吉祥天 packer: manually unpacking Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
This post was last edited by wgz001 on 2009-3-29 08:13. 【Title】Manually unpacking Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
【Author】一杯凉茶
【Author's e-mail】lxk836@126.com
【Author's homepage】N/A
【Tools】PEiD 0.94 + OllyDbg + ArmInline 0.96 + LordPE + ImportREC + Enjoy
【Platform】Windows XP SP2 (pirated copy)
【Software name】..........
【Software size】..........
【Original download】...........
【Protection】Packer
【Software introduction】
【Disclaimer】This article is for research and study only; I accept no legal responsibility for any consequences arising from it. As for the shortcomings in this article, please everyone
【Procedure】1. Load the target in OD, ignore all exceptions, and hide OD with a plugin.
00946000 > 60 PUSHAD
00946001 E8 00000000 CALL FlyWoool.00946006
00946006 5D POP EBP
00946007 50 PUSH EAX
00946008 51 PUSH ECX
00946009 0FCA BSWAP EDX
0094600B F7D2 NOT EDX
0094600D 9C PUSHFD
0094600E F7D2 NOT EDX
00946010 0FCA BSWAP EDX
00946012 EB 0F JMP SHORT FlyWoool.00946023
00946014 B9 EB0FB8EB MOV ECX,EBB80FEB
00946019 07 POP ES ; segment-register junk instruction
0094601A B9 EB0F90EB MOV ECX,EB900FEB
0094601F 08FD OR CH,BH
++++++++++++++++++++++++++++++++++++++++
Set bp OpenMutexA, Shift+F9, and we land here:
0094F5C3 F0: PREFIX LOCK: ; superfluous prefix
0094F5C4 F0:C7 ??? ; unknown instruction
0094F5C6 C8 64678F ENTER 6764,8F
0094F5CA 06 PUSH ES
0094F5CB 0000 ADD BYTE PTR DS:,AL
0094F5CD 83C4 04 ADD ESP,4
0094F5D0 C3 RETN
0094F5D1 03C5 ADD EAX,EBP
0094F5D3 C3 RETN
0094F5D4 B9 EA7A0000 MOV ECX,7AEA
0094F5D9 C3 RETN
0094F5DA B8 661A0000 MOV EAX,1A66
0094F5DF C3 RETN
An exception is raised. Add the most recent exception to the ignore list by hand (Options > Exceptions), then Shift+F9 to here:
7C80EA1B > 8BFF MOV EDI,EDI
7C80EA1D 55 PUSH EBP
7C80EA1E 8BEC MOV EBP,ESP
7C80EA20 51 PUSH ECX
7C80EA21 51 PUSH ECX
7C80EA22 837D 10 00 CMP DWORD PTR SS:,0
7C80EA26 56 PUSH ESI
++++++++++++++++++++++++++++++++++++++++++++++++
Alt+F9 returns to here:
0091E735 85C0 TEST EAX,EAX
0091E737 74 04 JE SHORT FlyWoool.0091E73D
0091E739 C645 DC 00 MOV BYTE PTR SS:,0
0091E73D 8B45 DC MOV EAX,DWORD PTR SS:
0091E740 25 FF000000 AND EAX,0FF
0091E745 85C0 TEST EAX,EAX
Change 0091E737 74 04 JE SHORT FlyWoool.0091E73D to JNZ.
Shift+F9 to here:
7C80EA1B > 8BFF MOV EDI,EDI
7C80EA1D 55 PUSH EBP
7C80EA1E 8BEC MOV EBP,ESP
7C80EA20 51 PUSH ECX
7C80EA21 51 PUSH ECX
7C80EA22 837D 10 00 CMP DWORD PTR SS:,0
7C80EA26 56 PUSH ESI
Alt+F9 to here:
0091EB37 85C0 TEST EAX,EAX
0091EB39 0F85 7A020000 JNZ FlyWoool.0091EDB9
0091EB3F 6A 01 PUSH 1
0091EB41 FF15 88609500 CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; kernel32.GetCurrentThread
0091EB47 50 PUSH EAX
Change 0091EB39 0F85 7A020000 JNZ FlyWoool.0091EDB9 to JE.
Shift+F9 to here, then remove the breakpoint:
7C80EA1B > 8BFF MOV EDI,EDI
7C80EA1D 55 PUSH EBP
7C80EA1E 8BEC MOV EBP,ESP
7C80EA20 51 PUSH ECX
7C80EA21 51 PUSH ECX
7C80EA22 837D 10 00 CMP DWORD PTR SS:,0
7C80EA26 56 PUSH ESI
Up to this step is the method for turning the double-process (Debug-Blocker) mode into a single process.
++++++++++++++++++++++++++++++++++++++
Set a hardware breakpoint on execution (he) at GetModuleHandleA+5, then Shift+F9 repeatedly; check the stack on every hit.
First hit:
001394A4 /0013EBEC
001394A8 |01078091 return to 01078091 from kernel32.GetModuleHandleA
001394AC |0108CD04 ASCII "kernel32.dll"
001394B0 |0108E084 ASCII "VirtualAlloc"
Second hit:
001394A4 /0013EBEC
001394A8 |010780AE return to 010780AE from kernel32.GetModuleHandleA
001394AC |0108CD04 ASCII "kernel32.dll"
001394B0 |0108E078 ASCII "VirtualFree"
Third hit:
00139208 /001394A8
0013920C |010665FF return to 010665FF from kernel32.GetModuleHandleA
00139210 |0013935C ASCII "kernel32.dll"
This is the moment to return: the return address is now 010665FF and the module name is passed from a stack buffer, unlike the first two hits, which were the VirtualAlloc/VirtualFree lookups.
++++++++++++++++++++++++++++++++++++++++++==
Remove the breakpoint, Alt+F9 to here:
010665FF 8B0D 9C550901 MOV ECX,DWORD PTR DS:
01066605 89040E MOV DWORD PTR DS:,EAX
01066608 A1 9C550901 MOV EAX,DWORD PTR DS:
0106660D 391C06 CMP DWORD PTR DS:,EBX
01066610 75 2E JNZ SHORT 01066640
01066612 F647 04 02 TEST BYTE PTR DS:,2
01066616 74 12 JE SHORT 0106662A
01066618 B9 880F0901 MOV ECX,1090F88
0106661D E8 B86CFFFF CALL 0105D2DA
01066622 84C0 TEST AL,AL
01066624 0F84 53010000 JE 0106677D
0106662A 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:
01066630 50 PUSH EAX
01066631 FF15 E0710801 CALL DWORD PTR DS: ; kernel32.LoadLibraryA
01066637 8B0D 9C550901 MOV ECX,DWORD PTR DS:
0106663D 89040E MOV DWORD PTR DS:,EAX
01066640 A1 9C550901 MOV EAX,DWORD PTR DS:
01066645 391C06 CMP DWORD PTR DS:,EBX
01066648 0F84 2F010000 JE 0106677D ; this jump is the Magic Jump; change it to JMP
0106664E 33C9 XOR ECX,ECX
01066650 8B07 MOV EAX,DWORD PTR DS:
01066652 3918 CMP DWORD PTR DS:,EBX
01066654 74 06 JE SHORT 0106665C
01066656 41 INC ECX
01066657 83C0 0C ADD EAX,0C
0106665A ^ EB F6 JMP SHORT 01066652
0106665C 8BD9 MOV EBX,ECX
0106665E C1E3 02 SHL EBX,2
01066661 53 PUSH EBX
01066662 E8 D3020200 CALL 0108693A ; JMP to msvcrt.operator new
01066667 8B0D 94550901 MOV ECX,DWORD PTR DS:
0106666D 89040E MOV DWORD PTR DS:,EAX
01066670 53 PUSH EBX
01066671 E8 C4020200 CALL 0108693A ; JMP to msvcrt.operator new
01066676 59 POP ECX
01066677 59 POP ECX
01066678 8B0D 98550901 MOV ECX,DWORD PTR DS:
0106667E 89040E MOV DWORD PTR DS:,EAX
01066681 8B07 MOV EAX,DWORD PTR DS:
01066683 8985 ACFEFFFF MOV DWORD PTR SS:,EAX
01066689 8B00 MOV EAX,DWORD PTR DS:
0106668B 85C0 TEST EAX,EAX
0106668D 0F84 D4000000 JE 01066767
01066693 33FF XOR EDI,EDI
01066695 68 00010000 PUSH 100
0106669A 8D8D A8FDFFFF LEA ECX,DWORD PTR SS:
010666A0 51 PUSH ECX
010666A1 50 PUSH EAX
010666A2 E8 0CC0FEFF CALL 010526B3
010666A7 83C4 0C ADD ESP,0C
010666AA 8D85 A8FDFFFF LEA EAX,DWORD PTR SS:
010666B0 50 PUSH EAX
010666B1 A1 9C550901 MOV EAX,DWORD PTR DS:
010666B6 FF3406 PUSH DWORD PTR DS:
010666B9 FF15 C4720801 CALL DWORD PTR DS: ; kernel32.GetProcAddress
010666BF 8BD8 MOV EBX,EAX
010666C1 B9 880F0901 MOV ECX,1090F88
010666C6 E8 BF3A0000 CALL 0106A18A
010666CB 33D8 XOR EBX,EAX
010666CD A1 94550901 MOV EAX,DWORD PTR DS:
010666D2 8B0406 MOV EAX,DWORD PTR DS:
010666D5 891C38 MOV DWORD PTR DS:,EBX
010666D8 6A 01 PUSH 1
010666DA 8D85 A8FDFFFF LEA EAX,DWORD PTR SS:
010666E0 50 PUSH EAX
010666E1 A1 9C550901 MOV EAX,DWORD PTR DS:
010666E6 FF3406 PUSH DWORD PTR DS:
010666E9 E8 83050000 CALL 01066C71
010666EE 83C4 0C ADD ESP,0C
010666F1 8B0D 98550901 MOV ECX,DWORD PTR DS:
010666F7 8B0C0E MOV ECX,DWORD PTR DS:
010666FA 890439 MOV DWORD PTR DS:,EAX
010666FD A1 98550901 MOV EAX,DWORD PTR DS:
01066702 8B0406 MOV EAX,DWORD PTR DS:
01066705 833C38 00 CMP DWORD PTR DS:,0
01066709 75 25 JNZ SHORT 01066730
0106670B 6A 00 PUSH 0
0106670D 8D85 A8FDFFFF LEA EAX,DWORD PTR SS:
01066713 50 PUSH EAX
01066714 A1 9C550901 MOV EAX,DWORD PTR DS:
01066719 FF3406 PUSH DWORD PTR DS:
0106671C E8 50050000 CALL 01066C71
01066721 83C4 0C ADD ESP,0C
01066724 8B0D 98550901 MOV ECX,DWORD PTR DS:
0106672A 8B0C0E MOV ECX,DWORD PTR DS:
0106672D 890439 MOV DWORD PTR DS:,EAX
01066730 A1 98550901 MOV EAX,DWORD PTR DS:
01066735 8B0406 MOV EAX,DWORD PTR DS:
01066738 8D1C38 LEA EBX,DWORD PTR DS:
0106673B B9 880F0901 MOV ECX,1090F88
01066740 E8 453A0000 CALL 0106A18A
01066745 3103 XOR DWORD PTR DS:,EAX
01066747 8385 ACFEFFFF 0>ADD DWORD PTR SS:,0C
0106674E 83C7 04 ADD EDI,4
01066751 8B85 ACFEFFFF MOV EAX,DWORD PTR SS:
01066757 8B00 MOV EAX,DWORD PTR DS:
01066759 85C0 TEST EAX,EAX
0106675B ^ 0F85 34FFFFFF JNZ 01066695
01066761 8BBD 78FDFFFF MOV EDI,DWORD PTR SS:
01066767 A1 9C550901 MOV EAX,DWORD PTR DS:
0106676C 8D1C06 LEA EBX,DWORD PTR DS:
0106676F B9 880F0901 MOV ECX,1090F88
01066774 E8 FB390000 CALL 0106A174
01066779 3103 XOR DWORD PTR DS:,EAX
0106677B 33DB XOR EBX,EBX
0106677D 83C7 0C ADD EDI,0C
01066780 89BD 78FDFFFF MOV DWORD PTR SS:,EDI
01066786 83C6 04 ADD ESI,4
01066789 395F FC CMP DWORD PTR DS:,EBX
0106678C ^ 0F85 31FEFFFF JNZ 010665C3
01066792 EB 03 JMP SHORT 01066797
01066794 D6 SALC
01066795 D6 SALC
01066796 8F ??? ; unknown instruction
Set a hardware breakpoint on execution at 01066792 EB 03 JMP SHORT 01066797, then F9; it breaks there. Remove the hardware breakpoint and undo the modification at the Magic Jump (restore the original 0F84 2F010000).
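As an added worked example (not part of the original post and not the author's code): the three patches in this write-up are made by typing the new mnemonic into OllyDbg and letting it assemble, but it pays to know which bytes that actually writes, because the Magic Jump has to be restored by hand afterwards. The Python below flips JE/JNZ (the patches at 0091E737 and 0091EB39), turns the 6-byte near JE at 01066648 into a 5-byte JMP plus a NOP pad so the following XOR ECX,ECX is not clobbered, and keeps the original bytes so the patch can be undone. Addresses and opcode bytes are the ones shown in the listing; the memory buffer is constructed here from those bytes.

```python
"""
Byte-level view of the OllyDbg patches used while unpacking this Armadillo sample.
Example code added to this write-up; addresses/bytes are taken from the listing above.
"""
import struct


def flip_cond(code: bytes) -> bytes:
    """JE <-> JNZ. Short form is 74/75 rel8, near form is 0F 84 / 0F 85 rel32.
    Only the condition bit changes; the displacement stays the same."""
    if len(code) == 2 and code[0] in (0x74, 0x75):
        return bytes([code[0] ^ 1]) + code[1:]
    if len(code) == 6 and code[0] == 0x0F and code[1] in (0x84, 0x85):
        return bytes([0x0F, code[1] ^ 1]) + code[2:]
    raise ValueError("not a JE/JNZ encoding")


def jcc_target(addr: int, code: bytes) -> int:
    """Branch target of a short or near Jcc located at addr.
    The displacement is relative to the address of the *next* instruction."""
    if len(code) == 2:
        disp = struct.unpack("<b", code[1:2])[0]
    elif len(code) == 6:
        disp = struct.unpack("<i", code[2:6])[0]
    else:
        raise ValueError("unsupported Jcc length")
    return (addr + len(code) + disp) & 0xFFFFFFFF


def jcc_to_jmp(addr: int, code: bytes) -> bytes:
    """Rewrite a Jcc at addr as an unconditional JMP to the same target, keeping the
    same total length. Short: EB rel8 (same displacement). Near: E9 rel32 is only
    5 bytes, so rel32 is recomputed relative to addr+5 and a NOP fills the 6th byte."""
    target = jcc_target(addr, code)
    if len(code) == 2:
        return bytes([0xEB, code[1]])
    rel = (target - (addr + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel) + b"\x90"


def patch(mem: bytearray, base: int, addr: int, new: bytes) -> bytes:
    """Overwrite bytes at addr inside mem (which starts at base); return the old bytes
    so the caller can restore them later, as the procedure requires for the Magic Jump."""
    off = addr - base
    old = bytes(mem[off:off + len(new)])
    mem[off:off + len(new)] = new
    return old


MAGIC_JUMP = 0x01066648
MAGIC_JUMP_BYTES = bytes.fromhex("0F842F010000")       # JE 0106677D
# Constructed buffer: the Magic Jump followed by XOR ECX,ECX at 0106664E.
MEM = bytearray(MAGIC_JUMP_BYTES + bytes.fromhex("33C9"))


def magic_jump_round_trip():
    """Patch the Magic Jump to JMP, record the bytes written, then restore it.
    Returns (patched_bytes, restored_ok)."""
    mem = bytearray(MEM)
    saved = patch(mem, MAGIC_JUMP, MAGIC_JUMP, jcc_to_jmp(MAGIC_JUMP, MAGIC_JUMP_BYTES))
    patched = bytes(mem[:6])
    patch(mem, MAGIC_JUMP, MAGIC_JUMP, saved)
    return patched, bytes(mem) == bytes(MEM)


if __name__ == "__main__":
    print("0091E737 JE  -> JNZ:", flip_cond(bytes.fromhex("7404")).hex().upper())
    print("0091EB39 JNZ -> JE :", flip_cond(bytes.fromhex("0F857A020000")).hex().upper())
    print("01066648 JE  -> JMP:", magic_jump_round_trip()[0].hex().upper())
```

Note that the near JMP's rel32 (0x130) is one more than the JE's (0x12F): the JMP is one byte shorter, so the distance from its end to 0106677D grows by one. That is exactly what OllyDbg does for you when you assemble "JMP 0106677D" over the JE, and why a NOP appears after it.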
++++++++++++++++++++++++++++++++++++++++++++++++
Set bp GetCurrentThreadId, Shift+F9 to here:
7C809728 > 64:A1 18000000 MOV EAX,DWORD PTR FS:
7C80972E 8B40 24 MOV EAX,DWORD PTR DS:
7C809731 C3 RETN
Remove the breakpoint.
Step over with F8 all the way to here:
01080A88 8B65 E8 MOV ESP,DWORD PTR SS:
01080A8B 834D FC FF OR DWORD PTR SS:,FFFFFFFF
01080A8F 8B7D 08 MOV EDI,DWORD PTR SS:
01080A92 8B55 DC MOV EDX,DWORD PTR SS:
01080A95 A1 D4150901 MOV EAX,DWORD PTR DS:
01080A9A 3150 74 XOR DWORD PTR DS:,EDX
01080A9D A1 D4150901 MOV EAX,DWORD PTR DS:
01080AA2 3150 74 XOR DWORD PTR DS:,EDX
01080AA5 A1 D4150901 MOV EAX,DWORD PTR DS:
01080AAA 8B88 88000000 MOV ECX,DWORD PTR DS:
01080AB0 3348 70 XOR ECX,DWORD PTR DS:
01080AB3 3308 XOR ECX,DWORD PTR DS:
01080AB5 030D EC150901 ADD ECX,DWORD PTR DS: ; FlyWoool.00400000
01080ABB 8B17 MOV EDX,DWORD PTR DS:
01080ABD 85D2 TEST EDX,EDX
01080ABF 75 1B JNZ SHORT 01080ADC
01080AC1 FF77 18 PUSH DWORD PTR DS:
01080AC4 FF77 14 PUSH DWORD PTR DS:
01080AC7 FF77 10 PUSH DWORD PTR DS:
01080ACA 8B90 88000000 MOV EDX,DWORD PTR DS:
01080AD0 3350 24 XOR EDX,DWORD PTR DS:
01080AD3 3350 04 XOR EDX,DWORD PTR DS:
01080AD6 2BCA SUB ECX,EDX
01080AD8 FFD1 CALL ECX
01080ADA EB 20 JMP SHORT 01080AFC
01080ADC 83FA 01 CMP EDX,1
01080ADF 75 1E JNZ SHORT 01080AFF
01080AE1 FF77 04 PUSH DWORD PTR DS:
01080AE4 FF77 08 PUSH DWORD PTR DS:
01080AE7 6A 00 PUSH 0
01080AE9 FF77 0C PUSH DWORD PTR DS:
01080AEC 8B90 88000000 MOV EDX,DWORD PTR DS:
01080AF2 3350 24 XOR EDX,DWORD PTR DS:
01080AF5 3350 04 XOR EDX,DWORD PTR DS:
01080AF8 2BCA SUB ECX,EDX
01080AFA FFD1 CALL ECX ; F7 to step into this call and arrive at the OEP
++++++++++++++++++++++++++++++++++++++++++++++++++
Next, use ArmInline 0.96 to rejoin the spliced code; once the scrambled code is put back in order, dump with LordPE, fix the imports with ImportREC, and then fix the CC bytes with Enjoy.
Run the program, everything works. Finally done, heh.
------------------------------------------------------------------------
【Summary】Finding the Magic Jump and the right moment to return is the important part.
------------------------------------------------------------------------
【Copyright】Please credit the author when reposting and keep the article intact. Thanks!

Funny, I already reposted this in the video section, what do we need yours for? Haha.
Thanks for reposting.
Looks like I still have a lot to learn; right now reading this is like reading Greek.
May I ask which version this is, OP? Your 吉祥天 looks like a very old version, heh.
Learning!
Learned.
Bump! Thanks for sharing! Learned!
Is there a tutorial with a video attached?
It would be best to record a video for us newbies to learn from.