ActiveSkin是一个很出色的skin(“皮肤”)ActiveX控件。支持VB、VC、Delphi等,功能十分强大。
下载地址:http://www.softshape.com/download/activeskin.zip (v3.62版)
安装后,将在windows的system下产生ActiveSkin.ocx文件。
它的保护方式比较特别:如果直接修改原文件,修改后的ActiveSkin.ocx将不能再次注册成为控件(即用“Regsvr32.exe ActiveSkin.ocx”命令注册控件会失败,导致你开发的程序不能用在其他电脑上)。
因为控件是试用版、没有输入注册码(注意这里的“未注册”指许可状态,不是上面说的COM注册),所以当你的程序调用ActiveSkin时,将弹出Unregistered的对话框。
用W32Dasm反汇编ActiveSkin.ocx,查找字符串“Unregistered control”,可看到下面弹出试用版警告框的代码:
:12121503 E879350000 call 12124A81
:12121508 33DB
xor ebx, ebx
:1212150A 395DF8
cmp dword ptr [ebp-08], ebx
:1212150D 7441
je 12121550
:1212150F 389E44010000 cmp byte ptr [esi+00000144], bl <==[esi+144]非0时跳过下面的警告框
:12121515 7548
jne 1212155F
* Reference To: KERNEL32.GetTickCount, Ord:016Dh
|
:12121517 8B3DB4211512 mov edi, dword
ptr [121521B4]
:1212151D FFD7
call edi
:1212151F 8945F4
mov dword ptr [ebp-0C], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:12121549(C)
|
:12121522 6A10
push 00000010
* Possible StringData Ref from Data Obj ->"Unregistered control"
|
:12121524 68F0851512 push 121585F0
* Possible StringData Ref from Data Obj ->"Warning! This application was "
->"created with
trial version of "
->"ActiveSkin
control."
|
:12121529 685C851512 push 1215855C
:1212152E 53
push ebx
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:1212152F FF155C231512 Call dword ptr
[1215235C]
============================================================================
很显然,修改12121515处,将jne改为jmp就可跳过对话框。为什么不改[esi+00000144]的初始化代码呢?因为有好几个地方将[esi+00000144]置0,其中包括mfc42.dll。改好后拿到别人电脑上注册控件,命令行方式下输入“Regsvr32.exe ActiveSkin.ocx”,失败!看来还有暗桩。将ActiveSkin.ocx恢复回原来的文件,再用W32Dasm反汇编。我们知道ActiveX控件注册时都要提供一个引出函数“DllRegisterServer”供Regsvr32.exe调用。可能ActiveSkin.ocx在函数DllRegisterServer里检查自身是否被修改过,如果被修改过就让注册失败。
现在看看DllRegisterServer函数,选菜单Functions->Exports,查DllRegisterServer函数,知道它的地址在12125386处。
好!先运行trw2000,Ctrl-N,下断点 bpx loadlibraryexa do "d *(esp+4)",这个命令在LoadLibraryExA被调用时中断,并显示出它的第一个参数(要加载的文件名)。然后在开始菜单的运行窗口输入“Regsvr32.exe 路径\ActiveSkin.ocx”
中断后,看一下参数,f5,直到参数为ActiveSkin.ocx,f12数次,回到Regsvr32.exe领空,此时下命令:bpx 12125386;f5,来到ActiveSkin的领空:
==============================================================================================
Exported fn(): DllRegisterServer - Ord:0003h
:12125386 833D94DB151200 cmp dword ptr [1215DB94], 00000000 <==解码标志:为0表示尚未解码,解码完成后在121253A8处置1
:1212538D 7523
jne 121253B2
:1212538F 68534F1312 push 12134F53
* Possible StringData Ref from Code Obj ->"?+?"
