【Title】: "图章制作系统 (Stamp Maker System) V3.63": Unpacking, Removing the Self-Check and Defusing the Self-Destruct Code [Analysis]
【Author】: KuNgBiM[DFCG]
【Author e-mail】: gb_1227@163.com
【Software】: 图章制作系统 (Stamp Maker System) V3.63
【Written up】: 2005-07-29
【Download】: http://www.downreg.com/Software/View-Software-4587.htm
【Protection scheme】: registration code + trial feature limits
【Packer / anti-crack】: ASPack 2.12 + post-unpack self-check + self-destruct code (uses the system's autoexec.bat batch processing to delete a copy that fails the check) + Anti-Loader
【Compiler】: Borland Delphi 6.0 - 7.0
【Debug environment】: WinXP, PEiD, OllyDbg, LordPE, ImportREC
【Crack date】: 2005-09-01
【Purpose】: to promote the ESP trick for unpacking, remove the self-check, and study the algorithm
【Author's note】: I'm new to cracking and doing this purely out of interest, nothing else. Corrections from the masters are welcome!
—————————————————————————————————
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 【Unpacking】 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Identify the packer: PEiD reports ASPack 2.12 -> Alexey Solodovnikov.
Tool of choice: since we know it is ASPack, we load it into OllyDbg and unpack it by hand, as the title promises.
————————————————————
Load the main program in OllyDbg:
005FA001 > 60 pushad ; OllyDbg stops here after loading; press F8 once
005FA002 E8 03000000 call MakeSign.005FA00A ; now at this instruction, look at the register window
005FA007 - E9 EB045D45 jmp 45BCA4F7
005FA00C 55 push ebp
005FA00D C3 retn
\\\\\\\\\\\\\\\寄存器\\\\\\\\\\\\\\\\
EAX 00000000
ECX 0012FFB0
EDX 7FFE0304
EBX 7FFDF000
ESP 0012FFA4 ; esp=0012ffa4
EBP 0012FFF0
ESI 77F57D70 ntdll.77F57D70
EDI 77F944A8 ntdll.77F944A8
EIP 005FA002 MakeSign.005FA002
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
The ESP trick: pushad has just saved all eight registers at ESP, and the unpacker will read them back with popad right before jumping to the OEP. So type hr 0012ffa4 in the command bar (a hardware breakpoint on access to the dword at ESP; use whatever ESP shows on your machine), press Enter, then F9:
005FA3B0 /75 08 jnz short MakeSign.005FA3BA ; breaks here; F7 to continue
005FA3B2 |B8 01000000 mov eax,1
005FA3B7 |C2 0C00 retn 0C
005FA3BA \68 10CA5800 push MakeSign.0058CA10 ; the 0058CA10 pushed here is the OEP; F7
005FA3BF C3 retn ; retn into the original entry point, off into the light ~~ F7 once more
Lands here:
0058CA10 55 push ebp ; at this point correct ImageSize in LordPE and take a full dump of the process
0058CA11 8BEC mov ebp,esp
0058CA13 83C4 F0 add esp,-10
0058CA16 B8 E0C55800 mov eax,MakeSign.0058C5E0
0058CA1B E8 64A2E7FF call MakeSign.00406C84
0058CA20 A1 A48B5900 mov eax,dword ptr ds:[598BA4]
0058CA25 8B00 mov eax,dword ptr ds:[eax]
0058CA27 E8 4427EEFF call MakeSign.0046F170
0058CA2C A1 A48B5900 mov eax,dword ptr ds:[598BA4]
0058CA31 8B00 mov eax,dword ptr ds:[eax]
0058CA33 BA 70CA5800 mov edx,MakeSign.0058CA70
0058CA38 E8 3F23EEFF call MakeSign.0046ED7C
0058CA3D 8B0D 90885900 mov ecx,dword ptr ds:[598890] ; MakeSign.005A5BE8
0058CA43 A1 A48B5900 mov eax,dword ptr ds:[598BA4]
0058CA48 8B00 mov eax,dword ptr ds:[eax]
Repairing the dump:
Run ImportREC 1.6, pick the process, set OEP to 0018CA10 (the RVA: 0058CA10 minus the 00400000 image base), click IAT AutoSearch and Get Imports; every pointer is valid. Fix Dump!
Rebuild and optimise with LordPE: the file comes out at 1.83 MB, and PEiD now identifies it as Borland Delphi 6.0 - 7.0.
Close OllyDbg and test-run: it runs fine! But... ↓
Then came the surprise: just as I was getting ready to decompile it, the unpacked program we had just run was gone! Strange?! Could this program have a "post-unpack self-check" and the legendary "self-destruct code"? I traced it a bit, and that is exactly what it is. Well, if "you" throw away my hard-won unpacking work, "you" and I are not finished! Below is how to get rid of this annoying "self-destruct self-check". GO~~
—————————————————————————————————
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 【Removing the self-check】 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Reopen OllyDbg and load the unpacked, fixed and optimised "dumped_.exe" (I kept the default dump file name).
In the command bar enter bpx CreateFileA and press Enter; bpx sets a breakpoint on every call to CreateFileA inside the module, which is why the break lands on the program's own call instruction rather than inside kernel32. F9 to run:
After the program starts, click "OK" to close the prompt box and it breaks:
004093BC 50 push eax
004093BD E8 C2DAFFFF call dumped_.00406E84 ; breaks here; F7 into the call, jmp to kernel32.CreateFileA
004093C2 5F pop edi
004093C3 5E pop esi
004093C4 5B pop ebx
004093C5 C3 retn
Inside:
00406E84 - FF25 1C645A00 jmp dword ptr ds:[5A641C] ; F7 once more to follow the jump; kernel32.CreateFileA
00406E8A 8BC0 mov eax,eax
Lands here:
77E5B476 > 55 push ebp ; now in kernel32; F8 all the way through
77E5B477 8BEC mov ebp,esp
77E5B479 FF75 08 push dword ptr ss:[ebp+8]
77E5B47C E8 11FFFFFF call kernel32.77E5B392
77E5B481 85C0 test eax,eax
77E5B483 0F84 A3FF0100 je kernel32.77E7B42C
77E5B489 FF75 20 push dword ptr ss:[ebp+20]
77E5B48C FF75 1C push dword ptr ss:[ebp+1C]
77E5B48F FF75 18 push dword ptr ss:[ebp+18]
77E5B492 FF75 14 push dword ptr ss:[ebp+14]
77E5B495 FF75 10 push dword ptr ss:[ebp+10]
77E5B498 FF75 0C push dword ptr ss:[ebp+C]
77E5B49B FF70 04 push dword ptr ds:[eax+4]
77E5B49E E8 EEFBFFFF call kernel32.CreateFileW
77E5B4A3 5D pop ebp
77E5B4A4 C2 1C00 retn 1C ; F8 to here and return
Returns here (the address right after the breakpoint):
004093C2 5F pop edi ; registers restored; F7 single-step, edi=00B80000
004093C3 5E pop esi ; esi=00BC689C
004093C4 5B pop ebx ; ebx=00B8942C
004093C5 C3 retn ; returns to the next stage of the check
Returns here:
0041F9D5 8BC8 mov ecx,eax ; returned here
0041F9D7 33D2 xor edx,edx
0041F9D9 8BC3 mov eax,ebx
0041F9DB E8 7CFEFFFF call dumped_.0041F85C
0041F9E0 837B 04 00 cmp dword ptr ds:[ebx+4],0
0041F9E4 7D 24 jge short dumped_.0041FA0A
0041F9E6 8975 F4 mov dword ptr ss:[ebp-C],esi
0041F9E9 C645 F8 0B mov byte ptr ss:[ebp-8],0B
0041F9ED 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0041F9F0 50 push eax
0041F9F1 6A 00 push 0
0041F9F3 8B0D A08C5900 mov ecx,dword ptr ds:[598CA0] ; dumped_.00418198
0041F9F9 B2 01 mov dl,1
0041F9FB A1 E49E4100 mov eax,dword ptr ds:[419EE4]
0041FA00 E8 03D1FEFF call dumped_.0040CB08
0041FA05 E8 0E46FEFF call dumped_.00404018
0041FA0A 8BC3 mov eax,ebx
0041FA0C 807D FF 00 cmp byte ptr ss:[ebp-1],0
0041FA10 74 0F je short dumped_.0041FA21
0041FA12 E8 F141FEFF call dumped_.00403C08
0041FA17 64:8F05 00000000 pop dword ptr fs:[0]
0041FA1E 83C4 0C add esp,0C
0041FA21 8BC3 mov eax,ebx
0041FA23 5F pop edi
0041FA24 5E pop esi
0041FA25 5B pop ebx
0041FA26 8BE5 mov esp,ebp
0041FA28 5D pop ebp
0041FA29 C2 0800 retn 8 ; another stretch of F8 brings us to this return
Returns here:
0041F945 8BC6 mov eax,esi
0041F947 84DB test bl,bl
0041F949 74 0F je short dumped_.0041F95A
0041F94B E8 B842FEFF call dumped_.00403C08
0041F950 64:8F05 00000000 pop dword ptr fs:[0]
0041F957 83C4 0C add esp,0C
0041F95A 8BC6 mov eax,esi
0041F95C 5E pop esi
0041F95D 5B pop ebx
0041F95E 5D pop ebp
0041F95F C2 0400 retn 4 ; F8 again to this return
Returns here: (★ Important ★)
00581E4A 8945 F4 mov dword ptr ss:[ebp-C],eax
00581E4D 33C0 xor eax,eax ; eax held 00B8942C before the xor (the value just stored at [ebp-C]; it differs between the packed and unpacked runs); zeroing it sets up the fs:[eax] SEH frame below
00581E4F 55 push ebp
00581E50 68 7C1E5800 push dumped_.00581E7C
00581E55 64:FF30 push dword ptr fs:[eax]
00581E58 64:8920 mov dword ptr fs:[eax],esp
00581E5B 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00581E5E E8 D5D5E9FF call dumped_.0041F438 ; the self-check call: as the next line shows, it returns the size of the executable on disk, not a CRC
00581E63 8945 F8 mov dword ptr ss:[ebp-8],eax ; the file size is saved: eax=001D5200 // 1D5200 = 1,921,536 bytes, the size of our dump
00581E66 33C0 xor eax,eax ; eax (which held 001D5200) is zeroed for the SEH frame teardown
00581E68 5A pop edx
00581E69 59 pop ecx
00581E6A 59 pop ecx
00581E6B 64:8910 mov dword ptr fs:[eax],edx
00581E6E 68 831E5800 push dumped_.00581E83
00581E73 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00581E76 E8 D119E8FF call dumped_.0040384C
00581E7B C3 retn
00581E7C ^\E9 5F21E8FF jmp dumped_.00403FE0
00581E81 ^ EB F0 jmp short dumped_.00581E73
00581E83 33C0 xor eax,eax
00581E85 5A pop edx
00581E86 59 pop ecx
00581E87 59 pop ecx
00581E88 64:8910 mov dword ptr fs:[eax],edx
00581E8B EB 0A jmp short dumped_.00581E97
00581E8D ^ E9 9A1EE8FF jmp dumped_.00403D2C
00581E92 E8 FD21E8FF call dumped_.00404094
00581E97 33C0 xor eax,eax
00581E99 5A pop edx
00581E9A 59 pop ecx
00581E9B 59 pop ecx
00581E9C 64:8910 mov dword ptr fs:[eax],edx
00581E9F 68 B41E5800 push dumped_.00581EB4
00581EA4 8D45 FC lea eax,dword ptr ss:[ebp-4]
00581EA7 E8 9027E8FF call dumped_.0040463C
00581EAC C3 retn
00581EAD ^\E9 2E21E8FF jmp dumped_.00403FE0
00581EB2 ^ EB F0 jmp short dumped_.00581EA4
00581EB4 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; final result back into eax, stack ss:[0012FDBC]=001D5200
00581EB7 5F pop edi
00581EB8 5E pop esi
00581EB9 5B pop ebx
00581EBA 8BE5 mov esp,ebp
00581EBC 5D pop ebp
00581EBD C3 retn ; returns the size to the caller, which decides what happens next!
Returns here: (★ Important ★ [Site 1])
00584B87 E8 78D2FFFF call dumped_.00581E04
00584B8C 3D 00A00F00 cmp eax,0FA000 ; the size limit: FA000. The packed original is under this; an unpacked dump is larger, so this is the anti-unpacking check
; FA000 = 1,024,000 bytes
00584B91 7E 1C jle short dumped_.00584BAF ; jle is taken only when the size is at most FA000; that is the normal path, so this jump must be taken!
*************************
Code patch:
00584B8C 3D 00A00F00 cmp eax,0FA000 // I change it to: cmp eax,0FFFFFFF (268,435,455 bytes, about 256 MB; how many programs are bigger than that?). The encoding becomes 3D FFFFFF0F, still 5 bytes, so nothing shifts
*************************
00584B93 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00584B96 A1 A48B5900 mov eax,dword ptr ds:[598BA4]
00584B9B 8B00 mov eax,dword ptr ds:[eax]
00584B9D E8 3EACEEFF call dumped_.0046F7E0
00584BA2 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00584BA5 E8 16D3FFFF call dumped_.00581EC0
00584BAA E8 19F9E7FF call dumped_.004044C8
00584BAF E8 E0D4FFFF call dumped_.00582094
00584BB4 84C0 test al,al
00584BB6 74 1C je short dumped_.00584BD4 ; taken
00584BB8 8D55 EC lea edx,dword ptr ss:[ebp-14]
00584BBB A1 A48B5900 mov eax,dword ptr ds:[598BA4]
00584BC0 8B00 mov eax,dword ptr ds:[eax]
00584BC2 E8 19ACEEFF call dumped_.0046F7E0
00584BC7 8B45 EC mov eax,dword ptr ss:[ebp-14]
00584BCA E8 F1D2FFFF call dumped_.00581EC0
00584BCF E8 F4F8E7FF call dumped_.004044C8
00584BD4 8B83 B8040000 mov eax,dword ptr ds:[ebx+4B8]
00584BDA E8 8D9CFEFF call dumped_.0056E86C
00584BDF E8 ECD7FFFF call dumped_.005823D0
00584BE4 8B93 44030000 mov edx,dword ptr ds:[ebx+344]
00584BEA 8B52 48 mov edx,dword ptr ds:[edx+48]
00584BED 3BC2 cmp eax,edx
00584BEF 7E 02 jle short dumped_.00584BF3 ; taken
00584BF1 8BC2 mov eax,edx
00584BF3 8BD0 mov edx,eax
00584BF5 8B83 48030000 mov eax,dword ptr ds:[ebx+348]
00584BFB E8 748DECFF call dumped_.0044D974
00584C00 8B83 C4040000 mov eax,dword ptr ds:[ebx+4C4]
00584C06 E8 619CFEFF call dumped_.0056E86C
00584C0B E8 90D8FFFF call dumped_.005824A0
00584C10 8B93 44030000 mov edx,dword ptr ds:[ebx+344]
00584C16 8B52 4C mov edx,dword ptr ds:[edx+4C]
00584C19 3BC2 cmp eax,edx
00584C1B 7E 02 jle short dumped_.00584C1F ; taken
00584C1D 8BC2 mov eax,edx
00584C1F 8BD0 mov edx,eax
00584C21 8B83 48030000 mov eax,dword ptr ds:[ebx+348]
00584C27 E8 6C8DECFF call dumped_.0044D998
00584C2C 8B93 44030000 mov edx,dword ptr ds:[ebx+344]
00584C32 8B52 48 mov edx,dword ptr ds:[edx+48]
00584C35 8B83 48030000 mov eax,dword ptr ds:[ebx+348]
00584C3B 2B50 48 sub edx,dword ptr ds:[eax+48]
00584C3E D1FA sar edx,1
00584C40 79 03 jns short dumped_.00584C45 ; taken
00584C42 83D2 00 adc edx,0
00584C45 E8 DE8CECFF call dumped_.0044D928
00584C4A 8B93 44030000 mov edx,dword ptr ds:[ebx+344]
00584C50 8B52 4C mov edx,dword ptr ds:[edx+4C]
00584C53 8B83 48030000 mov eax,dword ptr ds:[ebx+348]
00584C59 2B50 4C sub edx,dword ptr ds:[eax+4C]
00584C5C D1FA sar edx,1
00584C5E 79 03 jns short dumped_.00584C63 ; taken
00584C60 83D2 00 adc edx,0
00584C63 E8 E48CECFF call dumped_.0044D94C
00584C68 B2 06 mov dl,6
00584C6A 8B83 4C030000 mov eax,dword ptr ds:[ebx+34C]
00584C70 E8 578AECFF call dumped_.0044D6CC
00584C75 B2 05 mov dl,5
00584C77 8B83 4C030000 mov eax,dword ptr ds:[ebx+34C]
00584C7D E8 4A8AECFF call dumped_.0044D6CC
00584C82 8BC3 mov eax,ebx
00584C84 E8 939AECFF call dumped_.0044E71C
00584C89 B2 06 mov dl,6
00584C8B 8B83 4C030000 mov eax,dword ptr ds:[ebx+34C]
00584C91 E8 368AECFF call dumped_.0044D6CC
00584C96 8B83 48030000 mov eax,dword ptr ds:[ebx+348]
00584C9C 8B50 48 mov edx,dword ptr ds:[eax+48]
00584C9F 83EA 02 sub edx,2
00584CA2 8B83 4C030000 mov eax,dword ptr ds:[ebx+34C]
00584CA8 E8 C78CECFF call dumped_.0044D974
00584CAD 8B83 48030000 mov eax,dword ptr ds:[ebx+348]
00584CB3 8B50 4C mov edx,dword ptr ds:[eax+4C]
00584CB6 83EA 02 sub edx,2
00584CB9 8B83 4C030000 mov eax,dword ptr ds:[ebx+34C]
00584CBF E8 D48CECFF call dumped_.0044D998
00584CC4 8B83 64030000 mov eax,dword ptr ds:[ebx+364]
00584CCA 66:BE EBFF mov si,0FFEB
00584CCE E8 75EDE7FF call dumped_.00403A48 ; F7 into it: the program runs the check a second time
Inside, the bpx CreateFileA breakpoint fires again at 004093BD and exactly the same chain as above repeats: 00406E84 jmp to kernel32.CreateFileA, F8 through kernel32 to 77E5B4A4 retn 1C, back at 004093C2 (pop edi/esi/ebx, retn), through 0041F9D5 ... 0041FA29 retn 8 and 0041F945 ... 0041F95F retn 4, into 00581E4A where 0041F438 is called again and once more stores eax=001D5200 (the file size) at [ebp-8]. Only the final 00581EBD retn lands somewhere different this time:
Returns here: (★ Important ★ [Site 2])
005842C4 E8 3BDBFFFF call dumped_.00581E04
005842C9 3D 00A00F00 cmp eax,0FA000 ; the same FA000 size limit as at site 1
; FA000 = 1,024,000 bytes
005842CE 7E 05 jle short dumped_.005842D5 ; taken only when the size is at most FA000; must be taken!
*************************
Code patch:
005842C9 3D 00A00F00 cmp eax,0FA000 // again changed to cmp eax,0FFFFFFF (same 5-byte encoding, 3D FFFFFF0F)
*************************
*************************
005842D0 BB 01000000 mov ebx,1
005842D5 4B dec ebx
005842D6 0F85 0C020000 jnz dumped_.005844E8 ; taken on the normal path (must be!). On the failing path ebx was just set to 1, dec ebx makes it 0 and execution falls through into the system.ini code below, which reads the keys "date" and "protect" from section [hsjsign_install] and writes a counter back through the ini object's virtual methods (call [ebx] reads a string, call [ebx+4] writes one)
005842DC B9 24475800 mov ecx,dumped_.00584724 ; ASCII "system.ini"
005842E1 B2 01 mov dl,1
005842E3 A1 04084700 mov eax,dword ptr ds:[470804]
005842E8 E8 C7C5EEFF call dumped_.004708B4
005842ED 8BF0 mov esi,eax
005842EF 68 38475800 push dumped_.00584738
005842F4 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
005842FA 50 push eax
005842FB B9 44475800 mov ecx,dumped_.00584744 ; ASCII "date" ★ one of the reasons the unpacked program gets deleted after running ★
00584300 BA 54475800 mov edx,dumped_.00584754 ; ASCII "hsjsign_install" ★ explained in detail later ★
00584305 8BC6 mov eax,esi
00584307 8B18 mov ebx,dword ptr ds:[eax]
00584309 FF13 call dword ptr ds:[ebx]
0058430B 8B95 70FFFFFF mov edx,dword ptr ss:[ebp-90]
00584311 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584314 05 80000000 add eax,80
00584319 E8 7203E8FF call dumped_.00404690
0058431E 8BC6 mov eax,esi
00584320 E8 27F5E7FF call dumped_.0040384C
00584325 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584328 8B80 80000000 mov eax,dword ptr ds:[eax+80]
0058432E E8 7963E8FF call dumped_.0040A6AC
00584333 DBBD 64FFFFFF fstp tbyte ptr ss:[ebp-9C]
00584339 9B wait
0058433A E8 2568E8FF call dumped_.0040AB64
0058433F DBAD 64FFFFFF fld tbyte ptr ss:[ebp-9C]
00584345 DEE1 fsubrp st(1),st
00584347 D9E1 fabs
00584349 D81D 64475800 fcomp dword ptr ds:[584764]
0058434F DFE0 fstsw ax
00584351 9E sahf
00584352 0F86 90010000 jbe dumped_.005844E8
00584358 B9 24475800 mov ecx,dumped_.00584724 ; ASCII "system.ini"
0058435D B2 01 mov dl,1
0058435F A1 04084700 mov eax,dword ptr ds:[470804]
00584364 E8 4BC5EEFF call dumped_.004708B4
00584369 8BF0 mov esi,eax
0058436B 68 38475800 push dumped_.00584738
00584370 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
00584376 50 push eax
00584377 B9 70475800 mov ecx,dumped_.00584770 ; ASCII "protect" ★ one of the reasons the unpacked program gets deleted after running ★
0058437C BA 54475800 mov edx,dumped_.00584754 ; ASCII "hsjsign_install" ★ explained in detail later ★
00584381 8BC6 mov eax,esi
00584383 8B18 mov ebx,dword ptr ds:[eax]
00584385 FF13 call dword ptr ds:[ebx]
00584387 8B95 60FFFFFF mov edx,dword ptr ss:[ebp-A0]
0058438D 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584390 05 80000000 add eax,80
00584395 E8 F602E8FF call dumped_.00404690
0058439A 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058439D 8B80 80000000 mov eax,dword ptr ds:[eax+80]
005843A3 E8 104EE8FF call dumped_.004091B8
005843A8 8BD8 mov ebx,eax
005843AA 43 inc ebx
005843AB 8B45 FC mov eax,dword ptr ss:[ebp-4]
005843AE 8958 0C mov dword ptr ds:[eax+C],ebx
005843B1 8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-A4]
005843B7 8BC3 mov eax,ebx
005843B9 E8 5A4DE8FF call dumped_.00409118
005843BE 8B85 5CFFFFFF mov eax,dword ptr ss:[ebp-A4]
005843C4 50 push eax
005843C5 B9 70475800 mov ecx,dumped_.00584770 ; ASCII "protect" ★ one of the reasons the unpacked program gets deleted after running ★
005843CA BA 54475800 mov edx,dumped_.00584754 ; ASCII "hsjsign_install" ★ explained in detail later ★
005843CF 8BC6 mov eax,esi
005843D1 8B18 mov ebx,dword ptr ds:[eax]
005843D3 FF53 04 call dword ptr ds:[ebx+4]
005843D6 8B45 FC mov eax,dword ptr ss:[ebp-4]
005843D9 8378 0C 01 cmp dword ptr ds:[eax+C],1
005843DD 75 2F jnz short dumped_.0058440E
005843DF E8 8067E8FF call dumped_.0040AB64
005843E4 83C4 F4 add esp,-0C
005843E7 DB3C24 fstp tbyte ptr ss:[esp]
005843EA 9B wait
005843EB 8D85 58FFFFFF lea eax,dword ptr ss:[ebp-A8]
005843F1 E8 B261E8FF call dumped_.0040A5A8
005843F6 8B85 58FFFFFF mov eax,dword ptr ss:[ebp-A8]
005843FC 50 push eax
005843FD B9 44475800 mov ecx,dumped_.00584744 ; ASCII "date" ★ one of the reasons the unpacked program gets deleted after running ★
00584402 BA 54475800 mov edx,dumped_.00584754 ; ASCII "hsjsign_install" ★ explained in detail later ★
00584407 8BC6 mov eax,esi
00584409 8B18 mov ebx,dword ptr ds:[eax]
0058440B FF53 04 call dword ptr ds:[ebx+4]
0058440E 8BC6 mov eax,esi
00584410 E8 37F4E7FF call dumped_.0040384C
00584415 8D95 54FFFFFF lea edx,dword ptr ss:[ebp-AC]
0058441B A1 A48B5900 mov eax,dword ptr ds:[598BA4]
00584420 8B00 mov eax,dword ptr ds:[eax]
00584422 E8 B9B3EEFF call dumped_.0046F7E0
00584427 8B85 54FFFFFF mov eax,dword ptr ss:[ebp-AC]
0058442D E8 8EDAFFFF call dumped_.00581EC0
00584432 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584435 8B40 0C mov eax,dword ptr ds:[eax+C]
00584438 83F8 01 cmp eax,1
0058443B 0F8E A2000000 jle dumped_.005844E3
00584441 83F8 02 cmp eax,2
00584444 75 34 jnz short dumped_.0058447A
00584446 6A 00 push 0
00584448 68 78475800 push dumped_.00584778
0058444D 68 80475800 push dumped_.00584780
00584452 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584455 E8 CA05EDFF call dumped_.00454A24
0058445A 50 push eax
0058445B E8 E433E8FF call dumped_.00407844 ; jmp to user32.MessageBoxA
00584460 6A 00 push 0
00584462 68 64485800 push dumped_.00584864
00584467 68 70485800 push dumped_.00584870
0058446C 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058446F E8 B005EDFF call dumped_.00454A24
00584474 50 push eax
00584475 E8 CA33E8FF call dumped_.00407844 ; jmp to user32.MessageBoxA
0058447A E8 95E6E7FF call dumped_.00402B14
0058447F B8 0A000000 mov eax,0A
00584484 E8 7BECE7FF call dumped_.00403104
00584489 8D95 50FFFFFF lea edx,dword ptr ss:[ebp-B0]
0058448F E8 844CE8FF call dumped_.00409118
00584494 8B85 50FFFFFF mov eax,dword ptr ss:[ebp-B0]
0058449A 8A10 mov dl,byte ptr ds:[eax]
0058449C 8B45 FC mov eax,dword ptr ss:[ebp-4]
0058449F 05 80000000 add eax,80
005844A4 E8 7303E8FF call dumped_.0040481C
005844A9 8B45 FC mov eax,dword ptr ss:[ebp-4]
005844AC 8B80 80000000 mov eax,dword ptr ds:[eax+80]
005844B2 E8 014DE8FF call dumped_.004091B8
005844B7 8BD8 mov ebx,eax
005844B9 8B45 FC mov eax,dword ptr ss:[ebp-4]
005844BC 8958 0C mov dword ptr ds:[eax+C],ebx
005844BF D1FB sar ebx,1
005844C1 79 03 jns short dumped_.005844C6
005844C3 83D3 00 adc ebx,0
005844C6 85DB test ebx,ebx
005844C8 75 12 jnz short dumped_.005844DC
005844CA 8B45 FC mov eax,dword ptr ss:[ebp-4]
005844CD 8B80 7C060000 mov eax,dword ptr ds:[eax+67C]
005844D3 B2 01 mov dl,1
005844D5 E8 4EF2EBFF call dumped_.00443728
005844DA EB 0C jmp short dumped_.005844E8
005844DC E8 E7FFE7FF call dumped_.004044C8
005844E1 EB 05 jmp short dumped_.005844E8
005844E3 E8 E0FFE7FF call dumped_.004044C8
005844E8 33C0 xor eax,eax ; eax zeroed for the SEH frame teardown (it held 001D5200)
005844EA 5A pop edx
005844EB 59 pop ecx
005844EC 59 pop ecx
005844ED 64:8910 mov dword ptr fs:[eax],edx
005844F0 68 A8455800 push dumped_.005845A8
005844F5 8B45 FC mov eax,dword ptr ss:[ebp-4]
005844F8 8B80 9C030000 mov eax,dword ptr ds:[eax+39C]
005844FE 33D2 xor edx,edx
00584500 E8 57F8EFFF call dumped_.00483D5C
00584505 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584508 8B80 4C030000 mov eax,dword ptr ds:[eax+34C]
0058450E B2 05 mov dl,5
00584510 E8 B791ECFF call dumped_.0044D6CC
00584515 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584518 8B80 28060000 mov eax,dword ptr ds:[eax+628]
0058451E 33D2 xor edx,edx
00584520 E8 DB9BECFF call dumped_.0044E100
00584525 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584528 8B80 5C060000 mov eax,dword ptr ds:[eax+65C]
0058452E 33D2 xor edx,edx
00584530 E8 CB9BECFF call dumped_.0044E100
00584535 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584538 8B80 60030000 mov eax,dword ptr ds:[eax+360]
0058453E 33D2 xor edx,edx
00584540 E8 BB9BECFF call dumped_.0044E100
00584545 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584548 8B80 68030000 mov eax,dword ptr ds:[eax+368]
0058454E 33D2 xor edx,edx
00584550 E8 AB9BECFF call dumped_.0044E100
00584555 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584558 8B80 6C030000 mov eax,dword ptr ds:[eax+36C]
0058455E 33D2 xor edx,edx
00584560 E8 9B9BECFF call dumped_.0044E100
00584565 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584568 8B80 70030000 mov eax,dword ptr ds:[eax+370]
0058456E 33D2 xor edx,edx
00584570 E8 8B9BECFF call dumped_.0044E100
00584575 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584578 8B80 0C060000 mov eax,dword ptr ds:[eax+60C]
0058457E 33D2 xor edx,edx
00584580 E8 7B9BECFF call dumped_.0044E100
00584585 8B45 FC mov eax,dword ptr ss:[ebp-4]
00584588 8B80 4C030000 mov eax,dword ptr ds:[eax+34C]
0058458E 33D2 xor edx,edx
00584590 E8 6B9BECFF call dumped_.0044E100
00584595 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00584598 E8 AFF2E7FF call dumped_.0040384C
0058459D C3 retn
0058459E ^\E9 3DFAE7FF jmp dumped_.00403FE0
005845A3 ^ E9 4DFFFFFF jmp dumped_.005844F5
005845A8 33C0 xor eax,eax ; eax zeroed, eax=00000000
005845AA 5A pop edx
005845AB 59 pop ecx ; ecx=00000000
005845AC 59 pop ecx ; ecx=00584660
005845AD 64:8910 mov dword ptr fs:[eax],edx
005845B0 68 6A465800 push dumped_.0058466A
005845B5 8D85 50FFFFFF lea eax,dword ptr ss:[ebp-B0]
005845BB BA 05000000 mov edx,5
005845C0 E8 9B00E8FF call dumped_.00404660
005845C5 8D85 70FFFFFF lea eax,dword ptr ss:[ebp-90]
005845CB BA 03000000 mov edx,3
005845D0 E8 8B00E8FF call dumped_.00404660
005845D5 8D85 7CFFFFFF lea eax,dword ptr ss:[ebp-84]
005845DB E8 5C00E8FF call dumped_.0040463C
005845E0 8D45 80 lea eax,dword ptr ss:[ebp-80]
005845E3 E8 8007E8FF call dumped_.00404D68
005845E8 8D45 84 lea eax,dword ptr ss:[ebp-7C]
005845EB E8 4C00E8FF call dumped_.0040463C
005845F0 8D45 88 lea eax,dword ptr ss:[ebp-78]
005845F3 E8 7007E8FF call dumped_.00404D68
005845F8 8D45 8C lea eax,dword ptr ss:[ebp-74]
005845FB E8 3C00E8FF call dumped_.0040463C
00584600 8D45 90 lea eax,dword ptr ss:[ebp-70]
00584603 E8 6007E8FF call dumped_.00404D68
00584608 8D45 94 lea eax,dword ptr ss:[ebp-6C]
0058460B E8 2C00E8FF call dumped_.0040463C
00584610 8D45 98 lea eax,dword ptr ss:[ebp-68]
00584613 E8 5007E8FF call dumped_.00404D68
00584618 8D45 9C lea eax,dword ptr ss:[ebp-64]
0058461B E8 1C00E8FF call dumped_.0040463C
00584620 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00584623 E8 4007E8FF call dumped_.00404D68
00584628 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
0058462B BA 06000000 mov edx,6
00584630 E8 2B00E8FF call dumped_.00404660
00584635 8D45 BC lea eax,dword ptr ss:[ebp-44]
00584638 BA 07000000 mov edx,7
0058463D E8 1E00E8FF call dumped_.00404660
00584642 8D45 D8 lea eax,dword ptr ss:[ebp-28]
00584645 E8 F2FFE7FF call dumped_.0040463C
0058464A 8D45 E0 lea eax,dword ptr ss:[ebp-20]
0058464D BA 03000000 mov edx,3
00584652 E8 0900E8FF call dumped_.00404660
00584657 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0058465A E8 0907E8FF call dumped_.00404D68
0058465F C3 retn
00584660 ^\E9 7BF9E7FF jmp dumped_.00403FE0
00584665 ^ E9 4BFFFFFF jmp dumped_.005845B5
0058466A 5F pop edi ; edi=00470850
0058466B 5E pop esi ; esi=0043E118
0058466C 5B pop ebx ; ebx=FFFFFFFF
0058466D 8BE5 mov esp,ebp
0058466F 5D pop ebp
00584670 C3 retn ; second check passed normally; return its result
Returns here:
0044F798 FF93 20010000 call dword ptr ds:[ebx+120]
0044F79E 5B pop ebx ; returned here, ebx=00B762AC
0044F79F C3 retn ; keeps returning the check result
Returns here:
0043E134 E8 FB150100 call dumped_.0044F734
0043E139 5B pop ebx ; stack [0012FDC4]=00B6D110 (00B6D110), ebx=00B762AC
0043E13A C3 retn ; keeps returning the check result
Returns here:
00584CCE E8 75EDE7FF call dumped_.00403A48
00584CD3 33C0 xor eax,eax ; returned here; eax (which held 0012FDA8) is zeroed
00584CD5 5A pop edx ; edx=00000000
00584CD6 59 pop ecx ; ecx=00000000
00584CD7 59 pop ecx ; ecx=00584CEE
00584CD8 64:8910 mov dword ptr fs:[eax],edx
00584CDB 68 F54C5800 push dumped_.00584CF5
00584CE0 8D45 EC lea eax,dword ptr ss:[ebp-14]
00584CE3 BA 05000000 mov edx,5
00584CE8 E8 73F9E7FF call dumped_.00404660
00584CED C3 retn
00584CEE ^\E9 EDF2E7FF jmp dumped_.00403FE0
00584CF3 ^ EB EB jmp short dumped_.00584CE0
00584CF5 5F pop edi ; edi=00470850
00584CF6 5E pop esi ; esi=0043E118
00584CF7 5B pop ebx ; ebx=00B6D110
00584CF8 8BE5 mov esp,ebp
00584CFA 5D pop ebp
00584CFB C3 retn ; keeps returning the check result
Returns here:
0044376F FF53 38 call dword ptr ds:[ebx+38]
00443772 5B pop ebx ; returned here, ebx=00BBC654
00443773 C3 retn ; keeps returning the check result
Returns here:
00443658 33C0 xor eax,eax ; returned here; eax cleared, eax=00000000
0044365A 5A pop edx
0044365B 59 pop ecx
0044365C 59 pop ecx
0044365D 64:8910 mov dword ptr fs:[eax],edx
00443660 EB 33 jmp short dumped_.00443695
00443662 ^ E9 C506FCFF jmp dumped_.00403D2C
00443667 A1 A48B5900 mov eax,dword ptr ds:[598BA4]
0044366C 8B00 mov eax,dword ptr ds:[eax]
0044366E 8B55 FC mov edx,dword ptr ss:[ebp-4]
00443671 E8 92BC0200 call dumped_.0046F308
00443676 E8 190AFCFF call dumped_.00404094
0044367B EB 18 jmp short dumped_.00443695
0044367D 8B43 08 mov eax,dword ptr ds:[ebx+8]
00443680 50 push eax
00443681 8B43 04 mov eax,dword ptr ds:[ebx+4]
00443684 50 push eax
00443685 56 push esi
00443686 8B45 FC mov eax,dword ptr ss:[ebp-4]
00443689 8B40 34 mov eax,dword ptr ds:[eax+34]
0044368C 50 push eax
0044368D E8 423EFCFF call dumped_.004074D4 ; jmp to user32.DefWindowProcA
00443692 8943 0C mov dword ptr ds:[ebx+C],eax
00443695 5F pop edi
00443696 5E pop esi
00443697 5B pop ebx
00443698 59 pop ecx
00443699 5D pop ebp
0044369A C3 retn ; keeps returning the check result
Returns here:
00426448 FF11 call dword ptr ds:[ecx]
0042644A 83C4 0C add esp,0C ; returned here
0042644D 58 pop eax ; eax cleared, eax=00000000
0042644E 5D pop ebp
0042644F C2 1000 retn 10 ; keeps returning the check result
Returns here:
77D37AD7 817C24 04 CDABBADC cmp dword ptr ss:[esp+4],DCBAABCD ; returned here, stack ss:[0012FE58]=DCBAABCD
77D37ADF 74 11 je short user32.77D37AF2
77D37AE1 813C24 CDABBADC cmp dword ptr ss:[esp],DCBAABCD
77D37AE8 75 05 jnz short user32.77D37AEF
77D37AEA 83EC 04 sub esp,4
77D37AED EB 03 jmp short user32.77D37AF2
77D37AEF 83C4 10 add esp,10
77D37AF2 83C4 08 add esp,8
77D37AF5 5B pop ebx
77D37AF6 5F pop edi
77D37AF7 5E pop esi
77D37AF8 5D pop ebp
77D37AF9 C2 1400 retn 14 ; keeps returning the check result
Returns here:
77D3CCD4 8945 E4 mov dword ptr ss:[ebp-1C],eax ; returned here
77D3CCD7 ^ EB B0 jmp short user32.77D3CC89 ; jumps backwards
The backward jump lands here:
77D3CC89 834D FC FF or dword ptr ss:[ebp-4],FFFFFFFF
77D3CC8D E8 49000000 call user32.77D3CCDB
77D3CC92 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
77D3CC95 E8 B7070200 call user32.77D5D451
77D3CC9A C2 2000 retn 20
Returns here:
77D14455 8BC8 mov ecx,eax ; returned here
77D14457 A1 585ED677 mov eax,dword ptr ds:[77D65E58]
77D1445C F640 02 04 test byte ptr ds:[eax+2],4
77D14460 ^ 75 AF jnz short user32.77D14411 ; jumps back (to a lower address)
The jump lands here:
77D14411 33D2 xor edx,edx
77D14413 3955 E4 cmp dword ptr ss:[ebp-1C],edx
77D14416 74 4A je short user32.77D14462 ; forward jump
The listing continues after the je:
77D14418 |64:A1 18000000 mov eax,dword ptr fs:[18]
77D1441E |3990 40070000 cmp dword ptr ds:[eax+740],edx
77D14424 |74 3C je short user32.77D14462
77D14426 |64:A1 18000000 mov eax,dword ptr fs:[18]
...... (too much code; part of it is omitted here)
0046F047 E8 C084F9FF call dumped_.0040750C ; jmp to user32.DispatchMessageA
0046F04C EB 07 jmp short dumped_.0046F055 ; we finally return here; clearly the author put some real effort into the second check
0046F04E C686 9C000000 01 mov byte ptr ds:[esi+9C],1
0046F055 8BC3 mov eax,ebx
0046F057 5A pop edx
0046F058 5F pop edi
0046F059 5E pop esi
0046F05A 5B pop ebx
0046F05B C3 retn ; last preparations before returning to the program
Returns here:
0046F07E E8 41FFFFFF call dumped_.0046EFC4
0046F083 84C0 test al,al ; returned here, al=01
0046F085 75 09 jnz short dumped_.0046F090
0046F087 8BD4 mov edx,esp
0046F089 8BC3 mov eax,ebx
0046F08B E8 98080000 call dumped_.0046F928
0046F090 83C4 1C add esp,1C
0046F093 5B pop ebx
0046F094 C3 retn ; last preparations before returning to the program
Returns here: (★)
0046F2A3 33C0 xor eax,eax ; returned here
0046F2A5 5A pop edx
0046F2A6 59 pop ecx
0046F2A7 59 pop ecx
0046F2A8 64:8910 mov dword ptr fs:[eax],edx
0046F2AB EB 15 jmp short dumped_.0046F2C2
0046F2AD ^ E9 7A4AF9FF jmp dumped_.00403D2C
0046F2B2 8B55 FC mov edx,dword ptr ss:[ebp-4]
0046F2B5 8B45 FC mov eax,dword ptr ss:[ebp-4]
0046F2B8 E8 4B000000 call dumped_.0046F308
0046F2BD E8 D24DF9FF call dumped_.00404094
0046F2C2 8B45 FC mov eax,dword ptr ss:[ebp-4]
0046F2C5 80B8 9C000000 00 cmp byte ptr ds:[eax+9C],0
0046F2CC ^ 74 BF je short dumped_.0046F28D ; jumps back up: this is a loop
0046F2CE 33C0 xor eax,eax
0046F2D0 5A pop edx
0046F2D1 59 pop ecx
0046F2D2 59 pop ecx
0046F2D3 64:8910 mov dword ptr fs:[eax],edx
0046F2D6 68 EDF24600 push dumped_.0046F2ED
0046F2DB 8B45 FC mov eax,dword ptr ss:[ebp-4]
0046F2DE C680 A5000000 00 mov byte ptr ds:[eax+A5],0
0046F2E5 C3 retn ; back to the program, which keeps checking at every turn
●KuNgBiM tip●
A program that uses a CRC-style self-check hardly ever uses it in only one place. So strike while the iron is hot: search the code for the same instruction and patch every identical site in one go!
That is not foolproof or complete, though. The most thorough way is a hex search in UltraEdit, WinHex or a similar editor. What this article focuses on is the tracing approach: following the code to find the key information.
Using that approach, Ctrl+S in OD for "cmp eax,0FA000" really does turn up one more site:
(★ Important ★ [Site 3])
00584E88 E8 77CFFFFF call dumped_.00581E04
00584E8D 3D 00A00F00 cmp eax,0FA000 ; the same FA000 size limit
; FA000 = 1,024,000 bytes
00584E92 7E 1C jle short dumped_.00584EB0 ; taken only when the size is at most FA000; must be taken!
*************************
Code patch:
00584E8D 3D 00A00F00 cmp eax,0FA000 // again changed to cmp eax,0FFFFFFF (same 5-byte encoding, 3D FFFFFF0F)
*************************
●KuNgBiM tip●
That completes the patching. One warning: a hex search for "00A00F" finds 4 hits, but only 3 need changing; the fourth is a check in the program's UI code that decides whether the window has a border. If a borderless window looks fine to you, go ahead and patch all four with the UltraEdit/WinHex search-and-replace; otherwise do it my way, step by step, the "hard way". Searching for the full 5-byte instruction 3D 00 A0 0F 00 and checking each hit's address against the three sites listed below keeps the fourth one untouched.
————————————————————————————————————————
【Summary of the self-check patch points】
00584B8C 3D 00A00F00 cmp eax,0FA000
005842C9 3D 00A00F00 cmp eax,0FA000
00584E8D 3D 00A00F00 cmp eax,0FA000
Replace every one of these "cmp eax,0FA000" with "cmp eax,0FFFFFFF" (bytes 3D 00 A0 0F 00 -> 3D FF FF FF 0F) and save.
Run the patched program again: OK, it runs normally! Self-check removed ~~~~ haha ~~ and the program no longer "kills itself" ~~ which makes it much easier to study its algorithm later ~~~~
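Patching the three sites by hand in OD works, but for a file you will re-dump more than once a script that patches by address is handier. The script below is an added example, not part of the original write-up or of the program. It assumes the three virtual addresses from the summary above, a PE32 image with the 00400000 image base the listings show, and the original 5-byte encoding 3D 00 A0 0F 00 at each site. It lists every occurrence of those bytes (so the extra hit mentioned in the tip is visible) but rewrites the immediate only at the three listed addresses, refusing if the bytes there are not the expected cmp. The demo image it builds is constructed test data standing in for dumped_.exe, not the real file.

```python
"""patch_sizecheck.py: list and patch the cmp eax,0FA000 self-check sites in a PE32 file.
Added example for this write-up; PATCH_SITES are the three addresses from the summary above."""
import struct
import sys

OLD_LIMIT = 0x000FA000                                # original threshold: 1,024,000 bytes
NEW_LIMIT = 0x0FFFFFFF                                # patched threshold: about 256 MB
CMP_EAX_OLD = b"\x3D" + struct.pack("<I", OLD_LIMIT)  # bytes of cmp eax,0FA000
JLE_SHORT = 0x7E                                      # opcode of jle rel8, which follows each site
PATCH_SITES = [0x00584B8C, 0x005842C9, 0x00584E8D]    # the three sites listed in the summary


def parse_sections(image):
    """Return (image_base, [(vaddr, vsize, raw_ptr, raw_size), ...]) from a PE32 header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe + 4
    nsect = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append((vaddr, vsize, rptr, rsize))
    return image_base, sections


def va_to_offset(va, image_base, sections):
    """Map a virtual address to a file offset through the section table."""
    rva = va - image_base
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + (rva - vaddr)
    raise ValueError(f"VA {va:#010x} is not backed by any section")


def offset_to_va(offset, image_base, sections):
    """Inverse mapping; None for bytes outside every section's raw data."""
    for vaddr, vsize, rptr, rsize in sections:
        if rptr <= offset < rptr + rsize:
            return image_base + vaddr + (offset - rptr)
    return None


def find_cmp_sites(image):
    """Every occurrence of the 5-byte cmp eax,0FA000 as (file_offset, va_or_None), in file order."""
    image_base, sections = parse_sections(image)
    hits, pos = [], image.find(CMP_EAX_OLD)
    while pos >= 0:
        hits.append((pos, offset_to_va(pos, image_base, sections)))
        pos = image.find(CMP_EAX_OLD, pos + 1)
    return hits


def patch_sites(image, vas, new_limit=NEW_LIMIT):
    """Rewrite the imm32 at each listed VA; refuse if the bytes there are not cmp eax,0FA000."""
    image_base, sections = parse_sections(image)
    out = bytearray(image)
    for va in vas:
        off = va_to_offset(va, image_base, sections)
        if out[off:off + 5] != CMP_EAX_OLD:
            raise ValueError(f"{va:#010x}: expected cmp eax,0FA000, found {out[off:off + 5].hex()}")
        struct.pack_into("<I", out, off + 1, new_limit)  # opcode 3D stays, only the immediate changes
    return bytes(out)


def build_demo_image():
    """Constructed stand-in for dumped_.exe: one section at RVA 184000 with the three sites and a decoy hit."""
    text_rva, text_raw, text_len = 0x184000, 0x200, 0x1000
    hdr = bytearray(text_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)  # COFF header, one section
    opt = 0x44 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, 0x400000)                          # ImageBase, as in the listings
    sec = opt + 224
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIIIIIHHI", hdr, sec + 8, text_len, text_rva, text_len, text_raw, 0, 0, 0, 0, 0x60000020)
    text = bytearray(text_len)
    for va in PATCH_SITES:                                                   # cmp eax,0FA000 / jle short
        off = va - 0x400000 - text_rva
        text[off:off + 7] = CMP_EAX_OLD + bytes([JLE_SHORT, 0x1C])
    text[0xF00:0xF05] = CMP_EAX_OLD                                          # decoy: same bytes, not a listed site
    return bytes(hdr + text)


def main(argv):
    if len(argv) != 3:
        print("usage: patch_sizecheck.py <dumped_.exe> <patched.exe>")
        return 1
    with open(argv[1], "rb") as f:
        data = f.read()
    for off, va in find_cmp_sites(data):
        tag = "PATCH" if va in PATCH_SITES else "skip "
        va_s = "-" if va is None else f"{va:#010x}"
        print(f"{tag} file offset {off:#08x}  va {va_s}")
    with open(argv[2], "wb") as f:
        f.write(patch_sites(data, PATCH_SITES))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python patch_sizecheck.py dumped_.exe dumped_patched.exe. Because the opcode byte stays 3D and only the imm32 changes, instruction lengths are unchanged and nothing else in the code moves; for the same reason, turning the following 7E jle into an EB jmp would also be a one-byte in-place patch, though the cmp rewrite is the one used above.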
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ [Analysis of the program's "suicide" code] \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
With the unpacking and self-check removal done, let us look at why a failed check after unpacking makes the program delete itself:
There are essentially two ways a program can "commit suicide":
① deletion code written by the author into the program itself
② a batch file handed to the system for execution, which deletes the program that failed its check
During the analysis we established that this program uses the latter (②): it writes a batch file named c:\autoexec1.bat and launches it through WinExec. Follow along to watch it happen:
Preparation: several copies of the unpacked but still self-checking program, in case one gets deleted. Our helper: Ollydbg.
————————————————————————————————————————
Open Ollydbg and load the unpacked, repaired "dumped_.exe" (I use the default dump file name).
Repeat the full self-check removal procedure, but when you reach the following point do not modify any code:
00584B87 E8 78D2FFFF call dumped_.00581E04
00584B8C 3D 00A00F00 cmp eax,0FA000 ; size-check value
00584B91 /7E 1C jle short dumped_.00584BAF ; let it run and change nothing, so the check fails!
00584B93 |8D55 F0 lea edx,dword ptr ss:[ebp-10]
00584B96 |A1 A48B5900 mov eax,dword ptr ds:[598BA4]
00584B9B |8B00 mov eax,dword ptr ds:[eax]
00584B9D |E8 3EACEEFF call dumped_.0046F7E0
00584BA2 |8B45 F0 mov eax,dword ptr ss:[ebp-10]
00584BA5 |E8 16D3FFFF call dumped_.00581EC0
00584BAA |E8 19F9E7FF call dumped_.004044C8 ; F8 to here and the program hits the bpx CreateFileA breakpoint again
00584BAF \E8 E0D4FFFF call dumped_.00582094
00584BB4 84C0 test al,al
00584BB6 74 1C je short dumped_.00584BD4
Breakpoint hit:
004093E5 E8 9ADAFFFF call dumped_.00406E84 ; breaks here, as during the self-check removal; jmp to kernel32.CreateFileA
004093EA 5B pop ebx ; the call returns a failure value
004093EB C3 retn
004093EC E8 D7FFFFFF call dumped_.004093C8
004093F1 C3 retn ; returns again, preparing the next check!
Returns to here: (★)
0041F994 8BC8 mov ecx,eax ; returned here, F8 to continue the analysis
0041F996 33D2 xor edx,edx
0041F998 8BC3 mov eax,ebx
0041F99A E8 BDFEFFFF call dumped_.0041F85C
0041F99F 837B 04 00 cmp dword ptr ds:[ebx+4],0
0041F9A3 7D 65 jge short dumped_.0041FA0A ; this jumps
0041F9A5 8975 F4 mov dword ptr ss:[ebp-C],esi
0041F9A8 C645 F8 0B mov byte ptr ss:[ebp-8],0B
0041F9AC 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0041F9AF 50 push eax
0041F9B0 6A 00 push 0
0041F9B2 8B0D 848C5900 mov ecx,dword ptr ds:[598C84] ; dumped_.00418180
0041F9B8 B2 01 mov dl,1
0041F9BA A1 889E4100 mov eax,dword ptr ds:[419E88]
0041F9BF E8 44D1FEFF call dumped_.0040CB08
0041F9C4 E8 4F46FEFF call dumped_.00404018
0041F9C9 EB 3F jmp short dumped_.0041FA0A
0041F9CB 0FB7D7 movzx edx,di
0041F9CE 8BC6 mov eax,esi
0041F9D0 E8 9799FEFF call dumped_.0040936C
0041F9D5 8BC8 mov ecx,eax
0041F9D7 33D2 xor edx,edx
0041F9D9 8BC3 mov eax,ebx
0041F9DB E8 7CFEFFFF call dumped_.0041F85C
0041F9E0 837B 04 00 cmp dword ptr ds:[ebx+4],0
0041F9E4 7D 24 jge short dumped_.0041FA0A
0041F9E6 8975 F4 mov dword ptr ss:[ebp-C],esi
0041F9E9 C645 F8 0B mov byte ptr ss:[ebp-8],0B
0041F9ED 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0041F9F0 50 push eax
0041F9F1 6A 00 push 0
0041F9F3 8B0D A08C5900 mov ecx,dword ptr ds:[598CA0] ; dumped_.00418198
0041F9F9 B2 01 mov dl,1
0041F9FB A1 E49E4100 mov eax,dword ptr ds:[419EE4]
0041FA00 E8 03D1FEFF call dumped_.0040CB08
0041FA05 E8 0E46FEFF call dumped_.00404018
0041FA0A 8BC3 mov eax,ebx ; jumps to here
0041FA0C 807D FF 00 cmp byte ptr ss:[ebp-1],0
0041FA10 74 0F je short dumped_.0041FA21 ; jumps again
0041FA12 E8 F141FEFF call dumped_.00403C08
0041FA17 64:8F05 00000000 pop dword ptr fs:[0]
0041FA1E 83C4 0C add esp,0C
0041FA21 8BC3 mov eax,ebx
0041FA23 5F pop edi
0041FA24 5E pop esi
0041FA25 5B pop ebx
0041FA26 8BE5 mov esp,ebp
0041FA28 5D pop ebp
0041FA29 C2 0800 retn 8 ; returns to the next instruction address
Returns to here:
0041F945 8BC6 mov eax,esi ; returned here
0041F947 84DB test bl,bl
0041F949 74 0F je short dumped_.0041F95A ; this time the jump is not taken
0041F94B E8 B842FEFF call dumped_.00403C08
0041F950 64:8F05 00000000 pop dword ptr fs:[0]
0041F957 83C4 0C add esp,0C
0041F95A 8BC6 mov eax,esi
0041F95C 5E pop esi
0041F95D 5B pop ebx
0041F95E 5D pop ebp
0041F95F C2 0400 retn 4 ; keep returning to the calling address
Returns to here: (★)
0041EA96 8945 FC mov dword ptr ss:[ebp-4],eax ; returned here
0041EA99 33C0 xor eax,eax ; eax=00B7D24C (value before the xor)
0041EA9B 55 push ebp
0041EA9C 68 C7EA4100 push dumped_.0041EAC7
0041EAA1 64:FF30 push dword ptr fs:[eax]
0041EAA4 64:8920 mov dword ptr fs:[eax],esp
0041EAA7 8B55 FC mov edx,dword ptr ss:[ebp-4]
0041EAAA 8BC6 mov eax,esi
0041EAAC 8B08 mov ecx,dword ptr ds:[eax]
0041EAAE FF51 78 call dword ptr ds:[ecx+78]
0041EAB1 33C0 xor eax,eax
0041EAB3 5A pop edx
0041EAB4 59 pop ecx
0041EAB5 59 pop ecx
0041EAB6 64:8910 mov dword ptr fs:[eax],edx
0041EAB9 68 CEEA4100 push dumped_.0041EACE
0041EABE 8B45 FC mov eax,dword ptr ss:[ebp-4]
0041EAC1 E8 864DFEFF call dumped_.0040384C
0041EAC6 C3 retn
0041EAC7 ^ E9 1455FEFF jmp dumped_.00403FE0
0041EACC ^ EB F0 jmp short dumped_.0041EABE
0041EACE 5E pop esi
0041EACF 59 pop ecx
0041EAD0 5D pop ebp
0041EAD1 C3 retn ; the key return: the root cause of the program's "suicide"
Returns to here: (★★★★★)
00581F9E 6A 00 push 0
00581FA0 68 80205800 push dumped_.00582080 ; ASCII "c:\autoexec1.bat"
; a batch file is generated in the root of C: and executed; it carries the delete command the program issues to the system
; ★at this point I have already copied that malicious batch file★
00581FA5 E8 5251E8FF call dumped_.004070FC ; jmp to kernel32.WinExec
00581FAA 33C0 xor eax,eax ; eax=00000021 before the xor: WinExec returns a value greater than 31 on success, so the batch file was launched
00581FAC 5A pop edx
00581FAD 59 pop ecx
00581FAE 59 pop ecx
00581FAF 64:8910 mov dword ptr fs:[eax],edx
00581FB2 EB 0A jmp short dumped_.00581FBE
00581FB4 ^ E9 731DE8FF jmp dumped_.00403D2C
00581FB9 E8 D620E8FF call dumped_.00404094
00581FBE 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; cleared, eax=00000000
00581FC1 E8 8618E8FF call dumped_.0040384C
00581FC6 33C0 xor eax,eax ; xor clears eax, eax=00000000
00581FC8 5A pop edx
00581FC9 59 pop ecx
00581FCA 59 pop ecx
00581FCB 64:8910 mov dword ptr fs:[eax],edx
00581FCE 68 F01F5800 push dumped_.00581FF0
00581FD3 8D45 EC lea eax,dword ptr ss:[ebp-14]
00581FD6 BA 03000000 mov edx,3
00581FDB E8 8026E8FF call dumped_.00404660
00581FE0 8D45 FC lea eax,dword ptr ss:[ebp-4] ; cleared, eax=00000000
00581FE3 E8 5426E8FF call dumped_.0040463C
00581FE8 C3 retn
00581FE9 ^ E9 F21FE8FF jmp dumped_.00403FE0
00581FEE ^ EB E3 jmp short dumped_.00581FD3
00581FF0 5F pop edi ; dumped_.00470850
00581FF1 5E pop esi
00581FF2 5B pop ebx
00581FF3 8BE5 mov esp,ebp
00581FF5 5D pop ebp
00581FF6 C3 retn ; returns to the program; the command is already running
Returns to here: (★★★★★)
00584BAA E8 19F9E7FF call dumped_.004044C8 ; by the time execution gets here the command has run, Game Over ~
00584BAF E8 E0D4FFFF call dumped_.00582094
00584BB4 84C0 test al,al
........
[Cause of the program's "suicide" | contents of the batch file]
:loop
if exist "D:\文章试验品\图章制作系统\dumped_.exe" del "D:\文章试验品\图章制作系统\dumped_.exe"
if exist "D:\文章试验品\图章制作系统\dumped_.exe" goto loop
if not exist "D:\文章试验品\图章制作系统\dumped_.exe" del "c:\autoexec1.bat"
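The following is an added example of my own, not code from the article or from the program. It ties together the two things analysed above: the size self-check at 00584B8C / 005842C9 / 00584E8D with its `cmp eax,0FA000; jle` patch, and the batch file dropped on failure. It emulates the signed `jle` to show why 0FFFFFFF is a safe replacement immediate and 0FFFFFFFF is not, finds every `cmp eax,imm32` hit in a raw image and patches only the offsets you choose (so the fourth, UI-related hit can be left alone), and rebuilds the dropped batch file in the same shape as the captured one without ever executing it. `os.path.getsize` stands in for the size routine at 00581E04, the sample image is constructed, and the helper names, the `c:\autoexec1.bat` default and the scratch-file helper are my assumptions for illustration.

```python
"""Emulation of the size self-check and its patch, plus the batch dropper it triggers.
Added example; the helper names, sample image and paths are assumptions, not the program's code."""
import os
import struct
import tempfile

SIZE_LIMIT = 0x000FA000      # 1,024,000 bytes: the limit in the article's listing
NEW_LIMIT = 0x0FFFFFFF       # the article's replacement, 268,435,455 bytes (~256 MB)
CMP_EAX_IMM32 = 0x3D         # opcode of `cmp eax, imm32` (5-byte encoding)


def signed32(v):
    """Interpret a 32-bit value the way the CPU does for a signed compare."""
    v &= 0xFFFFFFFF
    return v - 0x100000000 if v & 0x80000000 else v


def jle_taken(eax, imm):
    """`cmp eax, imm` followed by `jle` jumps when eax <= imm as signed 32-bit values."""
    return signed32(eax) <= signed32(imm)


def size_check_passes(file_size, limit=SIZE_LIMIT):
    """Mirror of the check at 00584B8C: the jle must be taken for the program to run."""
    return jle_taken(file_size, limit)


def find_cmp_eax(data, imm):
    """File offsets of every `cmp eax, imm` (3D + little-endian imm32) in a raw image."""
    pat = bytes([CMP_EAX_IMM32]) + struct.pack("<I", imm)
    hits, i = [], data.find(pat)
    while i != -1:
        hits.append(i)
        i = data.find(pat, i + 1)
    return hits


def patch_cmp_eax(data, offsets, new_imm):
    """Rewrite only the imm32 at the chosen hits; the encoding stays 5 bytes, so nothing moves."""
    buf = bytearray(data)
    for off in offsets:
        if buf[off] != CMP_EAX_IMM32:
            raise ValueError(f"no cmp eax,imm32 at offset {off:#x}")
        buf[off + 1:off + 5] = struct.pack("<I", new_imm)
    return bytes(buf)


def build_suicide_bat(exe_path, bat_path):
    """Same shape as the captured batch file: retry del until the exe is gone, then delete itself.
    The text is only built here, never written to C: or executed."""
    return "\r\n".join([
        ":loop",
        f'if exist "{exe_path}" del "{exe_path}"',
        f'if exist "{exe_path}" goto loop',
        f'if not exist "{exe_path}" del "{bat_path}"',
    ]) + "\r\n"


def self_check(exe_path, limit=SIZE_LIMIT, bat_path=r"c:\autoexec1.bat"):
    """Return None when the size check passes, else the dropper text the failure path would run."""
    size = os.path.getsize(exe_path)   # stands in for the size routine at 00581E04
    if size_check_passes(size, limit):
        return None
    return build_suicide_bat(exe_path, bat_path)


def check_file_of_size(n, limit=SIZE_LIMIT):
    """Create a scratch file of n bytes, run the emulated check on it, and clean up."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"\0" * n)
        return self_check(path, limit)
    finally:
        os.remove(path)


# Constructed sample image: four `cmp eax,0FA000` occurrences behind NOP padding,
# mirroring the four hex-search hits (three real checks plus the UI check).
SAMPLE_IMAGE = b"".join(
    b"\x90" * 8 + bytes([CMP_EAX_IMM32]) + struct.pack("<I", SIZE_LIMIT) for _ in range(4)
)

if __name__ == "__main__":
    hits = find_cmp_eax(SAMPLE_IMAGE, SIZE_LIMIT)
    patched = patch_cmp_eax(SAMPLE_IMAGE, hits[:3], NEW_LIMIT)   # leave the 4th (UI) hit alone
    print("hits:", [hex(h) for h in hits], "patched:", [hex(h) for h in find_cmp_eax(patched, NEW_LIMIT)])
    print("limit 0FFFFFFF accepts oversized dump:", jle_taken(SIZE_LIMIT + 1, NEW_LIMIT))
    print("limit 0FFFFFFFF would reject it:", not jle_taken(SIZE_LIMIT + 1, 0xFFFFFFFF))
    print(check_file_of_size(SIZE_LIMIT + 1))
```

The retry loop in the batch text exists because the executable cannot be deleted while its process is still running; the loop keeps issuing `del` until the process has exited, then removes the batch file itself, which is why a copy has to be taken while the program is still suspended in the debugger.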
--------------------------------------------------------------------------------------------
[Chapter summary]
The author uses a self-check (a size comparison on the executable, present in three places) to detect whether the program has been tampered with. The harsh part is that when the integrity check fails (this is separate from the unpacking check), the program drops and runs a batch file, c:\autoexec1.bat, which deletes the program in the background to deter cracking. Worse, a dropper of this kind could just as easily touch system.ini or delete a system file at random; in this build, however, the captured batch file deletes only the patched executable and then itself. The check runs constantly, so finish the analysis before making any modifications!
One reminder: before the self-check has been removed from the unpacked program, do not modify any of its code, to avoid unnecessary accidents!
--------------------------------------------------------------------------------------------
Copyright (C) 2005 KuNgBiM[DFCG]
--------------------------------------------------------------------------------------------
UnPacked & Cracked By KuNgBiM[DFCG]
2005-08-01
23:09:18