谁与我共续这破解的故事?《破解“黎之工资”对抗脱壳之故事(上集)》
**************************************************************************************************************
〖作 者〗PaulYoung
〖日 期〗二○○一年三月二十五日
〖软 件〗黎之工资 v6.0(http://leaze.3322.net/lzgz/lzgz60.zip)
〖破解工具〗W32DASM V8.93,TRW2000 V1.03,FILEINFO V2.43A
AspackDie 1.1(http://mud.sz.jsinfo.net/per/aaron/files/unpackers/win/aspackdie11.zip)...
黎之工资 V6.0 是用 Aspack v2.11 加的壳,用很多工具都可以脱,如我用 AspackDie 1.1;但无论用什么工具脱壳,脱壳后的程序一运行就一闪而过,自行退出了。
我用 TRW2000 V1.03(唉,没办法,高版本的 TRW2000 与我的爱“姬”不和,唯有用 1.03 了)。Browse 找到已脱壳的程序,Load...OK!
F10 单步跟踪,看到……
//******************** Program Entry Point ********
:0051DE6C 55
push ebp
:0051DE6D 8BEC
mov ebp, esp
:0051DE6F 83C4F4
add esp, FFFFFFF4
:0051DE72 53
push ebx
:0051DE73 56
push esi
:0051DE74 57
push edi
:0051DE75 B80CDB5100 mov eax,
0051DB0C
:0051DE7A E86D98EEFF call
004076EC
******
:0051DE7F 8B3514255200 mov esi, dword
ptr [00522514]
:0051DE85 8B3D20225200 mov edi, dword
ptr [00522220]
:0051DE8B 8B0F
mov ecx, dword ptr [edi]
:0051DE8D B201
mov dl, 01
* Possible StringData Ref from Code Obj ->"艾C"
|
:0051DE8F A190E14800 mov eax,
dword ptr [0048E190]
:0051DE94 E893D5F2FF call
0044B42C
******
:0051DE99 8906
mov dword ptr [esi], eax
:0051DE9B BB03000000 mov ebx,
00000003
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0051DEB6(C)
|
:0051DEA0 8B06
mov eax, dword ptr [esi]
:0051DEA2 8B10
mov edx, dword ptr [eax]
:0051DEA4 FF92D8000000 call dword
ptr [edx+000000D8] *弹出登录窗口
:0051DEAA 8B06
mov eax, dword ptr [esi]
:0051DEAC 83B83402000001 cmp dword ptr [eax+00000234],
00000001 *口令是否正确?
:0051DEB3 7403
je 0051DEB8 *不正确即出错,下 r fl z(即相当于把je 改为jne或9090,使其不跳)
:0051DEB5 4B
dec ebx
:0051DEB6 75E8
jne 0051DEA0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0051DEB3(C)
|
:0051DEB8 8B06
mov eax, dword ptr [esi]
:0051DEBA 83B83402000001 cmp dword ptr [eax+00000234],
00000001 ***比较什么???
