【Title】: A few words on patching VA_X
【Author】: yangjt
【Author's email】: yangjietao123@163.com
【Author's QQ】: 325002492
【Software】: VA_X
【Packer】: Armadillo V5.00-V5.X Dll -> Silicon Realms Toolworks
【Platform】: Win XP sp3
【Author's note】: Just out of interest, nothing more. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Details】
Broadly speaking, patching methods fall into two kinds:
1. Patching directly (i.e. code injection; as far as I can tell this is an inline patch to the ArmAccess.DLL that Armadillo drops; I haven't fully understood it yet, so I won't go into it ^_^)
2. Patching after unpacking (slow going, though...)
Going by what the patch actually changes, there are three kinds. Taking VAX 10.5.1709.0 as the example, the entry point after loading looks like this (the packer's DllMain stub: [esp+8] is fdwReason, so the cmp tests for DLL_PROCESS_ATTACH and retn 0C pops the three DllMain arguments):
Code:
1F256C0A >/$ 837C24 08 01    cmp dword ptr [esp+8], 1       ; fdwReason == DLL_PROCESS_ATTACH?
1F256C0F |. 75 05            jnz short 1F256C16
1F256C11 |. E8 CA4A0000      call 1F25B6E0
1F256C16 |> FF7424 04        push dword ptr [esp+4]
1F256C1A |. 8B4C24 10        mov ecx, dword ptr [esp+10]
1F256C1E |. 8B5424 0C        mov edx, dword ptr [esp+C]
1F256C22 |. E8 EDFEFFFF      call 1F256B14
1F256C27 |. 59               pop ecx
1F256C28 \. C2 0C00          retn 0C
Code (just before the OEP; the jmp short hops over three junk bytes that are never executed, which is why the disassembler shows garbage there):
00CB865A /EB 03              jmp short 00CB865F
00CB865C |D6                 salc
00CB865D |D6                 salc
00CB865E |8F                 ???                            ; ????
00CB865F \8B15 8C4CD100      mov edx, dword ptr [D14C8C]
00CB8665 8995 B4FDFFFF       mov dword ptr [ebp-24C], edx
Then we arrive at the OEP. Dump, fix the imports, and then it's time to patch...
The first is CCDebuger's method. I believe the idea is to keep the registration-check routine from running at all and set eax to TRUE in its place.
First search for the string VAX:IDE Main Thread. Once found, scroll down and patch the spot shown below as follows:
Code:
1EDA8119 |. 68 00000100      push 10000                     ; UNICODE "=::=::\"
1EDA811E |. E8 4FB41900      call 1EF43572
1EDA8123 |. 83C4 08          add esp, 8
1EDA8126 |> E8 A5CAF7FF      call 1ED24BD0
1EDA812B |. 50               push eax
1EDA812C |. 8D4C24 1C        lea ecx, dword ptr [esp+1C]
1EDA8130 |. E8 7B68F6FF      call 1ED0E9B0
1EDA8135 |. 89BC24 CC0100>   mov dword ptr [esp+1CC], edi
1EDA813C |. E8 AF29FAFF      call 1ED4AAF0                  // change this to mov eax, 1 (B8 01 00 00 00: same 5 bytes as the call, so nothing else moves)
1EDA8141 |. 85C0             test eax, eax
1EDA8143 |. 0F84 71020000    je 1EDA83BA
Then treat this one the same way:
Code:
1ED82201 . 68 9C86FD1E       push 1EFD869C                  ; ASCII "VAX:ArmThread"
1ED82206 . 8BF1              mov esi, ecx
1ED82208 . E8 4304FAFF       call 1ED22650
1ED8220D . 83C4 04           add esp, 4
1ED82210 . E8 BB3A1000       call 1EE85CD0
1ED82215   85C0              test eax, eax                  // change this to inc eax (40); test eax, eax is two bytes, so pad the second byte with nop (90)
That completes the first method... save, dust yourself off and go.
The second is BRD's method. It is said to get past the hidden checks (暗桩); in practice it simply extends the trial period indefinitely.
