• Title: An unorthodox PEtite V2.2 unpack + fix + crack: English-Chinese / Chinese-English Bidirectional Learning Dictionary V1.0
  • Author: fly
  • Date: 2003-10-25 01:27
  • Link: http://bbs.pediy.com

An unorthodox PEtite V2.2 unpack + fix + crack: English-Chinese / Chinese-English Bidirectional Learning Dictionary V1.0
 
 
 
Download page:  http://soft.269.net/SoftWareView.asp?SoftWareID=48727 
Size:           900 KB
Platforms:      Win9x, NT, ME, Win2k, WinXP 
Listed on:      2003-7-31 
Rating:         ***** 

[Software description]: English-Chinese / Chinese-English Bidirectional Learning Dictionary. Many English learners like to study vocabulary in both directions, "English-Chinese" and "Chinese-English". For the English-Chinese direction an ordinary English-Chinese dictionary is enough, but for the Chinese-English direction an ordinary Chinese-English dictionary falls short, because the essence of English vocabulary and that of Chinese vocabulary differ greatly owing to cultural background and regional differences. Leafing through the "Chinese-English index" of this dictionary you will find many "words" such as "不…", "无…", "把…", "使…", "…的" and "…地", which cannot be found in a Chinese-English dictionary at all, since they are not treated as words in Chinese; this is why traditional Chinese-English dictionaries have no entries like "不能永生的 (mortal)" or "不精确的 (inaccurate)", even though "mortal" and "inaccurate" are thoroughly genuine English words. Likewise, in an ordinary Chinese-English dictionary many Chinese words can only be explained with English phrases or sentences, so the essence of English vocabulary is hard to learn through a conventional Chinese-English dictionary. For these reasons, all 18,828 Chinese entries in this dictionary are taken from its "English-Chinese dictionary" part, achieving full equivalence between the English-Chinese and Chinese-English directions. For the many English learners who like to study vocabulary bidirectionally, this dictionary is an ideal choice.

[Software limitation]: functional limitation. I only wanted to look at this packer; I don't use this thing.

[Author's statement]: I'm a beginner at cracking, just interested, no other purpose. Please correct any mistakes!

[Debugging environment]: WinXP, OllyDbg 1.09, PEiD, LordPE, ImportREC, WinHex, W32Dasm 9.0 Platinum Edition

————————————————————————————————— 
[Process]:
          

I. Unpacking


Set OllyDbg to ignore all exceptions. Same old routine: after loading, the prompt "Compressed code - continue analysis?" pops up; click "No".

004E5046     B8 00504E00          mov eax,英汉汉英.004E5000
                                  ====>Breaks here after loading in OD!

Set a breakpoint: BP LoadLibraryA, then F9 to run; it breaks!

77E605D8     837C24 04 00         cmp dword ptr ss:[esp+4],0
                                  ====>Breaks here! Ctrl+F9 to execute till return
77E605DD     53                   push ebx
77E605DE     56                   push esi
77E605DF     74 19                je short kernel32.77E605FA
77E605E1     68 9C5BE777          push kernel32.77E75B9C  
77E605E6     FF7424 10            push dword ptr ss:[esp+10]
77E605EA     FF15 9013E477        call dword ptr ds:[<&ntdll._strcmpi>] 
77E605F0     85C0                 test eax,eax
77E605F2     59                   pop ecx
77E605F3     59                   pop ecx
77E605F4     0F84 76AF0100        je kernel32.77E7B570
77E605FA     6A 00                push 0
77E605FC     6A 00                push 0
77E605FE     FF7424 14            push dword ptr ss:[esp+14]
77E60602     E8 B1FFFFFF          call kernel32.LoadLibraryExA
77E60607     5E                   pop esi
77E60608     5B                   pop ebx
77E60609     C2 0400              retn 4
                                  ====>Returns to 004A6355

————————————————————————

004A6344     833E 00              cmp dword ptr ds:[esi],0
004A6347     0F84 03020000        je 英汉汉英.004A6550
004A634D     51                   push ecx
004A634E     51                   push ecx
004A634F     FF95 90070000        call dword ptr ss:[ebp+790]
004A6355     85C0                 test eax,eax   
                                  ====>77E60609 returns here
004A6357     0F84 DF000000        je 英汉汉英.004A643C
004A635D     8BF8                 mov edi,eax
004A635F     0340 3C              add eax,dword ptr ds:[eax+3C]
004A6362     8B40 78              mov eax,dword ptr ds:[eax+78]
004A6365     FF7438 18            push dword ptr ds:[eax+edi+18]
004A6369     8B4C38 24            mov ecx,dword ptr ds:[eax+edi+24]
004A636D     03CF                 add ecx,edi
004A636F     51                   push ecx
004A6370     8B4C38 20            mov ecx,dword ptr ds:[eax+edi+20]
004A6374     03CF                 add ecx,edi
004A6376     51                   push ecx
004A6377     FF7438 10            push dword ptr ds:[eax+edi+10]
004A637B     FF7438 14            push dword ptr ds:[eax+edi+14]
004A637F     8B4438 1C            mov eax,dword ptr ds:[eax+edi+1C]
004A6383     03C7                 add eax,edi
004A6385     50                   push eax
004A6386     56                   push esi
004A6387     8B36                 mov esi,dword ptr ds:[esi]
004A6389     03F5                 add esi,ebp
004A638B     8B06                 mov eax,dword ptr ds:[esi]
004A638D     85C0                 test eax,eax
004A638F     0F84 81000000        je 英汉汉英.004A6416
004A6395     0FBAE0 1F            bt eax,1F
004A6399     73 2B                jnb short 英汉汉英.004A63C6

004A63C6     03C5                 add eax,ebp
004A63C8     50                   push eax
004A63C9     50                   push eax
004A63CA     57                   push edi
004A63CB     FF95 94070000        call dword ptr ss:[ebp+794]  ; kernel32.GetProcAddress
004A63D1     85C0                 test eax,eax
004A63D3     74 7F                je short 英汉汉英.004A6454
004A63D5     FF4C24 28            dec dword ptr ss:[esp+28]
004A63D9     7D 1F                jge short 英汉汉英.004A63FA
004A63DB     8B5424 24            mov edx,dword ptr ss:[esp+24]
004A63DF     C602 E9              mov byte ptr ds:[edx],0E9
004A63E2     2BC2                 sub eax,edx
004A63E4     83E8 05              sub eax,5
004A63E7     8942 01              mov dword ptr ds:[edx+1],eax
004A63EA     8BC2                 mov eax,edx
004A63EC     83C2 05              add edx,5
004A63EF     895424 24            mov dword ptr ss:[esp+24],edx
004A63F3     83E2 07              and edx,7
004A63F6     895424 28            mov dword ptr ss:[esp+28],edx
004A63FA     8906                 mov dword ptr ds:[esi],eax
004A63FC     873C24               xchg dword ptr ss:[esp],edi
004A63FF     83C9 FF              or ecx,FFFFFFFF
004A6402     33C0                 xor eax,eax
004A6404     F2:AE                repne scas byte ptr es:[edi]
004A6406     FD                   std
004A6407     F7D1                 not ecx
004A6409     4F                   dec edi
004A640A     F3:AA                rep stos byte ptr es:[edi]
004A640C     5F                   pop edi
004A640D     FC                   cld
004A640E     83C6 04              add esi,4
004A6411   ^ E9 75FFFFFF          jmp 英汉汉英.004A638B
                                  ====>Looking back up, 004A638F exits this loop. F4 down to the next line
004A6416     5E                   pop esi
004A6417     83C4 18              add esp,18
004A641A     8B16                 mov edx,dword ptr ds:[esi]
004A641C     03D5                 add edx,ebp
004A641E     8D43 47              lea eax,dword ptr ds:[ebx+47]
004A6421     8B4C24 04            mov ecx,dword ptr ss:[esp+4]
004A6425     833A 00              cmp dword ptr ds:[edx],0
004A6428     74 12                je short 英汉汉英.004A643C
004A642A     3B1A                 cmp ebx,dword ptr ds:[edx]
004A642C     8318 00              sbb dword ptr ds:[eax],0
004A642F     390A                 cmp dword ptr ds:[edx],ecx
004A6431     8318 00              sbb dword ptr ds:[eax],0
004A6434     83C2 04              add edx,4
004A6437     C108 03              ror dword ptr ds:[eax],3
004A643A   ^ EB E9                jmp short 英汉汉英.004A6425
                                  ====>F4 down here to leave the loop!
004A643C     C706 00000000        mov dword ptr ds:[esi],0
004A6442     5F                   pop edi
004A6443     83C9 FF              or ecx,FFFFFFFF
004A6446     33C0                 xor eax,eax
004A6448     F2:AE                repne scas byte ptr es:[edi]
004A644A     8BCF                 mov ecx,edi
004A644C     83C6 04              add esi,4
004A644F   ^ E9 F0FEFFFF          jmp 英汉汉英.004A6344
                                  ====>Looking back up, 004A6347 exits this loop.
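The loop from 004A6355 above is the stub's own import resolver: eax is the module base returned by LoadLibraryA, [eax+3C] is e_lfanew, [nt+78] is the export-directory RVA, and the six pushes are that directory's NumberOfNames, AddressOfNameOrdinals, AddressOfNames, Base, NumberOfFunctions and AddressOfFunctions fields, while the bt eax,1F test at 004A6395 separates by-ordinal thunks (bit 31 set, the IMAGE_ORDINAL_FLAG32 convention) from by-name ones. The Python below is an added illustration, not code from the post or the packer: it walks an export directory with exactly those offsets over a constructed, minimal flat image (RVA equal to file offset, an assumption that real files do not share), and unlike the real GetProcAddress it does not handle forwarded exports.

```python
import struct

def u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]

def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def export_directory(image):
    """Find IMAGE_EXPORT_DIRECTORY the way the stub does: [base+3C] -> e_lfanew, [nt+78] -> export RVA (PE32)."""
    nt = u32(image, 0x3C)
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    ed = u32(image, nt + 0x78)               # DataDirectory[0].VirtualAddress
    return {
        "base":      u32(image, ed + 0x10),  # Base                  (the stub's [eax+edi+10])
        "n_funcs":   u32(image, ed + 0x14),  # NumberOfFunctions     (+14)
        "n_names":   u32(image, ed + 0x18),  # NumberOfNames         (+18)
        "functions": u32(image, ed + 0x1C),  # AddressOfFunctions    (+1C)
        "names":     u32(image, ed + 0x20),  # AddressOfNames        (+20)
        "ordinals":  u32(image, ed + 0x24),  # AddressOfNameOrdinals (+24)
    }

def lookup(image, key):
    """Export RVA for a name (bytes) or an ordinal thunk (int with bit 31 set); None if absent."""
    d = export_directory(image)
    if isinstance(key, int):
        # Bit 31 set means import by ordinal, the same test as the stub's 'bt eax,1F';
        # the low 16 bits hold a biased ordinal, so subtract Base to index AddressOfFunctions.
        if not key & 0x80000000:
            raise ValueError("by-name thunks are passed as bytes in this example")
        index = (key & 0xFFFF) - d["base"]
    else:
        index = None
        for i in range(d["n_names"]):        # AddressOfNames is parallel to AddressOfNameOrdinals
            rva = u32(image, d["names"] + 4 * i)
            if image[rva:rva + len(key) + 1] == key + b"\0":
                index = u16(image, d["ordinals"] + 2 * i)
                break
        if index is None:
            return None
    if not 0 <= index < d["n_funcs"]:
        return None                          # out-of-range ordinal: refuse rather than read garbage
    return u32(image, d["functions"] + 4 * index)

def build_test_image():
    """Constructed minimal flat PE image (RVA == offset) exporting two names; not a real DLL."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                                # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<II", img, 0x80 + 0x78, 0x200, 0x28)                 # export dir RVA, size
    struct.pack_into("<IIIIII", img, 0x210, 1, 3, 2, 0x300, 0x310, 0x320)  # Base .. AddressOfNameOrdinals
    struct.pack_into("<III", img, 0x300, 0x1000, 0x1010, 0x1020)           # function RVAs
    struct.pack_into("<II", img, 0x310, 0x340, 0x350)                      # name RVAs
    struct.pack_into("<HH", img, 0x320, 2, 0)                              # unbiased ordinal per name
    img[0x340:0x34F] = b"GetProcAddress\0"
    img[0x350:0x35D] = b"LoadLibraryA\0"
    return bytes(img)
```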

004A6550     59                   pop ecx
                                  ====>Set a breakpoint here. F9, and it breaks here
004A6551     5E                   pop esi
004A6552     FD                   std
004A6553     33C0                 xor eax,eax
004A6555     B9 54030000          mov ecx,354
004A655A     E8 DEEA0300          call 英汉汉英.004E503D
                                  ====>F7 to step into

004E503D     5F                   pop edi 
004E503E     F3:AA                rep stos byte ptr es:[edi]
004E5040     61                   popad
004E5041     66:9D                popfw
004E5043     83C4 08              add esp,8
004E5046     E9 75EAFBFF          jmp 英汉汉英.004A3AC0
                                  ====>Off to the summit of light! (the jump to the OEP)

PEtite V2.2 is quite easy; finding the OEP like this is all it takes. :-)
————————————————————————

004A3AC0     55                   push ebp
                                  ====>Here, do a full dump of the process with LordPE

004A3AC1     8BEC                 mov ebp,esp
004A3AC3     83C4 F4              add esp,-0C
004A3AC6     53                   push ebx
004A3AC7     56                   push esi
004A3AC8     57                   push edi
004A3AC9     B8 28384A00          mov eax,英汉汉英.004A3828
004A3ACE     E8 B534F6FF          call 英汉汉英.00406F88

————————————————————————

Run ImportREC and select this process. Change the OEP to 000A3AC0, click "IAT AutoSearch", then "Get Imports".
A few functions are invalid; right-click and choose "Trace Level 1" to fix them all. Fix Dump: 905K -> 932K, but the program crashes when run!


—————————————————————————————————
II. Manually fixing the file pointer


Recently some fellows found that certain Petite-packed programs won't run normally whether unpacked by an automatic unpacker or by hand. This program is one of them.
Thanks to mikelong of [FCG] for the pointer! It taught me a bit more, hehe :-)

Load the unpacked program into OllyDbg and look for where it crashes:

004A3AC0       55                 push ebp
004A3AC1       8BEC               mov ebp,esp
004A3AC3       83C4 F4            add esp,-0C
004A3AC6       53                 push ebx
004A3AC7       56                 push esi
004A3AC8       57                 push edi
004A3AC9       B8 28384A00        mov eax,DUMPED_ 004A3828
004A3ACE       E8 B534F6FF        call DUMPED_ 00406F88
004A3AD3       A1 1C604A00        mov eax,dword ptr ds:[4A601C]
004A3AD8       8B00               mov eax,dword ptr ds:[eax]
004A3ADA       E8 AD91FAFF        call DUMPED_ 0044CC8C
004A3ADF       A1 1C604A00        mov eax,dword ptr ds:[4A601C]
004A3AE4       8B00               mov eax,dword ptr ds:[eax]
004A3AE6       BA A03B4A00        mov edx,DUMPED_ 004A3BA0       ;  ASCII "eBook"
004A3AEB       E8 A08DFAFF        call DUMPED_ 0044C890
004A3AF0       6A 00              push 0 
004A3AF2       A1 1C604A00        mov eax,dword ptr ds:[4A601C]
004A3AF7       8B00               mov eax,dword ptr ds:[eax]  
004A3AF9       8B40 24            mov eax,dword ptr ds:[eax+24] 
004A3AFC       50                 push eax
004A3AFD       E8 6A3FF6FF        call <jmp &user32 ShowWindow> 
004A3B02       6A EC              push -14          
004A3B04       A1 1C604A00        mov eax,dword ptr ds:[4A601C]  
004A3B09       8B00               mov eax,dword ptr ds:[eax]   
004A3B0B       8B58 24            mov ebx,dword ptr ds:[eax+24] 
004A3B0E       53                 push ebx  
004A3B0F       E8 083DF6FF        call <jmp &user32 GetWindowLongA>  
004A3B14       0D 80000000        or eax,80
004A3B19       50                 push eax    
004A3B1A       6A EC              push -14 
004A3B1C       A1 1C604A00        mov eax,dword ptr ds:[4A601C] 
004A3B21       53                 push ebx   
004A3B22       E8 053FF6FF        call <jmp &user32 SetWindowLongA>
004A3B27       E8 1857FFFF        call DUMPED_ 00499244
                                  ====>It crashes after passing through here! :-(  Reload and take a look!

————————————————————————
Enter the crashing CALL: 004A3B27  call DUMPED_ 00499244

 
00499244       55                 push ebp
00499245       8BEC               mov ebp,esp
00499247       6A 00              push 0
00499249       6A 00              push 0
0049924B       6A 00              push 0
0049924D       53                 push ebx
0049924E       33C0               xor eax,eax
00499250       55                 push ebp
00499251       68 19934900        push 1_.00499319
00499256       64:FF30            push dword ptr fs:[eax]
00499259       64:8920            mov dword ptr fs:[eax],esp
0049925C       33DB               xor ebx,ebx
0049925E       B8 FC7A4A00        mov eax,DUMPED_.004A7AFC
00499263       BA 30934900        mov edx,DUMPED_.00499330   ;  ASCII "1.29c for Windows"
00499268       E8 77AAF6FF        call DUMPED_.00403CE4
0049926D       B8 3C7B4A00        mov eax,DUMPED_.004A7B3C
00499272       BA 4C934900        mov edx,DUMPED_.0049934C   ;  ASCII "WebPacker"
00499277       E8 68AAF6FF        call DUMPED_.00403CE4
0049927C       C705D07A4A00240106 mov dword ptr ds:[4A7AD0],60124
                                  ====>Note the file pointer 60124; this is an offset into the original exe

————————————————————————

Following mikelong's guidance, I did the fix by hand:

1. Open the original program in WinHex and copy the data from 60124 to E2724; heh, might as well copy right to the end. Then open the unpacked file whose import table has already been fixed and paste it at the end of that file. Check the offset of the pasted data in the new file: E9000. Save as: 修复DUMPED_.EXE

2. Open 修复DUMPED_.EXE in WinHex, go to 99282 and change 240106 to 00900E, which corrects the file pointer to its new value,
i.e. change:  0049927C       C705D07A4A0024010600  mov dword ptr [4A7AD0],60124
into:         0049927C       C705D07A4A0000900E00  mov dword ptr [4A7AD0],E9000

OK! The modified program runs normally! The only downside is that the file got a lot bigger; a newbie like me has no way around that.

For Petite 2.2-packed programs that have been tinkered with like this, the key is to find the original file pointer that causes the error, copy the corresponding data into the unpacked program, and change the pointer to the new offset. Thanks again to mikelong :-) All of this is his work!
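What steps 1 and 2 do mechanically, as an added Python illustration rather than anything from the post: the program hard-codes a file offset into its own image (the e-book payload behind the code), so a dump with a different layout points at the wrong place, and the fix appends the original file's tail to the dump and rewrites the imm32 of the `mov dword ptr [4A7AD0],imm32` to the new end-of-file offset. The sample "original" and "dump" byte strings are constructed for the demonstration; the real files from the post are not included.

```python
import struct

def find_mov_imm32(dump, target_va):
    """File offset of the imm32 in the unique 'C7 05 <disp32> <imm32>' that writes target_va, else None."""
    pattern = b"\xC7\x05" + struct.pack("<I", target_va)   # mov dword ptr [target_va], imm32
    if dump.count(pattern) != 1:                            # refuse to patch an ambiguous match
        return None
    return dump.find(pattern) + len(pattern)

def relocate_file_pointer(original, dump, old_offset, imm_offset):
    """Append original[old_offset:] to the dump and repoint the immediate that held old_offset.

    original   - bytes of the packed exe on disk (the data the program reads lives at old_offset)
    dump       - bytes of the unpacked, IAT-fixed file (different layout, so old_offset is wrong there)
    old_offset - the file pointer hard-coded by the program (0x60124 in the write-up)
    imm_offset - file offset of that imm32 inside the dump (0x99282 in the write-up)
    Returns (patched bytes, new_offset).
    """
    if old_offset >= len(original):
        raise ValueError("old_offset lies beyond the end of the original file")
    if struct.unpack_from("<I", dump, imm_offset)[0] != old_offset:
        raise ValueError("immediate at imm_offset does not hold old_offset; wrong location?")
    new_offset = len(dump)                # the appended data starts at the current end of file
    fixed = bytearray(dump)
    struct.pack_into("<I", fixed, imm_offset, new_offset)
    fixed += original[old_offset:]
    return bytes(fixed), new_offset

# Constructed sample files (not the real dictionary): the "original" carries its payload at 0x40,
# the "dump" carries the same 'mov dword ptr [4A7AD0],imm32' as the write-up but pointing at 0x40.
SAMPLE_ORIGINAL = bytes(0x40) + b"EBOOK-DATA-APPENDED-TO-EXE"
SAMPLE_DUMP = bytes(0x10) + b"\xC7\x05\xD0\x7A\x4A\x00" + struct.pack("<I", 0x40) + bytes(0x06)

def fix_sample():
    """Run the two steps on the constructed sample; returns (patched bytes, new_offset)."""
    imm = find_mov_imm32(SAMPLE_DUMP, 0x4A7AD0)
    return relocate_file_pointer(SAMPLE_ORIGINAL, SAMPLE_DUMP, 0x40, imm)
```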

Here is another program with a similar Petite 2.2 packer: 3TV Broadband Satellite Network TV (3TV宽带卫星网络电视机), download: http://webtv.zmdns.com/3tv.exe
See also: http://www.51itcool.com/fcg/Announce/Announce.asp?BoardID=3&ID=2842


—————————————————————————————————
III. Cracking


This thing is an e-book program written in Delphi; I'm not sure which e-book tool was used to build it.
Registration is a bit annoying; thanks to DarkNess0ut for helping test :-) It's a plaintext comparison; lazy me was too sleepy and didn't look at the algorithm.

Ugh, clicking "L" in the "English-Chinese Index" brings up: "This section is for registered users only; unregistered users can only use the a-k part of the vocabulary", and only below that does the identification code appear, hehe, a bit hidden.

Username: fly
Identification code: 89DD-5EA0123
Trial code: 135724689012
—————————————————————————————————
The key spot isn't easy to find; the bits below were located with a memory search plus memory breakpoints.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049ABAA(C)
|
:0049ABED 8D55FC                  lea edx, dword ptr [ebp-04]
:0049ABF0 A10C604A00              mov eax, dword ptr [004A600C]
:0049ABF5 8B00                    mov eax, dword ptr [eax]
:0049ABF7 E8A4E2F6FF              call 00408EA0
:0049ABFC 8D85DCFEFFFF            lea eax, dword ptr [ebp+FFFFFEDC]
:0049AC02 8D55EB                  lea edx, dword ptr [ebp-15]
:0049AC05 E8AA92F6FF              call 00403EB4
:0049AC0A 8B85DCFEFFFF            mov eax, dword ptr [ebp+FFFFFEDC]
                                  ====>EAX=89DD-5EA0123             identification code
:0049AC10 8D95E0FEFFFF            lea edx, dword ptr [ebp+FFFFFEE0]
:0049AC16 E865F0FFFF              call 00499C80
:0049AC1B 8B85E0FEFFFF            mov eax, dword ptr [ebp+FFFFFEE0]
:0049AC21 50                      push eax
:0049AC22 8D95D8FEFFFF            lea edx, dword ptr [ebp+FFFFFED8]
:0049AC28 A1105F4A00              mov eax, dword ptr [004A5F10]
:0049AC2D 8B00                    mov eax, dword ptr [eax]
                                  ====>EAX=135724689012             trial code
:0049AC2F E86CE2F6FF              call 00408EA0
:0049AC34 8B95D8FEFFFF            mov edx, dword ptr [ebp+FFFFFED8]
:0049AC3A 8D45F8                  lea eax, dword ptr [ebp-08]
:0049AC3D 59                      pop ecx
:0049AC3E E81993F6FF              call 00403F5C
:0049AC43 8B45FC                  mov eax, dword ptr [ebp-04]
                                  ====>EAX=fly                      username
:0049AC46 E8C592F6FF              call 00403F10
:0049AC4B 83F803                  cmp eax, 00000003
                                  ====>the username must be at least 3 characters
:0049AC4E 7D4C                    jge 0049AC9C

:0049AC9C 8B45F8                  mov eax, dword ptr [ebp-08]
                                  ====>EAX=135724689012             trial code
:0049AC9F E86C92F6FF              call 00403F10
:0049ACA4 83F80C                  cmp eax, 0000000C
                                  ====>the registration code must be 12 characters
:0049ACA7 740E                    je 0049ACB7

:0049ACB7 A1AC5F4A00              mov eax, dword ptr [004A5FAC]
:0049ACBC 803800                  cmp byte ptr [eax], 00
:0049ACBF 7542                    jne 0049AD03
:0049ACC1 A150604A00              mov eax, dword ptr [004A6050]
:0049ACC6 8B00                    mov eax, dword ptr [eax]
:0049ACC8 50                      push eax
:0049ACC9 8B45F8                  mov eax, dword ptr [ebp-08]
:0049ACCC 50                      push eax
:0049ACCD A1E0604A00              mov eax, dword ptr [004A60E0]
:0049ACD2 8A00                    mov al, byte ptr [eax]
:0049ACD4 50                      push eax
:0049ACD5 8D85C8FEFFFF            lea eax, dword ptr [ebp+FFFFFEC8]
:0049ACDB 8D55EB                  lea edx, dword ptr [ebp-15]
:0049ACDE E8D191F6FF              call 00403EB4
:0049ACE3 8B8DC8FEFFFF            mov ecx, dword ptr [ebp+FFFFFEC8]
:0049ACE9 8B1584604A00            mov edx, dword ptr [004A6084]
:0049ACEF 8B12                    mov edx, dword ptr [edx]
:0049ACF1 8B45FC                  mov eax, dword ptr [ebp-04]
:0049ACF4 E893F5FFFF              call 0049A28C
                                  ====>Key CALL! Step in!
:0049ACF9 84C0                    test al, al
:0049ACFB 0F84C3000000            je 0049ADC4
                                  ====>If it jumps, it's OVER!
:0049AD01 EB15                    jmp 0049AD18


————————————————————————
Enter the key CALL: 0049ACF4   call 0049A28C


* Referenced by a CALL at Addresses:
|:00498C86   , :0049ACF4   
|
:0049A28C 55                      push ebp
:0049A28D 8BEC                    mov ebp, esp
:0049A28F 6A00                    push 00000000
:0049A291 6A00                    push 00000000
:0049A293 6A00                    push 00000000
:0049A295 6A00                    push 00000000
:0049A297 6A00                    push 00000000
:0049A299 6A00                    push 00000000
:0049A29B 6A00                    push 00000000
:0049A29D 53                      push ebx
:0049A29E 56                      push esi
:0049A29F 57                      push edi
:0049A2A0 894DF4                  mov dword ptr [ebp-0C], ecx
:0049A2A3 8955F8                  mov dword ptr [ebp-08], edx
:0049A2A6 8945FC                  mov dword ptr [ebp-04], eax
:0049A2A9 8B45FC                  mov eax, dword ptr [ebp-04]
:0049A2AC E8139EF6FF              call 004040C4
:0049A2B1 8B45F8                  mov eax, dword ptr [ebp-08]
:0049A2B4 E80B9EF6FF              call 004040C4
:0049A2B9 8B45F4                  mov eax, dword ptr [ebp-0C]
:0049A2BC E8039EF6FF              call 004040C4
:0049A2C1 8B4510                  mov eax, dword ptr [ebp+10]
:0049A2C4 E8FB9DF6FF              call 004040C4
:0049A2C9 8B450C                  mov eax, dword ptr [ebp+0C]
:0049A2CC E8F39DF6FF              call 004040C4
:0049A2D1 33C0                    xor eax, eax
:0049A2D3 55                      push ebp
:0049A2D4 68AEA34900              push 0049A3AE
:0049A2D9 64FF30                  push dword ptr fs:[eax]
:0049A2DC 648920                  mov dword ptr fs:[eax], esp
:0049A2DF BE01000000              mov esi, 00000001
:0049A2E4 33DB                    xor ebx, ebx
:0049A2E6 8B450C                  mov eax, dword ptr [ebp+0C]
:0049A2E9 E8229CF6FF              call 00403F10
:0049A2EE 83F80C                  cmp eax, 0000000C
:0049A2F1 0F858F000000            jne 0049A386
:0049A2F7 8D45E4                  lea eax, dword ptr [ebp-1C]
:0049A2FA 8B550C                  mov edx, dword ptr [ebp+0C]
:0049A2FD E8269AF6FF              call 00403D28

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049A381(U)
|
:0049A302 8B4510                  mov eax, dword ptr [ebp+10]
:0049A305 50                      push eax
:0049A306 8A4508                  mov al, byte ptr [ebp+08]
:0049A309 50                      push eax
:0049A30A 8D45F0                  lea eax, dword ptr [ebp-10]
:0049A30D 50                      push eax
:0049A30E 8B4DF4                  mov ecx, dword ptr [ebp-0C]
:0049A311 8B55F8                  mov edx, dword ptr [ebp-08]
:0049A314 8B45FC                  mov eax, dword ptr [ebp-04]
:0049A317 E894010000              call 0049A4B0
                                  ====>Algorithm CALL!
:0049A31C 8D55EC                  lea edx, dword ptr [ebp-14]
:0049A31F 8B45F0                  mov eax, dword ptr [ebp-10]
:0049A322 E805FAFFFF              call 00499D2C
:0049A327 8B45EC                  mov eax, dword ptr [ebp-14]
                                  ====>EAX=CWIDFLXCMYLO             registration code
:0049A32A 8B550C                  mov edx, dword ptr [ebp+0C]
                                  ====>EDX=135724689012             trial code
:0049A32D E8EE9CF6FF              call 00404020
                                  ====>Comparison CALL!
:0049A332 7504                    jne 0049A338
                                  ====>If it jumps, it's OVER!
:0049A334 B301                    mov bl, 01
:0049A336 EB4E                    jmp 0049A386


————————————————————————————————— 
[Registration info is saved in]:


D:\WINDOWS\system32\bccbiosrm64bft.dll

————————————————————————————————— 
[Summary]:


Username: fly
Identification code: 89DD-5EA0123
Registration code: CWIDFLXCMYLO

—————————————————————————————————
    
                                
         ,     _/ 
        /| _ -~/            _     ,        Youth is but a moment;
       ( /~   /              ~- _ |
       `\  _/                   ~ )          I'd trade vain fame 
   _-~~~- )  )__/;;,           _  //'
  /'_,   --~    ~~~-  ,;;___(  ( -~~~-         for the wild abandon of cracking
 `~ _( ,_  -- (     ,;'' /    ~--   / _` 
  /~~//'   /' `~         ) /--  _, )_  `~
  "  `~"  "      `"      /~'`    `\~~   
                         "     "   "~'  ""

    

            Cracked by 巢水工作坊 (Chaoshui Studio) - fly [OCN][FCG]

                    2003-10-25  01:10