|
:12125394 68744E1312 push 12134E74
:12125399 BA5F161212 mov edx,
1212165F
:1212539E B9C1141212 mov ecx,
121214C1
:121253A3 E8E7900100 call 1213E48F
<=========注意此call;进入
:121253A8 C70594DB151201000000 mov dword ptr [1215DB94], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1212538D(C)
|
:121253B2 6A00
push 00000000
:121253B4 6A01
push 00000001
:121253B6 6810DB1512 push 1215DB10
:121253BB E83C150000 call 121268FC
:121253C0 C3
ret
===============================================================================================
* Referenced by a CALL at Addresses:
|:121210DC , :121253A3 , :121253DE , :1214792D , :1214AC65
|
:1213E48F 55
push ebp
:1213E490 8BEC
mov ebp, esp
:1213E492 83EC24
sub esp, 00000024
:1213E495 53
push ebx
:1213E496 56
push esi
:1213E497 33DB
xor ebx, ebx
:1213E499 57
push edi
:1213E49A 8955E0
mov dword ptr [ebp-20], edx
:1213E49D 894DDC
mov dword ptr [ebp-24], ecx
:1213E4A0 894DF4
mov dword ptr [ebp-0C], ecx
:1213E4A3 885DFE
mov byte ptr [ebp-02], bl
:1213E4A6 885DFD
mov byte ptr [ebp-03], bl
:1213E4A9 885DFF
mov byte ptr [ebp-01], bl
:1213E4AC 885DFC
mov byte ptr [ebp-04], bl
:1213E4AF 895DF8
mov dword ptr [ebp-08], ebx
:1213E4B2 895DE4
mov dword ptr [ebp-1C], ebx
* Reference To: KERNEL32.GetCurrentProcess, Ord:00F7h
|
:1213E4B5 FF15CC211512 Call dword ptr
[121521CC]
:1213E4BB BE30DC1512 mov esi,
1215DC30
:1213E4C0 8945E8
mov dword ptr [ebp-18], eax
:1213E4C3 6804010000 push 00000104
:1213E4C8 56
push esi
:1213E4C9 FF3514DB1512 push dword ptr
[1215DB14]
* Reference To: KERNEL32.GetModuleFileNameA, Ord:0124h
|
:1213E4CF FF154C211512 Call dword ptr
[1215214C]
:1213E4D5 53
push ebx
:1213E4D6 6880000000 push 00000080
:1213E4DB 6A03
push 00000003
:1213E4DD 53
push ebx
:1213E4DE 6A01
push 00000001
:1213E4E0 6800000080 push 80000000
:1213E4E5 56
push esi <=====打开"ActiveSkin.ocx"
* Reference To: KERNEL32.CreateFileA, Ord:0034h
|
:1213E4E6 FF15D8211512 Call dword ptr
[121521D8]
:1213E4EC BE00101212 mov esi,
12121000
:1213E4F1 8945F0
mov dword ptr [ebp-10], eax
:1213E4F4 8BC6
mov eax, esi
:1213E4F6 2B054CA51512 sub eax, dword
ptr [1215A54C]
:1213E4FC 8945EC
mov dword ptr [ebp-14], eax
:1213E4FF 740E
je 1213E50F
:1213E501 3AC3
cmp al, bl
:1213E503 750A
jne 1213E50F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1213E50A(C)
|
:1213E505 C1F808
sar eax, 08
:1213E508 3AC3
cmp al, bl
:1213E50A 74F9
je 1213E505
:1213E50C 8945EC
mov dword ptr [ebp-14], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1213E4FF(C), :1213E503(C)
|
* Reference To: KERNEL32.SetFilePointer, Ord:026Ah
|
:1213E50F 8B3DDC201512 mov edi, dword
ptr [121520DC]
:1213E515 8945F8
mov dword ptr [ebp-08], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1213E5F3(C)
|
:1213E518 53
push ebx
:1213E519 8D45FE
lea eax, dword ptr [ebp-02]
:1213E51C 6A01
push 00000001
:1213E51E 50
push eax
:1213E51F FF7508
push [ebp+08] 〈=======初始地址为12134e74
:1213E522 FF75E8
push [ebp-18]
* Reference To: KERNEL32.ReadProcessMemory, Ord:021Ch
|
:1213E525 FF15D8201512 Call dword ptr
[121520D8]
:1213E52B 8B4508
mov eax, dword ptr [ebp+08]            --+
:1213E52E 2BC6 sub eax, esi              | 通过虚拟地址计算文件偏移:
:1213E530 53 push ebx                    | 偏移 = VA - 12121000 + 1000 = VA - Imagebase
:1213E531 0500100000 add eax, 00001000 --+ (成立的前提是.text节的RVA等于文件Offset,见后面的节表)