For the specific steps, see my notes from tracing BRD's cracked file:
Code:
Find 1F02A5E8=1F02A5E8 (ASCII "Visual Assist X is loaded but dormant. You should uninstall the ",LF,"software or purchase a license if your trial has expired.")

1ED4EE4B |. E8 80111700      call 1EEBFFD0                  // step into this call and overwrite the start of the routine with 33 C0 40 C3
1ED4EE50 |. 83C4 04          add esp, 4
1ED4EE53 |. 85C0             test eax, eax
1ED4EE55 |. 75 2B            jnz short 1ED4EE82
1ED4EE57 |. 8B15 000A0F1F    mov edx, dword ptr [1F0F0A00]
1ED4EE5D |. 50               push eax                       ; /Style
1ED4EE5E |. 68 A44D021F      push 1F024DA4                  ; |Title = "Visual Assist X"
1ED4EE63 |. 68 E8A5021F      push 1F02A5E8                  ; |Text = "Visual Assist X is loaded but dormant. You should uninstall the ",LF,"software or purchase a license if your trial has expired."
1ED4EE68 |. 52               push edx                       ; |hOwner => NULL
1ED4EE69 |. FF15 143A021F    call dword ptr [<&user32.MessageBoxA>] ; \MessageBoxA

The patched routine then looks like this:

1EEBFFD0 33C0               xor eax, eax
1EEBFFD2 40                 inc eax
1EEBFFD3 C3                 retn
1EEBFFD4 ? 46               inc esi                        ; leftover byte of the original routine, never reached
...
1ED4EE93 |. 68 D8A5021F      push 1F02A5D8                  ; ASCII "CLOCKBACK"
1ED4EE98 |. 50               push eax
1ED4EE99 |. E8 42FAFFFF      call 1ED4E8E0
1ED4EE9E |. 83C4 08          add esp, 8
1ED4EEA1 |. C64424 50 15     mov byte ptr [esp+50], 15
1ED4EEA6 |. 8B08             mov ecx, dword ptr [eax]
1ED4EEA8 |. 8B71 F4          mov esi, dword ptr [ecx-C]
1ED4EEAB |. 885C24 50        mov byte ptr [esp+50], bl
1ED4EEAF |. 8D4C24 38        lea ecx, dword ptr [esp+38]
1ED4EEB3 |. E8 9828FBFF      call 1ED01750
1ED4EEB8 |. 85F6             test esi, esi
1ED4EEBA |. 74 29            je short 1ED4EEE5              // 74 -> EB (je -> jmp short)
1ED4EEBC |. 8B15 000A0F1F    mov edx, dword ptr [1F0F0A00]
1ED4EEC2 |. 52               push edx
1ED4EEC3 |. 6A 00            push 0
1ED4EEC5 |. 68 10A5021F      push 1F02A510                  ; ASCII "Visual Assist X is unable to start your trial. You may need to reboot your system. If the problem persists, contact us at http://www.wholetomato.com/support/contact.asp for assistance.",LF,LF,"Error: CBX-3"
...
1ED4EF10 |. /74 10           je short 1ED4EF22              // 74 -> EB
1ED4EF12 |. |8B15 000A0F1F   mov edx, dword ptr [1F0F0A00]
1ED4EF18 |. |52              push edx
1ED4EF19 |. |6A 00           push 0
1ED4EF1B |. |68 38A4021F     push 1F02A438                  ; ASCII "Visual Assist X is unable to start your trial. You may need to reboot your system. If the problem persists, contact us at http://www.wholetomato.com/support/contact.asp for assistance.",LF,LF,"Error: CFX-3"
1ED4EF20 |.^|EB A8           jmp short 1ED4EECA
1ED4EF22 |> \8D4424 38       lea eax, dword ptr [esp+38]
1ED4EF26 |. 68 70A6021F      push 1F02A670                  ; ASCII "EXPIRED"
...
