【Cracked by】 落魄浪子
【Author's e-mail】 zxy223_szb@21cn.net
【Tools used】 FlyOD1.1 PeiD IRC1.6
【Platform】 Windows XP SP2
【Software】 PixHunter
【Download】 http://www.enova-soft.com
【Description】 《图片猎人》 (Pix Hunter) is a tool dedicated to searching for, downloading and managing images from the Internet. It keeps the advantages of download tools such as "FlashGet" and "NetAnts" (simple operation, fast downloads) and adds many features: smart search, image browsing, image management and so on. It is a dedicated image-download tool that combines the strengths of many similar programs and adds more functionality.
In short, Pix Hunter is like the perfect marriage of ACDSee and the download tool FlashGet.
【Packer】 Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks
【Note】 I'm just a newbie; I picked up a few insights and want to share them with everyone :)
--------------------------------------------------------------------------------
【Cracking process】
This packer beat me black and blue. I used to always unpack it with tools, but relying on tools forever is no way to go; one has to grow up, so I had to learn to unpack it by hand. I failed again and again, read many experts' articles along the way, and still couldn't solve it. Whenever I had time I analyzed it bit by bit, comparing against the experts' articles, and now I've finally beaten it. What a thrill!!!!
Back to the point. PEiD reports Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks, but FI reports Armadillo 2.5. Oh well, whichever version packed it, knowing it's Armadillo is enough. After this program runs there are two processes, which should be Armadillo's double-process mode.
Never mind that. Following the experts' articles, load it in OD and set Ollydbg to ignore all exceptions. Use the IsDebug 1.4 plugin to hide OD.

After loading, OD stops here:
00629379 PixHunte.<ModuleEntryPoint>   /$  55                   push ebp   
0062937A                               |.  8BEC                 mov ebp,esp
0062937C                               |.  6A FF                push -1
0062937E                               |.  68 78E26400          push PixHunte.0064E278
00629383                               |.  68 608D6200          push PixHunte.00628D60                        ;  SE handler installation
00629388                               |.  64:A1 00000000       mov eax,dword ptr fs:[0]
0062938E                               |.  50                   push eax
0062938F                               |.  64:8925 00000000     mov dword ptr fs:[0],esp
00629396                               |.  83EC 58              sub esp,58
00629399                               |.  53                   push ebx
0062939A                               |.  56                   push esi
0062939B                               |.  57                   push edi
0062939C                               |.  8965 E8              mov dword ptr ss:[ebp-18],esp
0062939F                               |.  FF15 4CB16400        call dword ptr ds:[<&KERNEL32.GetVersion>]    ;  kernel32.GetVersion
***********************************************************************************************
Set a breakpoint: BP OpenMutexA, then F9 to run
7C80EC1B kernel32.OpenMutexA             8BFF                   mov edi,edi      OD breaks here
7C80EC1D                                 55                     push ebp
7C80EC1E                                 8BEC                   mov ebp,esp
7C80EC20                                 51                     push ecx
7C80EC21                                 51                     push ecx
7C80EC22                                 837D 10 00             cmp dword ptr ss:[ebp+10],0
7C80EC26                                 56                     push esi
7C80EC27                                 0F84 7A500300          je kernel32.7C843CA7
7C80EC2D                                 64:A1 18000000         mov eax,dword ptr fs:[18]
7C80EC33                                 FF75 10                push dword ptr ss:[ebp+10]
7C80EC36                                 8DB0 F80B0000          lea esi,dword ptr ds:[eax+BF8]
7C80EC3C                                 8D45 F8                lea eax,dword ptr ss:[ebp-8]
7C80EC3F                                 50                     push eax
7C80EC40                                 FF15 8C10807C          call dword ptr ds:[<&ntdll.RtlInitAnsiString>>; ntdll.RtlInitAnsiString
After OD breaks, look at the stack:
0012F5B0   0061FDA6  /CALL 到 OpenMutexA 来自 PixHunte.0061FDA0
0012F5B4   001F0001  |Access = 1F0001
0012F5B8   00000000  |Inheritable = FALSE
0012F5BC   0012FBF0  \MutexName = "644::DA8D229493"      *重要等下有用
Ctrl+G定位到00401000处:
00401000                                 0000                   add byte ptr ds:[eax],al
00401002                                 0000                   add byte ptr ds:[eax],al
00401004                                 0000                   add byte ptr ds:[eax],al
00401006                                 0000                   add byte ptr ds:[eax],al
00401008                                 0000                   add byte ptr ds:[eax],al
0040100A                                 0000                   add byte ptr ds:[eax],al
0040100C                                 0000                   add byte ptr ds:[eax],al
0040100E                                 0000                   add byte ptr ds:[eax],al
All of the above is empty code. At 00401000 press Ctrl+E and paste the following code (borrowed from the experts, heh)
00401000                                 60                     pushad
00401001                                 9C                     pushfd
00401002                                 68 F0FB1200            push 12FBF0  *this is the value seen in the stack
00401007                                 33C0                   xor eax,eax
00401009                                 50                     push eax
0040100A                                 50                     push eax
0040100B                                 E8 2FDB407C            call kernel32.CreateMutexA
00401010                                 9D                     popfd
00401011                                 61                     popad
00401012                               - E9 04DC407C            jmp kernel32.OpenMutexA
Then right-click at 00401000, choose "New origin here" from the popup menu and confirm. Then F9 to run
7C80EC1B kernel32.OpenMutexA             8BFF                   mov edi,edi  after running it breaks here again, F2 to remove the breakpoint
7C80EC1D                                 55                     push ebp
7C80EC1E                                 8BEC                   mov ebp,esp
7C80EC20                                 51                     push ecx
7C80EC21                                 51                     push ecx
7C80EC22                                 837D 10 00             cmp dword ptr ss:[ebp+10],0
7C80EC26                                 56                     push esi
7C80EC27                                 0F84 7A500300          je kernel32.7C843CA7

Ctrl+G to 00401000 and undo the earlier modification. Then set a breakpoint: BP GetModuleHandleA, F9 to run

7C80B529 kernel32.GetModuleHandleA       8BFF                   mov edi,edi     OD breaks here, F2 to remove the breakpoint.
7C80B52B                                 55                     push ebp
7C80B52C                                 8BEC                   mov ebp,esp
7C80B52E                                 837D 08 00             cmp dword ptr ss:[ebp+8],0
7C80B532                                 74 18                  je short kernel32.7C80B54C    set a new breakpoint here with F2
7C80B534                                 FF75 08                push dword ptr ss:[ebp+8]
7C80B537                                 E8 682D0000            call kernel32.7C80E2A4
7C80B53C                                 85C0                   test eax,eax
7C80B53E                                 74 08                  je short kernel32.7C80B548
7C80B540                                 FF70 04                push dword ptr ds:[eax+4]
7C80B543                                 E8 F4300000            call kernel32.GetModuleHandleW
7C80B548                                 5D                     pop ebp
7C80B549                                 C2 0400                retn 4
F9 to run; after it breaks a few times, look at the data in the stack
-----------------------------------------------------------------------
0012ED48  |77F45BB0  返回到 SHLWAPI.77F45BB0 来自 kernel32.GetModuleHandleA
0012ED4C  |77F44FF4  ASCII "KERNEL32.DLL"
0012ED50  |00000001
0012ED54  |77F40000  SHLWAPI.77F40000

------------------------------------------------------------------------
0012EC88  |5D175394  返回到 COMCTL32.5D175394 来自 kernel32.GetModuleHandleA
0012EC8C  |5D1753E0  ASCII "kernel32.dll"
0012EC90  |5D1E2B38  COMCTL32.5D1E2B38

------------------------------------------------------------------------
0012F55C  |0061F073  返回到 PixHunte.0061F073 来自 kernel32.GetModuleHandleA    
0012F560  |00000000
0012F564  |7FFDFC00  UNICODE "HookSwitchHookEnabledEvent"

------------------------------------------------------------------------
0012C280  |00D15331  返回到 00D15331 来自 kernel32.GetModuleHandleA      *when the stack data looks like this, Ctrl+F9 to return
0012C284  |0012C3BC  ASCII "kernel32.dll"

------------------------------------------------------------------------

Remove the breakpoint; after returning we arrive here:

00D15331      8B0D 60D8D300          mov ecx,dword ptr ds:[D3D860]   stops here after returning
00D15337      89040E                 mov dword ptr ds:[esi+ecx],eax
00D1533A      A1 60D8D300            mov eax,dword ptr ds:[D3D860]
00D1533F      393C06                 cmp dword ptr ds:[esi+eax],edi
00D15342      75 16                  jnz short 00D1535A
00D15344      8D85 B4FEFFFF          lea eax,dword ptr ss:[ebp-14C]
00D1534A      50                     push eax
00D1534B      FF15 B850D300          call dword ptr ds:[D350B8]                    ; kernel32.LoadLibraryA
00D15351      8B0D 60D8D300          mov ecx,dword ptr ds:[D3D860]
00D15357      89040E                 mov dword ptr ds:[esi+ecx],eax
00D1535A      A1 60D8D300            mov eax,dword ptr ds:[D3D860]
00D1535F      393C06                 cmp dword ptr ds:[esi+eax],edi
00D15362      0F84 AD000000          je 00D15415   *this is the Magic Jump the experts talk about; change it to JMP 00D15415
00D15368      33C9                   xor ecx,ecx
00D1536A      8B03                   mov eax,dword ptr ds:[ebx]
00D1536C      3938                   cmp dword ptr ds:[eax],edi
00D1536E      74 06                  je short 00D15376
00D15370      41                     inc ecx
00D15371      83C0 0C                add eax,0C
00D15374    ^ EB F6                  jmp short 00D1536C
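Both the stub pasted at 00401000 and the Magic Jump patch depend on how x86 encodes relative branches: the displacement is measured from the address of the next instruction, so the same target needs a different displacement depending on where and how long the branch is. The following Python helper is an added example and not part of the original post; it decodes the rel32/rel8 branches from the listings above and rebuilds the `je 00D15415` -> `jmp 00D15415` patch the way OllyDbg assembles it (a 5-byte `jmp` padded with a NOP so the next instruction keeps its address). The function names and the opcode tables are mine; the addresses and byte strings are taken from the listings.

```python
import struct

# Opcode bytes for the branch forms that appear in the OllyDbg listings.
# Standard x86 encodings; the tables themselves are constructed for this example.
REL32 = {"call": b"\xE8", "jmp": b"\xE9", "je": b"\x0F\x84", "jnz": b"\x0F\x85"}
REL8 = {"jmp": b"\xEB", "je": b"\x74", "jnz": b"\x75"}


def decode_branch(address, code):
    """Decode a call/jmp/jcc located at `address` and return (mnemonic, target).

    The displacement is relative to the *next* instruction, which is why the
    listing shows 'E9 04DC407C' at 00401012 as a jmp to OpenMutexA (7C80EC1B).
    """
    for table, width, fmt in ((REL32, 4, "<i"), (REL8, 1, "<b")):
        for mnem, opc in table.items():
            if code[: len(opc)] == opc and len(code) >= len(opc) + width:
                disp = struct.unpack(fmt, code[len(opc) : len(opc) + width])[0]
                next_ip = address + len(opc) + width
                return mnem, (next_ip + disp) & 0xFFFFFFFF
    raise ValueError("not a supported rel8/rel32 branch: %s" % code.hex())


def encode_rel32(mnem, address, target):
    """Encode `mnem target` at `address` as a rel32 branch, i.e. what OllyDbg
    does when you assemble 'JMP 00D15415' on top of an existing instruction."""
    opc = REL32[mnem]
    next_ip = address + len(opc) + 4
    disp = (target - next_ip) & 0xFFFFFFFF  # two's complement for backward jumps
    return opc + struct.pack("<I", disp)


def patch_jcc_to_jmp(address, jcc_bytes):
    """Turn a 6-byte jcc rel32 into a 5-byte jmp rel32 to the same target.

    The shorter jmp is padded with NOP (0x90) so the following instruction
    keeps its address and no other displacement in the function is disturbed.
    """
    mnem, target = decode_branch(address, jcc_bytes)
    if mnem not in ("je", "jnz"):
        raise ValueError("expected a conditional branch, got %s" % mnem)
    new = encode_rel32("jmp", address, target)
    return new + b"\x90" * (len(jcc_bytes) - len(new))


if __name__ == "__main__":
    # Bytes and addresses from the listings: the stub at 00401000 and the
    # Magic Jump at 00D15362.
    print(decode_branch(0x0040100B, bytes.fromhex("E82FDB407C")))    # call kernel32.CreateMutexA
    print(decode_branch(0x00401012, bytes.fromhex("E904DC407C")))    # jmp kernel32.OpenMutexA
    print(decode_branch(0x00D15362, bytes.fromhex("0F84AD000000")))  # je 00D15415
    print(patch_jcc_to_jmp(0x00D15362, bytes.fromhex("0F84AD000000")).hex())
```

Decoding `E8 2FDB407C` at 0040100B gives 7C80EB3F, which on the author's XP SP2 kernel32 is the CreateMutexA address the listing labels; the patch for the Magic Jump comes out as `E9 AE000000 90`, one byte shorter in displacement than the original `je` because `jmp rel32` has a one-byte opcode.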

Set a breakpoint: BP GetCurrentThreadId, F9 to run.

7C809737 ke>  64:A1 18000000         mov eax,dword ptr fs:[18]         breaks here after running
7C80973D      8B40 24                mov eax,dword ptr ds:[eax+24]
7C809740      C3                     retn

Look at the data in the stack:
---------------------------------------------------------------
0012BB40   66001E3A  /CALL 到 GetCurrentThreadId 来自 66001E34
0012BB44   00000001
0012BB48   66001C1E  返回到 66001C1E 来自 66001DE6
0012BB4C   66001B64  返回到 66001B64 来自 66001B90
--------------------------------------------------------------
0012BB20   66003505  /CALL 到 GetCurrentThreadId 来自 660034FF
0012BB24   00000000
0012BB28   6610E470
0012BB2C   6610E4D8

---------------------------------------------------------------
After pressing F9 about 8 times, the stack shows:
0012F5A8   00D2CF2D  /CALL 到 GetCurrentThreadId 来自 00D2CF27
0012F5AC   0012FF2C
0012F5B0   00000000
---------------------------------------------------------------
Remove the breakpoint, Ctrl+F9 to return:

00D2CF2D      A3 F018D400            mov dword ptr ds:[D418F0],eax  ;returns here
00D2CF32      E8 2487FEFF            call 00D1565B
00D2CF37      6A 00                  push 0
00D2CF39      E8 4BD9FEFF            call 00D1A889
00D2CF3E      59                     pop ecx
00D2CF3F      E8 7D39FFFF            call 00D208C1
00D2CF44      8BF8                   mov edi,eax
00D2CF46      A1 E018D400            mov eax,dword ptr ds:[D418E0]
00D2CF4B      8B48 74                mov ecx,dword ptr ds:[eax+74]
00D2CF4E      3348 5C                xor ecx,dword ptr ds:[eax+5C]
00D2CF51      3308                   xor ecx,dword ptr ds:[eax]
00D2CF53      03F9                   add edi,ecx
00D2CF55      8B0E                   mov ecx,dword ptr ds:[esi]
00D2CF57      85C9                   test ecx,ecx
00D2CF59      75 2E                  jnz short 00D2CF89
00D2CF5B      8B78 5C                mov edi,dword ptr ds:[eax+5C]
00D2CF5E      E8 5E39FFFF            call 00D208C1
00D2CF63      8B0D E018D400          mov ecx,dword ptr ds:[D418E0]                 ; PixHunte.0064B258
00D2CF69      FF76 14                push dword ptr ds:[esi+14]
00D2CF6C      8B51 74                mov edx,dword ptr ds:[ecx+74]
00D2CF6F      FF76 10                push dword ptr ds:[esi+10]
00D2CF72      33D7                   xor edx,edi
00D2CF74      3311                   xor edx,dword ptr ds:[ecx]
00D2CF76      FF76 0C                push dword ptr ds:[esi+C]
00D2CF79      03C2                   add eax,edx
00D2CF7B      8B51 78                mov edx,dword ptr ds:[ecx+78]
00D2CF7E      3351 14                xor edx,dword ptr ds:[ecx+14]
00D2CF81      33D7                   xor edx,edi
00D2CF83      2BC2                   sub eax,edx
00D2CF85      FFD0                   call eax
00D2CF87      EB 25                  jmp short 00D2CFAE
00D2CF89      83F9 01                cmp ecx,1
00D2CF8C      75 22                  jnz short 00D2CFB0
00D2CF8E      FF76 04                push dword ptr ds:[esi+4]
00D2CF91      FF76 08                push dword ptr ds:[esi+8]
00D2CF94      6A 00                  push 0
00D2CF96      E8 2639FFFF            call 00D208C1
00D2CF9B      50                     push eax
00D2CF9C      A1 E018D400            mov eax,dword ptr ds:[D418E0]
00D2CFA1      8B48 78                mov ecx,dword ptr ds:[eax+78]
00D2CFA4      3348 5C                xor ecx,dword ptr ds:[eax+5C]
00D2CFA7      3348 14                xor ecx,dword ptr ds:[eax+14]
00D2CFAA      2BF9                   sub edi,ecx
00D2CFAC      FFD7                   call edi    the experts' articles say you can dump with F7 here, but when I did that it didn't work; F7 to step in
00D2CFAE      8BD8                   mov ebx,eax
00D2CFB0      5F                     pop edi
00D2CFB1      8BC3                   mov eax,ebx
00D2CFB3      5E                     pop esi
00D2CFB4      5B                     pop ebx
00D2CFB5      C3                     retn
*******************************************************************************
00618001      60                     pushad             we arrive here after stepping in; dumping here certainly won't work, this isn't the OEP, is it? heh, F8 step slowly
00618002      E8 03000000            call PixHunte.0061800A  F7 to step in; if you F8 the program just runs
00618007    - E9 EB045D45            jmp 45BE84F7   after stepping in we return here
0061800C      55                     push ebp
0061800D      C3                     retn   return
0061800E      E8 01000000            call PixHunte.00618014                   F7 to step in

**********************************************************************************
00618015      BB EDFFFFFF            mov ebx,-13        we arrive here after stepping in
0061801A      03DD                   add ebx,ebp
0061801C      81EB 00802100          sub ebx,218000
00618022      83BD 22040000 00       cmp dword ptr ss:[ebp+422],0
00618029      899D 22040000          mov dword ptr ss:[ebp+422],ebx
0061802F      0F85 65030000          jnz PixHunte.0061839A
00618035      8D85 2E040000          lea eax,dword ptr ss:[ebp+42E]
0061803B      50                     push eax
0061803C      FF95 4D0F0000          call dword ptr ss:[ebp+F4D]
----------------------code omitted------------------------------------
006180D9      FF95 4D050000          call dword ptr ss:[ebp+54D]                   ; kernel32.VirtualAlloc
006180DF      8985 52010000          mov dword ptr ss:[ebp+152],eax
----------------------code omitted------------------------------------
00618100      80FB 00                cmp bl,0
00618103      75 5E                  jnz short PixHunte.00618163
00618105      FE85 EC000000          inc byte ptr ss:[ebp+EC]
0061810B      8B3E                   mov edi,dword ptr ds:[esi]
0061810D      03BD 22040000          add edi,dword ptr ss:[ebp+422]
00618113      FF37                   push dword ptr ds:[edi]
00618115      C607 C3                mov byte ptr ds:[edi],0C3
00618118      FFD7                   call edi                       ; PixHunte.00401000         F7 to step in

00401000      C3                     retn         returns as soon as we step in
00401001      03BB B29911AA          add edi,dword ptr ds:[ebx+AA1199B2]
00401007      003447                 add byte ptr ds:[edi+eax*2],dh
0040100A      9C                     pushfd
0040100B      E7 9E                  out 9E,eax
0040100D      72 4F                  jb short PixHunte.0040105E
0040100F      24 38                  and al,38
00401011      1C E4                  sbb al,0E4
00401013      24 3D                  and al,3D
00401015      14 82                  adc al,82
-----------------------------------------------------------------------
0061811A      8F07                   pop dword ptr ds:[edi] we return here
0061811C      50                     push eax
0061811D      51                     push ecx
0061811E      56                     push esi
0061811F      53                     push ebx
----------------------code omitted------------------------------------
00618131     /78 2C                  js short PixHunte.0061815F
00618133     |AC                     lods byte ptr ds:[esi]
00618134     |3C E8                  cmp al,0E8
00618136     |74 0A                  je short PixHunte.00618142
00618138     |EB 00                  jmp short PixHunte.0061813A
0061813A     |3C E9                  cmp al,0E9
0061813C     |74 04                  je short PixHunte.00618142
0061813E     |43                     inc ebx
0061813F     |49                     dec ecx
00618140    ^|EB EB                  jmp short PixHunte.0061812D
00618142     |8B06                   mov eax,dword ptr ds:[esi]
00618144     |EB 00                  jmp short PixHunte.00618146
00618146     |803E 2A                cmp byte ptr ds:[esi],2A
00618149    ^|75 F3                  jnz short PixHunte.0061813E
0061814B     |24 00                  and al,0
0061814D     |C1C0 18                rol eax,18
00618150     |2BC3                   sub eax,ebx
00618152     |8906                   mov dword ptr ds:[esi],eax
00618154     |83C3 05                add ebx,5
00618157     |83C6 04                add esi,4
----------------------code omitted------------------------------------
00618373      57                     push edi
00618374      EB 4A                  jmp short PixHunte.006183C0
00618376      8907                   mov dword ptr ds:[edi],eax
00618378      8385 49050000 04       add dword ptr ss:[ebp+549],4
0061837F    ^ E9 32FFFFFF            jmp PixHunte.006182B6
00618384      8906                   mov dword ptr ds:[esi],eax
00618386      8946 0C                mov dword ptr ds:[esi+C],eax
00618389      8946 10                mov dword ptr ds:[esi+10],eax
0061838C      83C6 14                add esi,14
0061838F      8B95 22040000          mov edx,dword ptr ss:[ebp+422]
00618395    ^ E9 EBFEFFFF            jmp PixHunte.00618285
0061839A      B8 C88B1700            mov eax,178BC8
0061839F      50                     push eax
006183A0      0385 22040000          add eax,dword ptr ss:[ebp+422]
006183A6      59                     pop ecx
006183A7      0BC9                   or ecx,ecx
006183A9      8985 A8030000          mov dword ptr ss:[ebp+3A8],eax
006183AF      61                     popad                    when I saw this I laughed, heh, I believe you will too
006183B0      75 08                  jnz short PixHunte.006183BA     F2 to set a breakpoint, F9 to run, remove the breakpoint after it breaks
006183B2      B8 01000000            mov eax,1
006183B7      C2 0C00                retn 0C   return
006183BA      68 C88B5700            push PixHunte.00578BC8  this is the program's OEP
006183BF      C3                     retn      return

00578BC8      55                     push ebp   we arrive here after returning, heh, all red code; dump it here with LordPE. Repair it with IRC.
00578BC9      8BEC                   mov ebp,esp
00578BCB      83C4 F4                add esp,-0C
00578BCE      53                     push ebx
00578BCF      B8 28865700            mov eax,PixHunte.00578628
00578BD4      E8 57E7E8FF            call PixHunte.00407330
00578BD9      8B1D 88415800          mov ebx,dword ptr ds:[584188]                 ; PixHunte.005857D8
00578BDF      8B0B                   mov ecx,dword ptr ds:[ebx]
00578BE1      B2 01                  mov dl,1
--------------------------------------------------------------------------------
【Summary】
After dumping this program, repair it with IRC; all functions are valid. Run it: OK, unpacking succeeded. My thanks here to the experts for their articles.
--------------------------------------------------------------------------------
【Copyright】 This article is purely for technical exchange; when reposting, please credit the author and keep the article complete, thanks!

  • Title: Reply
  • Author: fly
  • Time: 2005-01-20 20:36

A bit of encouragement.
Looks like it should be Armadillo+AsPack.

  • Title: Reply
  • Author: csjwaman
  • Time: 2005-01-21 22:03

Let me post an OD script:

//////////////////////////////////////////////////////
// Pix Hunter v2.0 unpacking script by csjwaman[DFCG] //
//              January 21, 2005                    //
//////////////////////////////////////////////////////
var a
var base
msg "请设置忽略所有异常!"
dbh
gmi eip,MODULEBASE
mov base,$RESULT
gpa "OpenMutexA","kernel32"
bp $RESULT
run
exec
pushad
pushfd
push 12FBF0
xor eax,eax
push eax
push eax
call CreateMutexA
popfd
popad
jmp OpenMutexA
ende
bc eip
gpa "GetModuleHandleA","kernel32.dll"
bp $RESULT
run
bc eip
mov a,eip
add a,5
bp a
run
run
run
run
run
run
bc eip
rtu
sto
sto
sto
sto
sto
sto
sto
mov !zf,1
add base,179000
bprm  base,C000
run
bpmc
sub base,178000
bprm base,178000
run
bpmc
dpe "c:\dumped.exe",eip
msg "文件已经DUMP在C:\dumped.exe,现在请用ImportRECv142+修复IAT!"
ret