:1213E536 53
push ebx
:1213E537 50
push eax
:1213E538 FF75F0
push [ebp-10]
:1213E53B FFD7
call edi
:1213E53D 8D45E4
lea eax, dword ptr [ebp-1C]
:1213E540 53
push ebx
:1213E541 50
push eax
:1213E542 8D45FC
lea eax, dword ptr [ebp-04]
:1213E545 6A01
push 00000001
:1213E547 50
push eax
:1213E548 FF75F0
push [ebp-10]
* Reference To: KERNEL32.ReadFile, Ord:0218h
|
:1213E54B FF15D0211512 Call dword ptr
[121521D0]
:1213E551 8B45F4
mov eax, dword ptr [ebp-0C]
:1213E554 2BC6
sub eax, esi
:1213E556 53
push ebx
:1213E557 0500100000 add eax,
00001000
:1213E55C 53
push ebx
:1213E55D 50
push eax
:1213E55E FF75F0
push [ebp-10]
:1213E561 FFD7
call edi <==========edi 为"setfilepointer"
:1213E563 8D45E4
lea eax, dword ptr [ebp-1C]
:1213E566 53
push ebx
:1213E567 50
push eax
:1213E568 8D45FD
lea eax, dword ptr [ebp-03]
:1213E56B 6A01
push 00000001
:1213E56D 50
push eax
:1213E56E FF75F0
push [ebp-10]
* Reference To: KERNEL32.ReadFile, Ord:0218h
|
:1213E571 FF15D0211512 Call dword ptr
[121521D0]
:1213E577 8A45FC
mov al, byte ptr [ebp-04]
:1213E57A 3845FE
cmp byte ptr [ebp-02], al
:1213E57D 7534
jne 1213E5B3
:1213E57F 395DF8
cmp dword ptr [ebp-08], ebx
:1213E582 7408
je 1213E58C
:1213E584 8B4DF8
mov ecx, dword ptr [ebp-08]
:1213E587 3B4DEC
cmp ecx, dword ptr [ebp-14]
:1213E58A 7527
jne 1213E5B3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1213E582(C)
|
:1213E58C 8A45FF
mov al, byte ptr [ebp-01]
:1213E58F 53
push ebx
:1213E590 3245FD
xor al, byte ptr [ebp-03]
:1213E593 6A01
push 00000001
:1213E595 3245FE
xor al, byte ptr [ebp-02]
:1213E598 8845FF
mov byte ptr [ebp-01], al
:1213E59B 8B45EC
mov eax, dword ptr [ebp-14]
:1213E59E 8945F8
mov dword ptr [ebp-08], eax
:1213E5A1 8D45FF
lea eax, dword ptr [ebp-01]
:1213E5A4 50
push eax
:1213E5A5 FF7508
push [ebp+08]
:1213E5A8 FF75E8
push [ebp-18]
* Reference To: KERNEL32.WriteProcessMemory, Ord:02E9h
|
:1213E5AB FF15EC201512 Call dword ptr
[121520EC] <==将解码后的数据写回
:1213E5B1 EB26
jmp 1213E5D9
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1213E57D(C), :1213E58A(C)
|
:1213E5B3 3245FF
xor al, byte ptr [ebp-01]
:1213E5B6 53
push ebx
:1213E5B7 6A01
push 00000001
:1213E5B9 3245FD
xor al, byte ptr [ebp-03]
:1213E5BC 8845FF
mov byte ptr [ebp-01], al
:1213E5BF 0FB6C0
movzx eax, al
:1213E5C2 0145F8
add dword ptr [ebp-08], eax
:1213E5C5 8D45F8
lea eax, dword ptr [ebp-08]
:1213E5C8 50
push eax
:1213E5C9 FF7508
push [ebp+08]
:1213E5CC FF75E8
push [ebp-18]
* Reference To: KERNEL32.WriteProcessMemory, Ord:02E9h
|
:1213E5CF FF15EC201512 Call dword ptr
[121520EC] <==将解码后的数据写回
:1213E5D5 C17DF808 sar
dword ptr [ebp-08], 08
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1213E5B1(U)
|
:1213E5D9 FF45F4
inc [ebp-0C]
:1213E5DC 8B45F4
mov eax, dword ptr [ebp-0C]
:1213E5DF 3B45E0
cmp eax, dword ptr [ebp-20]
:1213E5E2 7E06
jle 1213E5EA
:1213E5E4 8B45DC
mov eax, dword ptr [ebp-24]
:1213E5E7 8945F4
mov dword ptr [ebp-0C], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1213E5E2(C)
|
:1213E5EA FF4508
inc [ebp+08]
:1213E5ED 8B4508
mov eax, dword ptr [ebp+08]
:1213E5F0 3B450C cmp eax, dword ptr [ebp+0C] <==比较是否改写完:[ebp+0C]是结束地址12134f53(不含,jl为小于时继续)
:1213E5F3 0F8C1FFFFFFF jl 1213E518
:1213E5F9 FF75F0
push [ebp-10]
* Reference To: KERNEL32.CloseHandle, Ord:001Bh
|
:1213E5FC FF15C4211512 Call dword ptr