:0051DEC1 0F8574010000 jne 0051E03B *下
r fl z(原理同上),否则再按几下 F10 就会退出!!(关键)
:0051DEC7 8B0F
mov ecx, dword ptr [edi]
:0051DEC9 B201
mov dl, 01
* Possible StringData Ref from Code Obj ->"艾C"
|
:0051DECB A1286A4B00 mov eax,
dword ptr [004B6A28]
:0051DED0 E857D5F2FF call
0044B42C
***
:0051DED5 8B15841E5200 mov edx, dword
ptr [00521E84]
:0051DEDB 8902
mov dword ptr [edx], eax
:0051DEDD 8B06
mov eax, dword ptr [esi]
:0051DEDF E82452EEFF call
00403108
*******
:0051DEE4 A1841E5200 mov eax,
dword ptr [00521E84]
:0051DEE9 8B00
mov eax, dword ptr [eax]
:0051DEEB E81C14F3FF call
0044F30C
********
:0051DEF0 A1841E5200 mov eax,
dword ptr [00521E84]
:0051DEF5 8B00
mov eax, dword ptr [eax]
:0051DEF7 8B10
mov edx, dword ptr [eax]
:0051DEF9 FF9280000000 call dword
ptr [edx+00000080] *******
:0051DEFF 8B07
mov eax, dword ptr [edi]
:0051DF01 E8924BF3FF call
00452A98
********
:0051DF06 8B07
mov eax, dword ptr [edi]
* Possible StringData Ref from Code Obj ->"黎之工资管理"
|
:0051DF08 BA4CE05100 mov edx,
0051E04C
:0051DF0D E88A47F3FF call
0045269C
********
:0051DF12 8B0D64225200 mov ecx, dword
ptr [00522264]
:0051DF18 8B07
mov eax, dword ptr [edi]
* Possible StringData Ref from Code Obj ->"`+A"
|
:0051DF1A 8B15C8B64C00 mov edx, dword
ptr [004CB6C8]
:0051DF20 E88B4BF3FF call
00452AB0 ***
:0051DF25 8B0D941E5200 mov ecx, dword
ptr [00521E94]
:0051DF2B 8B07
mov eax, dword ptr [edi]
* Possible StringData Ref from Code Obj ->"艾C"
|
:0051DF2D 8B1554C85100 mov edx, dword
ptr [0051C854]
:0051DF33 E8784BF3FF call
00452AB0 ***
:0051DF38 8B0D44215200 mov ecx, dword
ptr [00522144]
:0051DF3E 8B07
mov eax, dword ptr [edi]
* Possible StringData Ref from Code Obj ->"艾C"
|
:0051DF40 8B1580515100 mov edx, dword
ptr [00515180]
:0051DF46 E8654BF3FF call
00452AB0 ****
:0051DF4B 8B0DC81C5200 mov ecx, dword
ptr [00521CC8]
:0051DF51 8B07
mov eax, dword ptr [edi]
* Possible StringData Ref from Code Obj ->"艾C"
|
:0051DF53 8B15C8415000 mov edx, dword
ptr [005041C8]
:0051DF59 E8524BF3FF call
00452AB0 *****
:0051DF5E 8B0D20255200 mov ecx, dword
ptr [00522520]
:0051DF64 8B07
mov eax, dword ptr [edi]
* Possible StringData Ref from Code Obj ->"艾C"
|
:0051DF66 8B15349D5100 mov edx, dword
ptr [00519D34]
:0051DF6C E83F4BF3FF call
00452AB0 ******
:0051DF71 8B0D90225200 mov ecx, dword
ptr [00522290]
:0051DF77 8B07
mov eax, dword ptr [edi]
* Possible StringData Ref from Code Obj ->"艾C"
|
:0051DF79 8B15D8D34F00 mov edx, dword
ptr [004FD3D8]
:0051DF7F E82C4BF3FF call
00452AB0 ***
:0051DF84 8B0D80205200 mov ecx, dword
ptr [00522080]
:0051DF8A 8B07
mov eax, dword ptr [edi]
* Possible StringData Ref from Code Obj ->"艾C"
|
:0051DF8C 8B1580FC4F00 mov edx, dword
