Analysis of Embird32's Anti-Cracking Techniques
At 皮大客's request, I have written a tutorial on how to deal with the Anti-Debug in Embird32 when cracking it. Since my studies have been rather demanding lately,
this tutorial is not very detailed; sorry! I will only list the key parts, and I hope 皮大客 will not "praise" me again. ;-)
Part 1: the Anti-Debug at program startup. It still uses the fairly common anti-cracking technique of calling CreateFileA to look for SICE and TRW.
When tracing, you have to patch selectively according to the debugger you are using; you must not change every JZ after a CreateFileA into a JMP. Keep this firmly in mind.
==============================================================================
016F:00D821B8 5C 5C 2E 5C 53 49 43 45-00 00 00 00 70 54 54 00 \\.\SICE....pTT.
==============================================================================
0167:004961CB 50             PUSH EAX
0167:004961CC E8530BF7FF     CALL KERNEL32!CreateFileA    ; SICE check
0167:004961D1 83F8FF         CMP EAX,-01
0167:004961D4 740C           JZ 004961E2
0167:004961D6 50             PUSH EAX
0167:004961D7 E8300BF7FF     CALL KERNEL32!CloseHandle
0167:004961DC C645FA01       MOV BYTE PTR [EBP-06],01
0167:004961E0 EB6D           JMP 0049624F
0167:004961E2 8D45F0         LEA EAX,[EBP-10]
0167:004961E5 BA30634900     MOV EDX,00496330
0167:004961EA E8D1DBF6FF     CALL 00403DC0
0167:004961EF 8D45F0         LEA EAX,[EBP-10]
0167:004961F2 E84DC3FCFF     CALL 00462544
0167:004961F7 6A00           PUSH 00
0167:004961F9 6880000000     PUSH 00000080
==============================================================================
016F:00D821A8 5C 5C 2E 5C 54 52 57 00-70 54 54 00 70 54 54 00 \\.\TRW.pTT.pTT.
==============================================================================
0167:004961F9 6880000000     PUSH 00000080
0167:004961FE 6A03           PUSH 03
0167:00496200 6A00           PUSH 00
0167:00496202 6A01           PUSH 01
0167:00496204 6800000080     PUSH 80000000
0167:00496209 8B45F0         MOV EAX,[EBP-10]
0167:0049620C E85BDFF6FF     CALL 0040416C
0167:00496211 50             PUSH EAX
0167:00496212 E80D0BF7FF     CALL KERNEL32!CreateFileA    ; TRW check
0167:00496217 83F8FF         CMP EAX,-01
0167:0049621A 740C           JZ 00496228
0167:0049621C 50             PUSH EAX
0167:0049621D E8EA0AF7FF     CALL KERNEL32!CloseHandle
0167:00496222 C645FA01       MOV BYTE PTR [EBP-06],01
0167:00496226 EB27           JMP 0049624F
0167:00496228 33C0           XOR EAX,EAX
0167:0049622A 55             PUSH EBP
0167:0049622B 6845624900     PUSH 00496245
0167:00496230 64FF30         PUSH DWORD PTR FS:[EAX]
0167:00496233 648920         MOV FS:[EAX],ESP
0167:00496236 CC             INT 3
0167:00496237 C645FA01       MOV BYTE PTR [EBP-06],01
...
0167:00496289 68F8634900     PUSH 004963F8
0167:0049628E FF75F0         PUSH DWORD PTR [EBP-10]
0167:00496291 8D45E4         LEA EAX,[EBP-1C]
0167:00496294 BA04000000     MOV EDX,00000004
0167:00496299 E8CADDF6FF     CALL 00404068
0167:0049629E 8B45E4         MOV EAX,[EBP-1C]
0167:004962A1 668B0DF4624900 MOV CX,[004962F4]
0167:004962A8 B201           MOV DL,01
0167:004962AA E8693E0A00     CALL 0053A118                ; the second Error is displayed here
0167:004962AF C645FB01       MOV BYTE PTR [EBP-05],01
0167:004962B3 E8D8440A00     CALL 0053A790
0167:004962B8 E85B370300     CALL 004C9A18
0167:004962BD 807DFB00       CMP BYTE PTR [EBP-05],00
0167:004962C1 7408           JZ 004962CB
0167:004962C3 8B45FC         MOV EAX,[EBP-04]
Part 2: after the program has started there is further anti-tracing; this time _lcreat is used to detect SICE and TRW. It is really the same as Part 1,
only the API differs. This was the first time I had seen this API used.
==============================================================================
016F:00D4B47C 5C 5C 2E 5C 73 69 63 65-00 00 00 00 26 00 00 00 \\.\sice....&...
==============================================================================
0167:0049CF20 50             PUSH EAX
0167:0049CF21 E866A0F6FF     CALL KERNEL32!_lcreat        ; SICE check using _lcreat
0167:0049CF26 83F8FF         CMP EAX,-01
0167:0049CF29 740A           JZ 0049CF35
0167:0049CF2B 50             PUSH EAX
0167:0049CF2C E853A0F6FF     CALL KERNEL32!_lclose
0167:0049CF31 B301           MOV BL,01
0167:0049CF33 EB32           JMP 0049CF67
0167:0049CF35 8D45FC         LEA EAX,[EBP-04]
0167:0049CF38 BA60D14900     MOV EDX,0049D160
0167:0049CF3D E87E6EF6FF     CALL 00403DC0
0167:0049CF42 8D45FC         LEA EAX,[EBP-04]
0167:0049CF45 E8FA55FCFF     CALL 00462544
0167:0049CF4A 6A01           PUSH 01
0167:0049CF4C 8B45FC         MOV EAX,[EBP-04]
==============================================================================
016F:00DE3B14 5C 5C 2E 5C 74 72 77 00-3E 01 00 00 60 2C 42 00 \\.\trw.>...`,B.
==============================================================================
0167:0049CF54 50             PUSH EAX
0167:0049CF55 E832A0F6FF     CALL KERNEL32!_lcreat        ; TRW check using _lcreat
0167:0049CF5A 83F8FF         CMP EAX,-01
0167:0049CF5D EB08           JMP 0049CF67
0167:0049CF5F 50             PUSH EAX
0167:0049CF60 E81FA0F6FF     CALL KERNEL32!_lclose
0167:0049CF65 B301           MOV BL,01
0167:0049CF67 84DB           TEST BL,BL
0167:0049CF69 740C           JZ 0049CF77
0167:0049CF6B A164415400     MOV EAX,[00544164]
0167:0049CF70 8B00           MOV EAX,[EAX]
0167:0049CF72 E80538FBFF     CALL 0045077C
0167:0049CF77 80BE772E000000 CMP BYTE PTR [ESI+00002E77],00
0167:0049CF7E E9EF000000     JMP 0049D072
0167:0049CF83 90             NOP
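Both parts rest on the same idea: the data dumps show the device names (\\.\SICE and \\.\TRW, in either case) that the program tries to open, and the CMP EAX,-01 after each call treats anything other than INVALID_HANDLE_VALUE as "debugger present". As an added example that is not part of the original post, here is a small Python triage script of my own that parses SoftICE-style dump lines like the ones quoted above, reports where those device-name strings occur, and encodes the handle test the listings perform; the sample dump is constructed from the four data lines on the page.

```python
import re

# Device names the page shows Embird32 probing with CreateFileA / _lcreat.
# Both spellings appear on the page, so matching is done case-insensitively.
DEBUGGER_DEVICES = (b"\\\\.\\SICE", b"\\\\.\\TRW")

# One SoftICE-style dump line: "seg:offset", then up to 16 space- or
# dash-delimited hex bytes, then an ASCII column that is ignored.
# Disassembly lines (undelimited opcode bytes such as E8530BF7FF) do not match.
DUMP_LINE = re.compile(
    r"^[0-9A-Fa-f]{4}:([0-9A-Fa-f]{8})\s+"
    r"((?:[0-9A-Fa-f]{2}[ -]){0,15}[0-9A-Fa-f]{2})(?=\s|$)"
)


def parse_dump(text):
    """Return [(offset, bytes)] for every dump line found in text."""
    chunks = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue  # separators, prose and disassembly lines are skipped
        offset = int(m.group(1), 16)
        raw = bytes.fromhex(re.sub(r"[ -]", "", m.group(2)))
        chunks.append((offset, raw))
    return chunks


def find_debugger_device_names(chunks):
    """Report (offset, canonical device name) for each hit, sorted by offset."""
    hits = []
    for base, raw in chunks:
        lowered = raw.lower()
        for name in DEBUGGER_DEVICES:
            idx = lowered.find(name.lower())
            if idx != -1:
                hits.append((base + idx, name.decode()))
    return sorted(hits)


def handle_means_debugger(eax):
    """The listings' CMP EAX,-01: any handle other than INVALID_HANDLE_VALUE
    (-1, i.e. 0xFFFFFFFF in EAX) means the debugger device could be opened."""
    return (eax & 0xFFFFFFFF) != 0xFFFFFFFF


# Constructed sample: the four data dumps quoted on the page, plus a separator
# and one disassembly line, both of which the parser must ignore.
SAMPLE = r"""
==============================================================================
016F:00D821B8 5C 5C 2E 5C 53 49 43 45-00 00 00 00 70 54 54 00 \\.\SICE....pTT.
016F:00D821A8 5C 5C 2E 5C 54 52 57 00-70 54 54 00 70 54 54 00 \\.\TRW.pTT.pTT.
0167:004961CC E8530BF7FF     CALL KERNEL32!CreateFileA
016F:00D4B47C 5C 5C 2E 5C 73 69 63 65-00 00 00 00 26 00 00 00 \\.\sice....&...
016F:00DE3B14 5C 5C 2E 5C 74 72 77 00-3E 01 00 00 60 2C 42 00 \\.\trw.>...`,B.
"""

if __name__ == "__main__":
    for offset, name in find_debugger_device_names(parse_dump(SAMPLE)):
        print(f"{offset:08X}  {name}")
```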
If you want to repost this article, please keep it complete!
gfh
2001.4.29
- Title: Analysis of Embird32's Anti-Cracking Techniques (8,000 characters)
- Author: parrot
- Time: 2001-4-29 8:01:59
- Link: http://bbs.pediy.com