[121521C4]
:1213E602 6A01
push 00000001
:1213E604 58
pop eax
:1213E605 5F
pop edi
:1213E606 5E
pop esi
:1213E607 5B
pop ebx
:1213E608 C9
leave
:1213E609 C20800
ret 0008
============================================================================================
在这里可以看到很多敏感的函数:CreateFileA、ReadFile、WriteProcessMemory……经过分析,这段程序以自身文件的代码字节为密钥,逐字节改写从12134e74到12134f53(不含)的代码,总长度为12134f53-12134e74=0xdf。具体地,循环每次用ReadProcessMemory读出内存中的一个目标字节,用ReadFile从磁盘文件读出同一地址对应的原始字节,再从文件偏移[ebp-0C]处读一个密钥字节;密钥指针从121214C1(ecx)开始递增,超过1212165F(edx)就回绕到起点——这段范围正好包含上面12121515处被改掉的那个jne。所以只要原文件在密钥范围(121214C1~1212165F)或目标范围(12134e74~12134f53)内的任何一个字节被修改,解出来的就是一堆乱码,执行到12134e74处就会出错。从这段代码看并没有显式的校验和比较,这其实是一种把完整性校验和解码绑在一起的暗桩:篡改的后果不是“检测到”,而是解码失败。
好了,解决方法是让(未修改的)原文件在内存中解出正确代码后,再将12134e74到12134f53处的代码dump出来,用它覆盖刚才第一次修改过的ActiveSkin.ocx文件中对应的位置。现在按F12,返回后,
u 12134e74;看一下,解码正确!下命令:"w 12134e74 l df c:\dump.bin".从w32asm中可知:
=======================================================================================
Code Offset = 00001000, Code Size = 00031000
Data Offset = 00038000, Data Size = 00006000
Number of Objects = 0005 (dec), Imagebase = 12120000h
Object01: .text RVA: 00001000 Offset: 00001000 Size: 00031000
Flags: 60000020
Object02: .rdata RVA: 00032000 Offset: 00032000 Size: 00006000
Flags: 40000040
Object03: .data RVA: 00038000 Offset: 00038000 Size: 00006000
Flags: C0000040
Object04: .rsrc RVA: 0003F000 Offset: 0003E000 Size: 00013000
Flags: 40000040
Object05: .reloc RVA: 00052000 Offset: 00051000 Size: 00005000
Flags: 42000040
=========================================================================================
那么地址12134e74的文件实际偏移为:12134e74-Imagebase=14e74。这里能直接相减,是因为.text节的RVA和文件Offset都是00001000;一般情况下应按“偏移 = VA - Imagebase - 节RVA + 节Offset”计算(解码函数里的 sub eax,esi / add eax,00001000 做的就是这件事),你也可以用PEditor的FLC功能计算。
用Hex Workshop(hworks32)载入第一次修改过的ActiveSkin.ocx文件,定位在偏移14e74处,用c:\dump.bin的数据覆盖,长度为0xdf(223)。注意先备份原文件。
另外还有两处要改,一个是DllRegisterServer,另一个是DllUnregisterServer。它们一开始都检查标志[1215DB94],如果已经解码过,就不再执行解码函数。现在解码后的代码已经直接写进了文件,再跑一次解码函数只会把它改坏,所以要把这两处的jne改成jmp,让它们永远跳过解码:
Exported fn(): DllRegisterServer - Ord:0003h
:12125386 833D94DB151200 cmp dword ptr [1215DB94],
00000000
:1212538D 7523
jne 121253B2 <=======改为jmp
:1212538F 68534F1312 push 12134F53
* Possible StringData Ref from Code Obj ->"?+?"
|
:12125394 68744E1312 push 12134E74
:12125399 BA5F161212 mov edx,
1212165F
:1212539E B9C1141212 mov ecx,
121214C1
:121253A3 E8E7900100 call 1213E48F
:121253A8 C70594DB151201000000 mov dword ptr [1215DB94], 00000001
<==解码完成,置1;
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1212538D(C)
|
:121253B2 6A00
push 00000000
:121253B4 6A01
push 00000001
:121253B6 6810DB1512 push 1215DB10
:121253BB E83C150000 call 121268FC
:121253C0 C3
ret
。
。
。
Exported fn(): DllUnregisterServer - Ord:0004h
:121253C1 833D94DB151200 cmp dword ptr [1215DB94],
00000000
:121253C8 7523
jne 121253ED <=======改为jmp
:121253CA 68534F1312 push 12134F53
==================================================================================
到此爆破完成。说明:这里去掉的是试用版的许可检查,而不是安全漏洞;把改过的控件随程序发布属于违反授权协议的行为。这篇分析真正有价值的地方,是ActiveSkin这种把完整性校验和代码解码绑在一起的防篡改手法——密钥取自文件自身的代码字节,被保护区域内任何一个字节改动,解码结果就变成乱码,而不需要显式的校验和比较。
- 标 题:我已爆破3.62版,要小心啊!有暗桩的…… (15千字)AcitveX控件
- 作 者:leo_cyl1
- 时 间:2001-11-6 18:04:28
- 链 接:http://bbs.pediy.com