Unpacking Molebox ultra V4.1290 By cyto
More filler. See the product blurb:
Quote: MoleBox Ultra packs all application files into a single efficient executable file that works without extracting packed files to the hard drive and creating temporary files. MoleBox Ultra also applies a number of protection techniques to packed files, including anti-crack protection for EXE and dlls, resource protection, protection from modification for data files, and many more.
1. OEP:
This one is fairly easy to reach, so I'll skip the details.
Quote:
00401AE3 E8 BFF8FFFF call 004013A7 ; molebox.004013A7
003C0016 54 push esp
003C0017 6A 00 push 0
003C0019 E8 8E040000 call 003C04AC
003C001E 870424 xchg dword ptr ss:,eax ; molebox.004F18E0
...
003C0021 E8 90060000 call 003C06B6
003C0026 5F pop edi ; molebox.005E43AC
003C0027 5E pop esi ; molebox.005E43AC
003C0028 5E pop esi ; molebox.005E43AC
003C0029 89EC mov esp,ebp ; molebox.00401025
003C002B 5D pop ebp ; molebox.005E43AC
003C002C - FFE0 jmp eax ; molebox.004F18E0
OEP:
004F18E0 6A 74 push 74
004F18E2 68 D0E55600 push 56E5D0
004F18E7 E8 A4030000 call 004F1C90 ; molebox.004F1C90
004F18EC 33DB xor ebx,ebx ; molebox.005E43A8
2. IAT
Apart from the following entries, the whole table is valid:
004F1652 - FF25 90CC5100 jmp dword ptr ds:
004F1658 - FF25 A0CC5100 jmp dword ptr ds:
004F165E - FF25 94CC5100 jmp dword ptr ds:
004F1664 - FF25 98CC5100 jmp dword ptr ds:
004F166A - FF25 9CCC5100 jmp dword ptr ds:
Later analysis showed these are registration-related functions, presumably belonging to a bundled DLL.
3. Carving out the DLL:
The addresses of these functions point into the 0e00000 region.
Reload.
bp on the final retn of VirtualAlloc.
Once you see 00e00000 being allocated, set a memory-write breakpoint on it:
Quote:
00AD70F3 8A06 mov al,byte ptr ds:
00AD70F5 8807 mov byte ptr ds:,al ; stops here
00AD70F7 46 inc esi
00AD70F8 47 inc edi
00AD70F9 49 dec ecx
00AD70FA ^ 75 F7 jnz short 00AD70F3
Return:
Quote:
00AE3448 8B53 FC mov edx,dword ptr ds:
00AE344B 8B03 mov eax,dword ptr ds:
00AE344D 8B4B F8 mov ecx,dword ptr ds:
00AE3450 52 push edx
00AE3451 8B55 F4 mov edx,dword ptr ss:
00AE3454 03C7 add eax,edi
00AE3456 50 push eax
00AE3457 03CA add ecx,edx
00AE3459 51 push ecx
00AE345A E8 813CFFFF call 00AD70E0
00AE345F 8B45 F8 mov eax,dword ptr ss:
00AE3462 0FB756 06 movzx edx,word ptr ds:
00AE3466 83C4 0C add esp,0C
00AE3469 40 inc eax
00AE346A 83C3 28 add ebx,28
00AE346D 3BC2 cmp eax,edx
00AE346F 8945 F8 mov dword ptr ss:,eax
00AE3472 ^ 7C D4 jl short 00AE3448
00AE3474 8B5D F4 mov ebx,dword ptr ss: ; dump here
After dumping, fix the section headers so that Roffset = Voffset.
It is called masterli.dll. Why? Look at its contents and you'll see.
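The Roffset = Voffset fix done programmatically, as an added example that is not part of the original post: a memory dump is laid out by RVA, so every section's raw pointer and raw size are rewritten to its virtual address and size before the dump is saved. The sample image, its section name and values are constructed here, not taken from masterli.dll.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, 2 x pointers, 2 x counts, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)  # 40

def section_table(image):
    """Return (file offset of the first section header, number of sections)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    return coff + 20 + size_of_optional, num_sections

def sections(image):
    """List (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    off, n = section_table(image)
    rows = []
    for i in range(n):
        f = struct.unpack_from(SECTION_FMT, image, off + i * SECTION_SIZE)
        rows.append((f[0].rstrip(b"\0"), f[1], f[2], f[3], f[4]))
    return rows

def fix_dump(image):
    """Make raw offset/size equal virtual address/size for every section."""
    buf = bytearray(image)
    off, n = section_table(image)
    for i in range(n):
        pos = off + i * SECTION_SIZE
        f = list(struct.unpack_from(SECTION_FMT, buf, pos))
        f[3] = f[1]  # SizeOfRawData    := VirtualSize
        f[4] = f[2]  # PointerToRawData := VirtualAddress
        struct.pack_into(SECTION_FMT, buf, pos, *f)
    return bytes(buf)

def make_sample_dump():
    """Constructed PE32 image: one section whose raw pointer (0x400) is stale."""
    img = bytearray(0x1200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)              # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)         # i386, 1 section
    struct.pack_into("<H", img, 0x84 + 16, 0xE0)         # PE32 optional header size
    hdr = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    img[0x178:0x178 + SECTION_SIZE] = hdr                # 0x84 + 20 + 0xE0
    return bytes(img)
```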
4. Resolving the bundled DLL's functions:
Load the dumped main program and find some free space to write into:
005E2F40 6D 61 73 74 65 72 6C 69 2E 64 6C 6C 00 00 00 00 masterli.dll....
005E2FC0 68 402F5E00 push 5E2F40 ; ASCII "masterli.dll"
005E2FC5 E8 ADED217C call 7C801D77 ; kernel32.LoadLibraryA
Set a new EIP at 005E2FC0; once the DLL is loaded, the following call targets can be fixed:
004F1652 - FF25 90CC5100 jmp dword ptr ds: ; masterli.MasterLi_QueryHWID
004F1658 - FF25 A0CC5100 jmp dword ptr ds: ; masterli.MasterLi_Query
004F165E - FF25 94CC5100 jmp dword ptr ds: ; masterli.MasterLi_HasLicense
004F1664 - FF25 98CC5100 jmp dword ptr ds: ; masterli.MasterLi_RequsetLicense
004F166A - FF25 9CCC5100 jmp dword ptr ds: ; masterli.MasterLi_DeleteLicense
5. Every file, DLLs included, is bundled. Annoying.
Clicking About complains that data/about.htm is missing. Searching memory for the strings the original version shows gives:
Quote:
00B8C03D 60 37 00 00 00 00 00 C1 00 00 00 3C 43 45 4E 54 `7.....?..<CENT
00B8C04D 45 52 3E 0D 0A 3C 69 6D 67 20 73 72 63 3D 22 75 ER>..<img src="u
00B8C05D 6C 74 72 61 2E 70 6E 67 22 20 62 6F 72 64 65 72 ltra.png" border
00B8C06D 3D 30 3E 3C 62 72 3E 0D 0A 3C 66 6F 6E 74 20 73 =0><br>..<font s
Make an about.htm: select the needed bytes, copy and paste them, and save as about.htm.
The PNG it references can be found by searching for the PNG signature:
Quote:
00B98054 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 塒NG.......IHDR
00B98064 00 00 00 5C 00 00 00 5C 08 02 00 00 00 6C 8D 45 ...\...\...l岴
...
00B998C4 00 08 30 00 91 95 98 1A BB 83 3E 4A 00 00 00 00 .0.憰?粌>J....
00B998D4 49 45 4E 44 AE 42 60 82 6E 76 69 72 6F 6E 6D 65 IEND瓸`俷vironme
This is ultra.png. Copy and paste it the same way.
There is also activate.htm; for that one, click in the original version until the prompt box appears, then search memory and proceed the same way.
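Carving the embedded PNG out of a memory dump by its signature, as an added example that is not part of the original post: instead of locating the IEND bytes by eye, it walks the chunk structure from the 89 50 4E 47 signature and checks every chunk CRC, so a truncated or partially overwritten image is rejected rather than saved. The memory blob is constructed inline; the trailing "nvironment" bytes only mimic the dump above.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_length(blob, start):
    """Walk chunks after a signature at `start`; return the image length,
    or None if the stream is truncated or a chunk CRC does not match."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack_from(">I4s", blob, pos)
        end = pos + 12 + length           # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            return None                   # chunk runs past the dump
        crc = struct.unpack_from(">I", blob, end - 4)[0]
        if zlib.crc32(blob[pos + 4:end - 4]) != crc:
            return None                   # CRC covers type + data
        pos = end
        if ctype == b"IEND":
            return pos - start
    return None

def carve_pngs(blob):
    """Return every complete, CRC-valid PNG found in a memory blob."""
    found = []
    i = blob.find(PNG_SIG)
    while i != -1:
        n = png_length(blob, i)
        if n is None:                     # bad candidate: keep scanning past it
            i = blob.find(PNG_SIG, i + 1)
            continue
        found.append(blob[i:i + n])
        i = blob.find(PNG_SIG, i + n)
    return found

def chunk(ctype, data):
    """Build one PNG chunk (used only to construct the sample blob)."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def make_sample_blob():
    """Constructed 'memory' blob: unrelated bytes, a 1x1 RGB PNG, more bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter 0 + one red pixel
    png = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    return b"\x00" * 16 + b"Environme" + png + b"nvironment\x00" * 2
```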
6. Where the copies are moved:
All the bundled files are moved to where they are needed through here:
00AEF28C E8 8F110000 call 00AF0420
00AF0499 F3:A5 rep movs dword ptr es:,dword ptr ds:
...
00AF0522 F3:A5 rep movs dword ptr es:,dword ptr ds:
7. Menu: notfound
Comparing with the original, the notfound string shows up here:
Quote:
0040FD9D 6A 67 push 67
0040FD9F E8 17320000 call 00412FBB ; cyto.00412FBB
0040FDA4 8945 B4 mov dword ptr ss:,eax ; here,eax
Step into call 00412FBB and take a look:
00412FF3 68 20B85300 push 53B820 ; ASCII "data/.messages"
So it opens this file and looks up the matching string to display; if nothing is found you get notfound:
Quote:
0041319E 3BC6 cmp eax,esi
004131A0 74 04 je short 004131A6 ; cyto.004131A6
004131A2 8B00 mov eax,dword ptr ds:
004131A4 EB 05 jmp short 004131AB ; cyto.004131AB
004131A6 B8 F8B75300 mov eax,53B7F8 ; UNICODE "~~~notfound~~~~"
The .messages file has to be reconstructed.
Reload, reach the OEP, put a breakpoint at the move location 00AF0499, and F9 until it stops:
ecx=000003A6 (decimal 934.)
ds:==0D373431
es:==1D740117
Carve out these bytes, paste them into WinHex, and save as .messages. Done.
Quote:
00D00040 01 10 08 00 84 01 08 01 31 34 37 0D 0A 31 3A 50 .?147..1:P
00D00050 61 63 6B 61 67 65 20 4F 70 74 69 6F 6E 73 0D 0A ackage Options..
00D00060 32 3A 50 61 63 6B 61 67 65 20 70 72 6F 63 65 73 2:Package proces
00D00070 73 69 6E 67 20 70 61 72 61 6D 65 74 65 72 73 0D sing parameters.
00D00080 0A 33 3A 4F 75 74 70 75 74 20 66 69 6C 65 0D 0A .3:Output file..
...
00D00EB0 5C 6E 44 69 73 63 61 72 64 3F 5C 6E 0D 0A 31 34\nDiscard?\n..14
00D00EC0 36 3A 44 69 73 63 61 72 64 20 70 61 63 6B 61 676:Discard packag
00D00ED0 65 20 63 6F 6E 66 69 67 75 72 61 74 69 6F 6E 0De configuration.
00D00EE0 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................
8. Done by hand.
Dropping by to say hi.
Bookmarked, will digest it slowly :)
Dropping by to say hi.
cyto posted on 2009-5-18 22:04
If you don't post it yourself, a repost doesn't get Essence~
We're not short of money, ^_^
Downloaded and bookmarked the unpacking tutorial!
Thanks!