Unpacking Hide&Protect V1.016C: the Hide&Protect.exe main program plus a protected test sample
Download page: http://www.softwar-protect.com/download.html
Size: 1.65M
Description: Hide&Protect is built in as invisible protection of any Windows programs. How to prevent hacking? You can crypt your program, make complex registration codes, translate execution of your program in high virtual memory. But they remain very vulnerable to hackers. The best way is to stop reverse engineering. Above all you need to forbid the use of the hacker's tools: the debugger and the memory dumper. In first place comes the debugger. Without the use of a debugger, it's almost impossible to understand the logic of software and to make patches. Hide&Protect forbids the use of a debugger. In second place comes the memory dumper. A dumper is useful for the hacker if the program is compressed or encoded. Hide&Protect obstructs the full result of a memory dumper, which makes it inoperative. Moreover, Hide&Protect compresses and encrypts your application, and has a mechanism for monitoring your application.
[Author's note]: Purely out of interest, nothing more. Corrections from the experts are welcome wherever I have slipped up.
[Debugging environment]: WinXP, OllyDbg, PEiD, LordPE
—————————————————————————————————
[Unpacking process]:
Hide&Protect counts as a new packer, and a multi-process one,
but compared with Armadillo's CopyMem-II it is considerably weaker.
[Hide&Protect V1.0X-> SoftWar Company]
signature = 90 90 90 E9 D8
ep_only = true
—————————————————————————————————
I. Unpacking the Hide&Protect.exe main program
The Hide&Protect.exe main program runs as two processes; it is much weaker and simple to unpack.
Set OllyDbg to ignore all exceptions. Use the IsDebug plugin to clear OllyDbg's debugger flag.
————————————————————————
1. Turning the two processes into a single process
0054B000 90 nop
// OllyDbg pauses here on load
0054B001 90 nop
0054B002 90 nop
0054B003 E9 D8100000 jmp 0054C0E0
Set a breakpoint: BP GetCommandLineA
F9 to run; after it breaks twice, remove the breakpoint and Alt+F9 to return
0054C43C C705 DCD65500 F>mov dword ptr ds:[55D6DC],5580F1; ASCII "AZAAZZAA"
0054C446 E8 C5B80000 call 00557D10 ; <jmp.&KERNEL32.GetCommandLineA>
0054C44B 8945 F8 mov dword ptr ss:[ebp-8],eax
// returns here
0054C44E A1 DCD65500 mov eax,dword ptr ds:[55D6DC]
0054C453 50 push eax
0054C454 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0054C457 52 push edx
0054C458 E8 D3B90000 call 00557E30 ; <jmp.&KERNEL32.lstrcmpA>
0054C45D 85C0 test eax,eax
0054C45F 0F85 64050000 jnz 0054C9C9
// set the Z flag to 1 so this jump is not taken
0054CC5D E8 78B00000 call 00557CDA ; <jmp.&KERNEL32.CreateProcessA>
// if the jump were taken, a new process would be created here
————————————————————————
2. Dealing with the import table
Set a breakpoint: BP VirtualProtect
F9 to run; after it breaks, remove the breakpoint and Alt+F9 to return
0054C58B E8 82B80000 call 00557E12 ; <jmp.&KERNEL32.VirtualProtect>
0054C590 6A 40 push 40
// returns here
0054C592 68 00100000 push 1000
0054C597 68 00200000 push 2000
0054C59C 6A 00 push 0
0054C59E E8 63B80000 call 00557E06 ; <jmp.&KERNEL32.VirtualAlloc>
0054C5A3 8985 70FFFFFF mov dword ptr ss:[ebp-90],eax
0054C5A9 68 FA805500 push 5580FA ; ASCII "kernel32.dll"
0054C5AE E8 8DB70000 call 00557D40 ; <jmp.&KERNEL32.GetModuleHandleA>
0054C5B3 8985 78FFFFFF mov dword ptr ss:[ebp-88],eax
0054C5B9 68 07815500 push 558107 ; ASCII "user32.dll"
0054C5BE E8 7DB70000 call 00557D40 ; <jmp.&KERNEL32.GetModuleHandleA>
0054C5C3 8985 74FFFFFF mov dword ptr ss:[ebp-8C],eax
0054C5C9 8B55 EC mov edx,dword ptr ss:[ebp-14]
0054C5CC 8B0A mov ecx,dword ptr ds:[edx]
0054C5CE 034D C0 add ecx,dword ptr ss:[ebp-40]
0054C5D1 81C1 F0000000 add ecx,0F0
0054C5D7 33F6 xor esi,esi
0054C5D9 894D E8 mov dword ptr ss:[ebp-18],ecx
0054C5DC 8BCE mov ecx,esi
0054C5DE 8B45 E8 mov eax,dword ptr ss:[ebp-18]
0054C5E1 C1E1 02 shl ecx,2
0054C5E4 8B10 mov edx,dword ptr ds:[eax]
//[EAX]=[004002F0]=000C1000 ★ ImportTable RVA
0054C5E6 8D0C89 lea ecx,dword ptr ds:[ecx+ecx*4]
0054C5E9 03D1 add edx,ecx
0054C5EB 0355 C0 add edx,dword ptr ss:[ebp-40]
0054C5EE 83C2 0C add edx,0C
0054C5F1 8955 E0 mov dword ptr ss:[ebp-20],edx
0054C5F4 8B45 E0 mov eax,dword ptr ss:[ebp-20]
0054C5F7 8338 00 cmp dword ptr ds:[eax],0
0054C5FA 0F84 E4010000 je 0054C7E4
What follows is the import-table processing; once the ImportTable RVA has been obtained, run LordPE straight away to dump this process.
————————————————————————
3. OEP
Ctrl+F to search for the instruction: jmp dword ptr ss:[ebp-38]
It is found at 0054C9C1; set a breakpoint at 0054C9A2, the mov ecx,dword ptr ds:[edx] just above it
0054C991 8B4D EC mov ecx,dword ptr ss:[ebp-14]
0054C994 8B01 mov eax,dword ptr ds:[ecx]
0054C996 0345 C0 add eax,dword ptr ss:[ebp-40]
0054C999 83C0 4C add eax,4C
0054C99C 8945 E4 mov dword ptr ss:[ebp-1C],eax
0054C99F 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
0054C9A2 8B0A mov ecx,dword ptr ds:[edx]
//[EDX]=[0040024C]=00001410 ★ OEP RVA
0054C9A4 034D C0 add ecx,dword ptr ss:[ebp-40]
0054C9A7 894D C8 mov dword ptr ss:[ebp-38],ecx
0054C9AA 68 D4D65500 push 55D6D4
0054C9AF 6A 00 push 0
0054C9B1 6A 00 push 0
0054C9B3 68 28C45400 push 54C428
0054C9B8 6A 00 push 0
0054C9BA 6A 00 push 0
0054C9BC E8 1FB30000 call 00557CE0 ; <jmp.&KERNEL32.CreateThread>
0054C9C1 FF65 C8 jmp dword ptr ss:[ebp-38]; 00401410
// flying to the summit of light (the OEP)
00401410 EB 10 jmp short 00401422
//OEP ★ Borland C++ entry style
00401412 66:623A bound di,dword ptr ds:[edx]
00401415 43 inc ebx
00401416 2B2B sub ebp,dword ptr ds:[ebx]
00401418 48 dec eax
00401419 4F dec edi
0040141A 4F dec edi
0040141B 4B dec ebx
0040141C 90 nop
0040141D E9 98004B00 jmp 008B14BA
00401422 A1 8B004B00 mov eax,dword ptr ds:[4B008B]
00401427 C1E0 02 shl eax,2
0040142A A3 8F004B00 mov dword ptr ds:[4B008F],eax
0040142F 52 push edx
00401430 6A 00 push 0
00401432 E8 E5E10A00 call 004AF61C
Use LordPE to fix the dumped file's OEP RVA=00001410 and ImportTable RVA=000C1000, and it runs.
————————————————————————
4. Cracking
The cracking part is taken from the patch released by the nGen team.
00402B38 833D FC9E4B00 0>cmp dword ptr ds:[4B9EFC],0
// change to: cmp dword ptr ds:[4B9EFC],1   (check at startup)
00402B3F 75 7B jnz short 00402BBC
004047E9 833D FC9E4B00 0>cmp dword ptr ds:[4B9EFC],0
// change to: cmp dword ptr ds:[4B9EFC],1   (check when packing)
004047F0 8985 20FEFFFF mov dword ptr ss:[ebp-1E0],eax
004047F6 0F85 C6000000 jnz 004048C2
In fact this software does not impose many restrictions: On a non-registered copy, at each execution of a protected program, a non-protected copy is generated in parallel with the execution of the protected file.
—————————————————————————————————
II. Unpacking a three-process Notepad packed with Hide&Protect
Pack the Win98 Notepad with Hide&Protect and rename it Test.eXe. When run, three processes can be seen, and the processes check on one another; killing the first process logs the system off. For convenience, use SoftICE to unpack this one.
First look at Test.eXe's information with LordPE:
EntryPoint=0000D000、ImageBase=00400000、SizeOfImage=0007E000
Run Test.eXe and use LordPE to dump the third Notepad process directly. Analyse the dump with IDA for easier reading.
Start IceExt, first !Protect on, then set a breakpoint: BPX CreateProcessA
F5 back to Windows, then run the packed Test.eXe from above. It breaks twice at CreateProcessA; it is now about to create the third process, and Addr shows two Notepad processes. F12, and the third process is created. Note the new process's KTEB value 84D4D960, then Addr 84D4D960, BPX 40D000, F5, and it breaks at the third process's EP.
The packer has no junk instructions, so it is fairly easy to analyse with SoftICE together with IDA.
.idata:004159CF call sub_415A18
.idata:004159D4 push eax
.idata:004159D5 push ebx
.idata:004159D6 push 0
.idata:004159D8 push 0
.idata:004159DA call sub_41A3B8
.idata:004159DF push eax
.idata:004159E0 call dword ptr [esi+18h], 0040EAE0
// enter here
.idata:0040EAE0 push ebp
.idata:0040EAE1 mov ebp, esp
.idata:0040EAE3 add esp, 0FFFFFEFCh
.idata:0040EAE9 push ebx
.idata:0040EAEA push esi
.idata:0040EAEB push edi
.idata:0040EAEC call sub_41A382
.idata:0040EAF1 mov [ebp+var_B4], eax
.idata:0040EAF7 call sub_41A38E
.idata:0040EAFC mov [ebp+var_B8], eax
In between is the decoding; just step through it with F10. Does the code below look familiar? It is the same as the import-table handling in the main program.
.idata:0040ED60 push 40h
.idata:0040ED62 push 1000h
.idata:0040ED67 push 2000h
.idata:0040ED6C push 0
.idata:0040ED6E call sub_41A472 ; <jmp.&KERNEL32.VirtualAlloc>
.idata:0040ED73 mov [ebp+var_14], eax
.idata:0040ED76
.idata:0040ED76 loc_40ED76: ; CODE XREF: sub_40EAE0+27Ej
.idata:0040ED76 push offset dword_41B144 ; ASCII "kernel32.dll"
.idata:0040ED7B call sub_41A3B8 ; <jmp.&KERNEL32.GetModuleHandleA>
.idata:0040ED80 mov [ebp+var_74], eax
.idata:0040ED83 push offset dword_41B151 ; ASCII "user32.dll"
.idata:0040ED88 call sub_41A3B8 ; <jmp.&KERNEL32.GetModuleHandleA>
.idata:0040ED8D mov [ebp+var_78], eax
.idata:0040ED90 mov eax, [ebp+var_10]
.idata:0040ED93 add eax, 18h
.idata:0040ED96 mov [ebp+var_18], eax
.idata:0040ED99 mov edx, [ebp+var_B0]
.idata:0040ED9F mov eax, [ebp+var_18]
.idata:0040EDA2 mov ecx, [edx]
.idata:0040EDA4 xor [eax], ecx
.idata:0040EDA6 xor esi, esi
.idata:0040EDA8
.idata:0040EDA8 loc_40EDA8: ; CODE XREF: sub_40EAE0+479j
.idata:0040EDA8 mov ecx, esi
.idata:0040EDAA mov eax, [ebp+var_18]
.idata:0040EDAD shl ecx, 2
.idata:0040EDB0 mov edx, [eax]
//[EAX]=[0040D018]=00006000 ★ ImportTable RVA
Now BD * to disable all breakpoints, then dump this process.
I miss trw2000's PEDump.
.idata:0040EDB2 lea ecx, [ecx+ecx*4]
.idata:0040EDB5 add edx, ecx
.idata:0040EDB7 add edx, edi
.idata:0040EDB9 add edx, 0Ch
.idata:0040EDBC mov [ebp+var_34], edx
.idata:0040EDBF mov eax, [ebp+var_34]
.idata:0040EDC2 cmp dword ptr [eax], 0
.idata:0040EDC5 jz loc_40EF5E
// in between is the import-table processing; the packer does not encrypt the import table
.idata:0040EFC1 lea ecx, [ebp+var_9C]
.idata:0040EFC7 mov eax, [ebp+var_1C]
.idata:0040EFCA mov edx, [eax]
//[EAX]=[0040D01C]=000010CC ★ OEP RVA
.idata:0040EFCC add edx, edi
//EDX=000010CC+ImageBase=004010CC
.idata:0040EFCE mov [ebp+var_98], edx
.idata:0040EFD4 push ecx
.idata:0040EFD5 push 0
.idata:0040EFD7 push 0
.idata:0040EFD9 mov eax, [ebp+var_98]
.idata:0040EFDF push eax
//EAX=004010CC
.idata:0040EFE0 push 0
.idata:0040EFE2 push 0
.idata:0040EFE4 call sub_41A358; kernel32.CreateThread
// CreateThread with the OEP value 004010CC as lpStartAddress
.idata:0040EFE9 push 1388h
.idata:0040EFEE call sub_41A448; kernel32.Sleep
BPX 4010CC, then F5, and it breaks at the OEP.
Fix the dumped file's OEP RVA and ImportTable RVA and it is done.
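Both sections end with the same step: correcting AddressOfEntryPoint and the import-directory RVA in the dumped image, which the writeup does by hand in LordPE. As an added example, not part of the original writeup or of LordPE, the Python below reads those fields from a PE32 image, writes the recovered values, and refuses an RVA that lies outside SizeOfImage (a cheap sanity check against a mis-read value). The stub image is constructed in the code and only carries a header; the field offsets are the standard IMAGE_NT_HEADERS32 layout, and the EP 0000D000 / SizeOfImage 0007E000 / OEP 000010CC / import 00006000 values are the ones from section II.

```python
import struct

# Offsets relative to the start of IMAGE_NT_HEADERS32 (the "PE\0\0" signature).
OPT_HDR = 0x18                  # 4-byte signature + 20-byte IMAGE_FILE_HEADER
ENTRY_POINT = OPT_HDR + 0x10    # AddressOfEntryPoint
SIZE_OF_IMAGE = OPT_HDR + 0x38  # SizeOfImage
IMPORT_DIR = OPT_HDR + 0x68     # DataDirectory[1].VirtualAddress (import table)

def nt_header_offset(image: bytes) -> int:
    """Locate IMAGE_NT_HEADERS32, checking the MZ/PE signatures and the PE32 magic."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    if struct.unpack_from("<H", image, e_lfanew + OPT_HDR)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    return e_lfanew

def read_fields(image: bytes) -> dict:
    """Entry point, import-table RVA/size and SizeOfImage, as LordPE would display them."""
    nt = nt_header_offset(image)
    ep, = struct.unpack_from("<I", image, nt + ENTRY_POINT)
    size, = struct.unpack_from("<I", image, nt + SIZE_OF_IMAGE)
    imp_rva, imp_size = struct.unpack_from("<II", image, nt + IMPORT_DIR)
    return {"entry_point": ep, "import_rva": imp_rva,
            "import_size": imp_size, "size_of_image": size}

def fix_dump(image: bytes, oep_rva: int, import_rva: int) -> bytes:
    """Write the recovered OEP and import-table RVAs, refusing values outside the image."""
    buf = bytearray(image)
    nt = nt_header_offset(buf)
    size_of_image, = struct.unpack_from("<I", buf, nt + SIZE_OF_IMAGE)
    for name, rva in (("OEP", oep_rva), ("import table", import_rva)):
        if not 0 < rva < size_of_image:
            raise ValueError(f"{name} RVA {rva:#x} is outside SizeOfImage {size_of_image:#x}")
    struct.pack_into("<I", buf, nt + ENTRY_POINT, oep_rva)
    struct.pack_into("<I", buf, nt + IMPORT_DIR, import_rva)
    return bytes(buf)

def make_stub_image() -> bytes:
    """Constructed header-only stand-in for the dumped Test.eXe (not a real dump)."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                     # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + OPT_HDR, 0x10B)          # PE32 magic
    struct.pack_into("<I", buf, 0x80 + ENTRY_POINT, 0xD000)     # packer stub EP (page value)
    struct.pack_into("<I", buf, 0x80 + SIZE_OF_IMAGE, 0x7E000)  # SizeOfImage (page value)
    return bytes(buf)
```

For a real dump, pass the file contents to fix_dump with the OEP and ImportTable RVAs noted in the debugger and write the result back out; read_fields on the result confirms the header now matches what LordPE would show.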
————————————————————————————————
Youth lasts but a moment; gladly I trade fleeting fame for the carefree folly of unpacking.
UnPacKed By : fly
2005-05-25 21:00