explor2000的破解
用ASProtect 1.2以后的版本加壳,ep=5f4690。
用bo2k找不到入口。手动跟踪方法参见(1),脱壳方法参见(2)。
explor2000的破解方法如下。
先运行superbpm,再运行trw,下bpx 5f4690,g。
trw弹出后,下pedump c:\explor2k.exe 脱壳。
用w32dasm对脱壳后的explor2k.exe进行反汇编。在Refs/String Data References中找'trialversion',找到后双击,看到下面这段(用find text找也可)。
; W32Dasm listing (32-bit x86, Intel operand order as W32Dasm prints it) of the
; trial/registration decision in the unpacked explor2k.exe. Addresses and the
; encoded bytes in the second column are part of the dump, not assembler input.
;
; Visible structure of the excerpt:
;   1. edx = pointer loaded from [005FD020]; call 004040B0 (the author's "key
;      call"; its body is shown in the TRW listing further down the page).
;   2. eax = [ebp-08]; call 00404178; a result > 0 jumps to 005D1E1D, which the
;      author identifies as the registered path.
;   3. Otherwise branch on the dword at [005FD028]: <= 0 goes to 005D1D9B and
;      ends in the "TrialVersion" caption; > 0 derives a value from it, clamps
;      it to 0x0A and passes it to 005D1FA8.
; NOTE(review): the whole decision is taken at this single point from two
; plain in-memory values ([005FD020] string pointer, [005FD028] counter) with
; no integrity check visible here — that single check point is why the
; one-byte memory patch later on this page is enough to flip the outcome.
; The author's reading of [005FD028] as "remaining days" presumably comes from
; watching the value at runtime; the listing itself shows only how it is compared.
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005D1D0E(U), :005D1D1A(C)
|
:005D1D2D 8D45F8                  lea eax, dword ptr [ebp-08]
:005D1D30 8B1520D05F00            mov edx, dword ptr [005FD020]          ; edx = pointer to the registration buffer
:005D1D36 E87523E3FF              call 004040B0                          ; the key call (see TRW listing below)
:005D1D3B 8B45F8                  mov eax, dword ptr [ebp-08]
:005D1D3E E83524E3FF              call 00404178                          ; not the key one; stepping into it shows that
:005D1D43 85C0                    test eax, eax
:005D1D45 0F8FD2000000            jg 005D1E1D                            ; taking this jump is the registered path
:005D1D4B 833D28D05F0000          cmp dword ptr [005FD028], 00000000     ; [5fd028] holds the remaining days (author)
:005D1D52 7E47                    jle 005D1D9B                           ; counter <= 0 -> trial caption path
:005D1D54 833D28D05F001E          cmp dword ptr [005FD028], 0000001E     ; trial period is 30 days
:005D1D5B 7E07                    jle 005D1D64
:005D1D5D B805000000              mov eax, 00000005                      ; counter > 0x1E -> fixed value 5
:005D1D62 EB0B                    jmp 005D1D6F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005D1D5B(C)
|
:005D1D64 B823000000              mov eax, 00000023
:005D1D69 2B0528D05F00            sub eax, dword ptr [005FD028]          ; eax = 0x23 - counter
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005D1D62(U)
|
:005D1D6F 83F80A                  cmp eax, 0000000A
:005D1D72 7E05                    jle 005D1D79
:005D1D74 B80A000000              mov eax, 0000000A                      ; clamp eax to at most 0x0A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005D1D72(C)
|
:005D1D79 8B55FC                  mov edx, dword ptr [ebp-04]
:005D1D7C 52                      push edx                               ; arg: [ebp-04] (the object/this pointer, presumably)
:005D1D7D 68641F5D00              push 005D1F64                          ; arg: constant at 005D1F64 (format/caption string, presumably)
:005D1D82 50                      push eax                               ; arg: clamped value from above
:005D1D83 8B45FC                  mov eax, dword ptr [ebp-04]
:005D1D86 8B90FC040000            mov edx, dword ptr [eax+000004FC]
:005D1D8C B103                    mov cl, 03
:005D1D8E 8B45FC                  mov eax, dword ptr [ebp-04]
:005D1D91 E812020000              call 005D1FA8                          ; register-passing call (eax, edx, cl) plus the three pushed args
:005D1D96 E982000000              jmp 005D1E1D                           ; rejoin the common path
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005D1D52(C)
|
:005D1D9B E8140EE3FF              call 00402BB4
:005D1DA0 B80A000000              mov eax, 0000000A
:005D1DA5 E8CE10E3FF              call 00402E78
:005D1DAA 83F802                  cmp eax, 00000002
:005D1DAD 7550                    jne 005D1DFF
:005D1DAF 6A30                    push 00000030                          ; 0x30 -- presumably dialog/MessageBox-style flags; confirm
* Possible StringData Ref from Code Obj ->"EXPLOR2000"
|
:005D1DB1 68E01E5D00              push 005D1EE0                          ; "EXPLOR2000"
:005D1DB6 8D4DF4                  lea ecx, dword ptr [ebp-0C]
:005D1DB9 8B45FC                  mov eax, dword ptr [ebp-04]
:005D1DBC 8B8054050000            mov eax, dword ptr [eax+00000554]
* Possible StringData Ref from Code Obj ->"TrialVersion"
|
:005D1DC2 BAF41E5D00              mov edx, 005D1EF4                      ; "TrialVersion": displays the trial caption
:005D1DC7 E838B0F5FF              call 0052CE04
下bpx 5d1d36,trw弹出后按F8进入
; TRW listing of the routine at 004040B0, reached with F8 from the bpx at
; 5d1d36. Register contract visible here: in ecx = 0 (set at entry), edx =
; buffer pointer; out ecx = index of the first NUL byte in the buffer (i.e.