ptr [004FFC80]
:0051DF92 E8194BF3FF call
00452AB0 ***
:0051DF97 8B0DE81C5200 mov ecx, dword
ptr [00521CE8]
:0051DF9D 8B07
mov eax, dword ptr [edi]
* Possible StringData Ref from Code Obj ->"艾C"
|
:0051DF9F 8B153C8D4F00 mov edx, dword
ptr [004F8D3C]
:0051DFA5 E8064BF3FF call
00452AB0 ***
:0051DFAA 8B0D4C225200 mov ecx, dword
ptr [0052224C]
:0051DFB0 8B07
mov eax, dword ptr [edi]
* Possible StringData Ref from Code Obj ->"艾C"
|
:0051DFB2 8B150C245100 mov edx, dword
ptr [0051240C]
:0051DFB8 E8F34AF3FF call
00452AB0 ***
:0051DFBD 8B0DAC245200 mov ecx, dword
ptr [005224AC]
:0051DFC3 8B07
mov eax, dword ptr [edi]
* Possible StringData Ref from Code Obj ->"艾C"
|
:0051DFC5 8B15B86F4F00 mov edx, dword
ptr [004F6FB8]
:0051DFCB E8E04AF3FF call
00452AB0 ***
:0051DFD0 8B0D2C235200 mov ecx, dword
ptr [0052232C]
:0051DFD6 8B07
mov eax, dword ptr [edi]
* Possible StringData Ref from Code Obj ->"艾C"
|
:0051DFD8 8B1564885000 mov edx, dword
ptr [00508864]
:0051DFDE E8CD4AF3FF call
00452AB0 ***
:0051DFE3 8B0D101F5200 mov ecx, dword
ptr [00521F10]
:0051DFE9 8B07
mov eax, dword ptr [edi]
* Possible StringData Ref from Code Obj ->"艾C"
|
:0051DFEB 8B153CE55000 mov edx, dword
ptr [0050E53C]
:0051DFF1 E8BA4AF3FF call
00452AB0 ***
:0051DFF6 8B0DC0215200 mov ecx, dword
ptr [005221C0]
:0051DFFC 8B07
mov eax, dword ptr [edi]
* Possible StringData Ref from Code Obj ->"艾C"
|
:0051DFFE 8B1548375000 mov edx, dword
ptr [00503748]
:0051E004 E8A74AF3FF call
00452AB0 ***
:0051E009 8B0DF8225200 mov ecx, dword
ptr [005222F8]
:0051E00F 8B07
mov eax, dword ptr [edi]
* Possible StringData Ref from Code Obj ->"艾C"
|
:0051E011 8B15E8D05000 mov edx, dword
ptr [0050D0E8]
:0051E017 E8944AF3FF call
00452AB0 ***
:0051E01C A1841E5200 mov eax,
dword ptr [00521E84]
:0051E021 8B00
mov eax, dword ptr [eax]
:0051E023 E8DC12F3FF call
0044F304 ****程序中止,自行退出!!
:0051E028 A1841E5200 mov eax,
dword ptr [00521E84]
:0051E02D 8B00
mov eax, dword ptr [eax]
:0051E02F E8D450EEFF call
00403108
:0051E034 8B07
mov eax, dword ptr [edi]
:0051E036 E8F54AF3FF call
00452B30
.
.
.
以上每经过一个 call,程序就会运行一步,一直到 0051E023 call 0044F304 处退出。如果不在 0051DEC1 jne 0051E03B 处下 r fl z,程序很快就会退出——这也就是脱壳后的程序马上退出的地方了(惨……连程序的界面是啥模样都不让人看)。补充一点,回答前面“比较什么???”的疑问:0051DEBA 处比较的与循环内 0051DEAC 处完全相同,都是字段 [eax+234] 与 1,也就是登录循环(ebx=3,最多弹三次登录窗口)结束后再复核一次最后那次的结果,最后一次仍不正确就跳到 0051E03B 的退出路径。另外要注意 r fl z 只改当前这一次运行的标志位,并不改文件;而把 0051DEC1 的 jne 改为 je 是把判断反了过来(字段等于 1 时反而会跳走),要让它彻底不跳应当用 9090。改完后程序运行一段时间才退出,说明后面应该还有别的校验,但从上面列出的这段代码里看不出具体在哪里。到底还有什么地方还在校验呢?我就找不到了。希望哪位高手赏脸,试一试,指点一下我这位初哥,在此先行拜谢了。
- 标 题:谁与我共续这破解的故事?《破解“黎之工资”对抗脱壳之故事(上集)》 (9千字)
- 作 者:paulyoung
- 时 间:2001-3-25 20:16:10
- 链 接:http://bbs.pediy.com