1ED4EF4D |. /74 18           je short 1ED4EF67              // 74 -> EB
1ED4EF4F |. |8B15 000A0F1F   mov edx, dword ptr [1F0F0A00]
1ED4EF55 |. |52              push edx
1ED4EF56 |. |6A 00           push 0
1ED4EF58 |. |68 98A3021F     push 1F02A398                  ; ASCII "There is a problem with your license for Visual Assist X. Please contact us at http://www.wholetomato.com/support/contact.asp for assistance.",LF,"Error: CEX-3"
1ED4EF5D |.^|E9 68FFFFFF     jmp 1ED4EECA
1ED4EF62 |> |E8 199B0300     call 1ED88A80
1ED4EF67 |> \833D 14080F1F>  cmp dword ptr [1F0F0814], 0
1ED4EF6E |. 74 0D            je short 1ED4EF7D              // 74 -> EB
1ED4EF70 |. 68 78A3021F      push 1F02A378                  ; ASCII "InitInstance EdDll loaded"
Search for the string "Visual Assist X is loaded but dormant. You should uninstall the". Once found, go to the nearest call above it, step into it, and paste in these hex bytes:
Code:
33 C0 40 C3
Code:
1EEBFFD0 33C0               xor eax, eax
1EEBFFD2 40                 inc eax
1EEBFFD3 C3                 retn                           ; the routine now unconditionally returns 1
The last kind can be done with SetEnvironmentVariable instead,
because I found the following in the program: the trial state (DAYSLEFT, DAYSINSTALLED and friends) is read back out of environment variables, with GetEnvironmentVariableA resolved at run time through GetProcAddress rather than imported directly:
Code:
HMODULE __cdecl CheckByGetEnvironmentVariableA(int VariableName, int ValueAddress, int BufferSize)
{
    HMODULE result;       // eax@1
    int AddressofValue;   // edi@1
    HMODULE v5;           // esi@1
    int v6;               // esi@4

    AddressofValue = ValueAddress;
    *(_BYTE *)ValueAddress = 0;
    result = GetModuleHandleA("kernel32");
    v5 = result;
    if ( result )
    {
        result = GetProcAddress(result, "GetProcAddress");
        if ( result )
        {
            // resolve GetEnvironmentVariableA dynamically so it never shows up in the import table
            result = (HMODULE)((int (__stdcall *)(_DWORD, _DWORD))result)(v5, "GetEnvironmentVariableA");
            if ( result )
            {
                v6 = BufferSize;
                // GetEnvironmentVariableA(
                //     LPCTSTR lpName,     // address of environment variable name
                //     LPTSTR  lpBuffer,   // address of buffer for variable value
                //     DWORD   nSize)      // size of buffer, in characters
                result = (HMODULE)((int (__stdcall *)(_DWORD, _DWORD, _DWORD))result)(VariableName, AddressofValue, BufferSize - 1);
                // force a terminating NUL at the last byte of the caller's buffer
                *(_BYTE *)(AddressofValue + v6 - 1) = 0;
            }
        }
    }
    return result;
}
Code:
v13 = CheckEnvironment((int)&v32, (int)"DAYSLEFT");
LOBYTE(v31) = 1;
v14 = CheckEnvironment((int)&v33, (int)"DAYSINSTALLED");
LOBYTE(v31) = 2;
sub_1ED05190((int)&v30, (int)"TI: %s-%s", *(_DWORD *)v14);
LOBYTE(v31) = 1;
sub_1ED01790((int)&v33);
LOBYTE(v31) = 0;
sub_1ED01790((int)&v32);
sub_1ED89E10(a1, a2, v13, v30, 192, 0);
v15 = CheckEnvironment((int)&v32, (int)"DAYSINSTALLED");
LOBYTE(v31) = 3;
v16 = *(_DWORD *)(*(_DWORD *)v15 - 12) == 0;   // true when the DAYSINSTALLED value came back empty
LOBYTE(v31) = 0;
sub_1ED01790((int)&v32);
if ( v16 )
{
    MessageBoxA(dword_1F08AD00, "Error", "License", 0);
That is the third patching method... The first two modify code; this one means writing code of your own (calling SetEnvironmentVariable yourself). Compared side by side, the first two are of course the more convenient...
--------------------------------------------------------------------------------
【Summary】
Done, done...
Note: this article is for learning and exchange only...
--------------------------------------------------------------------------------
【Copyright notice】: When reposting, please credit the author and keep the article intact. Thanks!
2008-12-06 15:57:44