; the C-string length), edx = the original pointer; control then tail-jumps
; to 00403FE0. A null pointer (edx = 0) skips the scan and arrives at
; 00403FE0 with ecx = 0. The scan is unrolled four bytes per iteration, with
; the INC chain at 004040CF..004040D1 fixing up edx for a NUL found at
; offset 3/2/1.
; NOTE(review): this looks like a generic runtime-library PChar -> string
; conversion helper (Delphi-style) — confirm; being a shared helper is why
; the author says it cannot be patched at this site (many callers).
0167:004040B0 31C9                XOR     ECX,ECX
0167:004040B2 85D2                TEST    EDX,EDX
0167:004040B4 7421                JZ      004040D7                ; null pointer: length stays 0
0167:004040B6 52                  PUSH    EDX                     ; remember start pointer
0167:004040B7 3A0A                CMP     CL,[EDX]                ; [edx]=[1333405]=0 at the author's breakpoint; the author sets it to 1, then bd, g
0167:004040B9 7417                JZ      004040D2                ; after that change the program reports itself as registered, though the user name shows as garbage
0167:004040BB 3A4A01              CMP     CL,[EDX+01]
0167:004040BE 7411                JZ      004040D1
0167:004040C0 3A4A02              CMP     CL,[EDX+02]
0167:004040C3 740B                JZ      004040D0
0167:004040C5 3A4A03              CMP     CL,[EDX+03]
0167:004040C8 7405                JZ      004040CF
0167:004040CA 83C204              ADD     EDX,BYTE +04            ; no NUL in these 4 bytes: advance
0167:004040CD EBE8                JMP     SHORT 004040B7
0167:004040CF 42                  INC     EDX                     ; NUL at +3
0167:004040D0 42                  INC     EDX                     ; NUL at +2
0167:004040D1 42                  INC     EDX                     ; NUL at +1
0167:004040D2 89D1                MOV     ECX,EDX                 ; ecx = address of the NUL byte
0167:004040D4 5A                  POP     EDX                     ; edx = start pointer again
0167:004040D5 29D1                SUB     ECX,EDX                 ; ecx = length
0167:004040D7 E904FFFFFF          JMP     00403FE0                ; tail call: continue with (edx = ptr, ecx = len)
0167:004040DC C3                  RET                             ; not reached from this routine (follows an unconditional jmp); next routine or padding
因为4040b0经常被调用,所以不能在这里修改。一种偷懒的方法是使用内存补丁ppatcher3.93。
把以下内容存为ppatcher.ppc,连同ppatcher.exe考到explor2000安装目录下,运行ppatcher.exe即可,连脱壳也不用了。
------------------------------------------------
#Process Patcher Configuration File
Version=3.93
WaitForWindowName=Explor2000
PatchAuthor=kingtall
DisplayName=Explor2000
Filename=Explor2000.exe
Filesize=933376
Address=0x1333405:0x00:0x01
#End of Configuration File
-----------------------------------------------
程序中一定有直接对[1333405]进行修改的地方,懒得再找了。哪位大哥找到了,别忘说一声。
(1)
http://001.com.cn/forum/toye/14434.html
标 题:如何跟踪ASProtect外壳加密过的程序? (7千字)
(2)
http://001.com.cn/forum/toye/15931.html
标 题:PicturesToExe3.51的脱壳 (2千字)