[Script + section patching] ASProtect 2.1x SKE - Folder Protection 2006 (文件夹保护)
ASProtect 2.1x SKE: after running the script on this shell my repair success rate was basically zero. I found that many friends on the forum are like me, stuck in the awkward position of wanting to succeed yet failing over and over....
I found this article and did not dare keep it to myself, so I post it here for everyone to learn from a predecessor's experience.
After studying the articles by SYSCOM and machenglin, after n days and n hands-on attempts, I finally defeated one ASProtect shell with the section-patching method. I post it as a reference for people as green as I am.
Posting pictures is troublesome, so I upload attachments instead.
On 8.15, on a whim, I recovered the code of this program; the record follows:
Folder Protection 2006 2.10 (文件夹保护 2006 2.10)
ASProtect 2.1x SKE -> Alexey Solodovnikov
Version: ASProtect 2.11 SKE build 03.13 Release
Microsoft Visual C++ 7.0 Method2
The folder is inconvenient to open after installation, so the path is copied here for later use:
E:\Program Files\文件夹保护 2006\fp.exe
1. OEP + DUMP + IAT:
Volx's script repairs the IAT and reports "Stolen code After API" (saved in SCafAPI.bin), then stops at the fake OEP:
017002EC  6A 74            push 74                    ; 0040E8BD
017002EE  F2:              prefix repne:
017002EF  EB 01            jmp short 017002F2
0040E8BD  E9 2A1A2F01      jmp 017002EC               ; the real OEP
The OEP is stolen. Open LordPE, select the process, dump it and save the result as dump.exe.
Ctrl+G to 401000, then Ctrl+B to search for the bytes FF25:
0040E052  FF25 6C404D00    jmp dword ptr ds:[4D406C]  ; crtool.CCRTools::Init
0040E058  FF25 C4464D00    jmp dword ptr ds:[4D46C4]  ; <jmp.&MSVCR71.free>
0040E05E  FF25 BC464D00    jmp dword ptr ds:[4D46BC]  ; MFC71.7C1CAE35
In the data window: dd 4D46C4, then scroll up and down to find the ends of the table:
004D4000  796D1E76  ADVAPI32.RegCloseKey
004D4004  796D6315  ADVAPI32.RegSetValueA
004D4008  796D33CB  ADVAPI32.RegSetValueExA
...
004D52C0  00000000
004D52C4  77A344BA  OLE32.CoInitialize
004D52C8  77A3435E  OLE32.CoUninitialize
004D52CC  00000000
RVA=000D4000, Size=12CC
Open ImportREC, select the process, enter the RVA and Size, and Get Imports: all entries are valid. Set OEP=0000E052 and Fix Dump.
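The Ctrl+B search above locates the IAT by hand: every FF25 thunk carries the absolute address of one IAT slot, and the lowest and highest slot addresses give the RVA and Size that ImportREC needs. The script below automates that step over a raw dump. It is an added example and not part of the original post or of Volx's script; the image base, the 0x1000 clustering gap, and the sample byte string (a few thunks plus one stray FF25 that points into another module) are constructed assumptions for demonstration.

```python
import struct
from typing import List, Tuple

# Assumed image base of the dumped module (fp.exe in the post loads at 00400000).
IMAGE_BASE = 0x00400000


def _thunk(target: int) -> bytes:
    """Build an FF25 disp32 thunk: jmp dword ptr [target]."""
    return b"\xff\x25" + struct.pack("<I", target)


# Constructed sample image: thunks into a 4D4000..4D52C8 table, padding bytes,
# and one stray FF25 whose target lies far outside the table and must be ignored.
SAMPLE_IMAGE = (
    b"\x90" * 16
    + _thunk(0x004D406C) + _thunk(0x004D46C4) + _thunk(0x004D46BC)
    + b"\xcc" * 8
    + _thunk(0x004D4000) + _thunk(0x004D52C8)
    + b"\x90" * 4
    + _thunk(0x7C8014A0)          # stray: not an IAT slot of this module
)


def find_thunk_targets(image: bytes) -> List[int]:
    """Return the absolute slot address referenced by every FF25 disp32 in the image."""
    targets = []
    pos = image.find(b"\xff\x25")
    while pos != -1:
        if pos + 6 <= len(image):
            targets.append(struct.unpack_from("<I", image, pos + 2)[0])
        pos = image.find(b"\xff\x25", pos + 1)
    return targets


def iat_bounds(targets: List[int], base: int, max_gap: int = 0x1000) -> Tuple[int, int]:
    """Pick the largest cluster of slot addresses and return (RVA, Size) for ImportREC.

    Consecutive slots further apart than max_gap (assumed 0x1000) start a new cluster,
    which drops stray references that merely look like thunks. Size covers the last
    4-byte slot; the terminating null dword after it is not counted.
    """
    if not targets:
        raise ValueError("no FF25 thunks found")
    slots = sorted(set(targets))
    best, current = [], [slots[0]]
    for prev, nxt in zip(slots, slots[1:]):
        if nxt - prev <= max_gap:
            current.append(nxt)
        else:
            if len(current) > len(best):
                best = current
            current = [nxt]
    if len(current) > len(best):
        best = current
    rva = best[0] - base
    size = best[-1] + 4 - best[0]
    return rva, size


def locate_iat(image: bytes, base: int = IMAGE_BASE) -> Tuple[int, int]:
    """Convenience wrapper: scan the image and return (RVA, Size)."""
    return iat_bounds(find_thunk_targets(image), base)


if __name__ == "__main__":
    rva, size = locate_iat(SAMPLE_IMAGE)
    print(f"RVA={rva:08X} Size={size:X}")
```

On the constructed sample the cluster runs from 4D4000 to 4D52C8, so the script reports RVA=000D4000 and Size=12CC, the same pair the post enters into ImportREC. On a real dump, feed the dumped file's raw bytes instead of SAMPLE_IMAGE; if the clustering returns a table far smaller than the number of thunks, lower or raise max_gap and inspect the outliers in the data window before trusting it.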
2. Analysis of the mutated jumps and mutated calls:
01700461  68 690C7001      push dumped_1.01700C69     ; mutated call
01700466  E8 95FB0700      call dumped_1.01780000     ; enter the first layer
First layer: keep stepping with F7 until the first call
01780157  EB 01            jmp short dumped_1.0178015A
0178015A  FFD3             call ebx                   ; enter the second layer
0178015C  FF7424 04        push dword ptr ss:[esp+4]
01780160  EB 02            jmp short dumped_1.01780164
Second layer: after the Route Check we arrive at the loop
014D8A87  8B45 F8          mov eax,dword ptr ss:[ebp-8]
014D8A8A  0FB600           movzx eax,byte ptr ds:[eax]
014D8A8D  8B5483 40        mov edx,dword ptr ds:[ebx+eax*4+40]
014D8A91  8BC6             mov eax,esi
014D8A93  FFD2             call edx
014D8A95  3B45 FC          cmp eax,dword ptr ss:[ebp-4]
014D8A98  75 1A            jnz short dumped_1.014D8AB4
014D8A9A  8B45 10          mov eax,dword ptr ss:[ebp+10]
014D8A9D  50               push eax
014D8A9E  8B45 14          mov eax,dword ptr ss:[ebp+14]
014D8AA1  50               push eax
014D8AA2  E8 19FAFFFF      call dumped_1.014D84C0
014D8AA7  50               push eax
014D8AA8  8BCE             mov ecx,esi
014D8AAA  8B55 18          mov edx,dword ptr ss:[ebp+18]
014D8AAD  8BC3             mov eax,ebx
014D8AAF  E8 D4FDFFFF      call dumped_1.014D8888     ; enter the third layer
014D8AB4  4F               dec edi
014D8AB5  0373 6C          add esi,dword ptr ds:[ebx+6C]
014D8AB8  85FF             test edi,edi
014D8ABA  77 CB            ja short dumped_1.014D8A87
Third layer: classification of the mutation types
014D88D8  FFD2             call edx
014D88DA  2C 02            sub al,2                   ; note the value of al
014D88DC  72 12            jb short dumped_1.014D88F0
014D88DE  74 3D            je short dumped_1.014D891D
014D88E0  FEC8             dec al
014D88E2  0F84 82000000    je dumped_1.014D896A
014D88E8  E9 DA000000      jmp dumped_1.014D89C7
...
014D89E5  FF75 0C          push dword ptr ss:[ebp+C]
014D89E8  8B45 F8          mov eax,dword ptr ss:[ebp-8] ; dumped_1.01510E28
014D89EB  FF60 20          jmp dword ptr ds:[eax+20]  ; follow into the fourth layer
014D89EE  EB 01            jmp short dumped_1.014D89F1
014D89F0  9A 5F5E5B8B E55D call far 5DE5:8B5B5E5F
014D89F7  C2 0C00          retn 0C
014D89FA  8BC0             mov eax,eax
Fourth layer: points to the final address
017900AD  FF6424 FC        jmp dword ptr ss:[esp-4]   ; dumped_1.01700A9B
If the final address is not code, then there is still stolen code inside the call.
3. Recovering the stolen OEP:
0040E8BD  6A 74            push 74
0040E8BF  68 20894D00      push cyto-wj.004D8920
0040E8C4  E8 F3010000      call cyto-wj.0040EABC      ; (1)
0040E8C9  33DB             xor ebx,ebx
0040E8CB  895D E0          mov dword ptr ss:[ebp-20],ebx
0040E8CE  53               push ebx
0040E8CF  8B3D AC414D00    mov edi,dword ptr ds:[<&kernel32.GetModuleHandleA>]
0040E8D5  FFD7             call edi
0040E8D7  66:8138 4D5A     cmp word ptr ds:[eax],5A4D
0040E8DC  75 1F            jnz short cyto-wj.0040E8FD
0040E8DE  8B48 3C          mov ecx,dword ptr ds:[eax+3C]
0040E8E1  03C8             add ecx,eax
0040E8E3  8139 50450000    cmp dword ptr ds:[ecx],4550
0040E8E9  75 12            jnz short cyto-wj.0040E8FD
0040E8EB  0FB741 18        movzx eax,word ptr ds:[ecx+18]
0040E8EF  3D 0B010000      cmp eax,10B
0040E8F4  74 1F            je short cyto-wj.0040E915
0040E8F6  3D 0B020000      cmp eax,20B
0040E8FB  74 05            je short cyto-wj.0040E902
0040E8FD  895D E4          mov dword ptr ss:[ebp-1C],ebx
0040E900  EB 27            jmp short cyto-wj.0040E929
0040E902  83B9 84000000 0E cmp dword ptr ds:[ecx+84],0E
0040E909  76 F2            jbe short cyto-wj.0040E8FD
0040E90B  33C0             xor eax,eax
0040E90D  3999 F8000000    cmp dword ptr ds:[ecx+F8],ebx
0040E913  EB 0E            jmp short cyto-wj.0040E923
0040E915  8379 74 0E       cmp dword ptr ds:[ecx+74],0E
0040E919  76 E2            jbe short cyto-wj.0040E8FD
0040E91B  33C0             xor eax,eax
0040E91D  3999 E8000000    cmp dword ptr ds:[ecx+E8],ebx
0040E923  0F95C0           setne al
0040E926  8945 E4          mov dword ptr ss:[ebp-1C],eax
0040E929  895D FC          mov dword ptr ss:[ebp-4],ebx
0040E92C  6A 02            push 2
0040E92E  FF15 D04E4D00    call dword ptr ds:[<&msvcr71.__set_app_type>]
0040E934  59               pop ecx
0040E935  830D 1CE34F00 FF or dword ptr ds:[4FE31C],FFFFFFFF
0040E93C  830D 20E34F00 FF or dword ptr ds:[4FE320],FFFFFFFF
0040E943  FF15 D44E4D00    call dword ptr ds:[<&msvcr71.__p__fmode>]
0040E949  8B0D BCCD4F00    mov ecx,dword ptr ds:[4FCDBC]
0040E94F  8908             mov dword ptr ds:[eax],ecx
0040E951  FF15 D84E4D00    call dword ptr ds:[<&msvcr71.__p__commode>]
0040E957  8B0D B8CD4F00    mov ecx,dword ptr ds:[4FCDB8]
0040E95D  8908             mov dword ptr ds:[eax],ecx
0040E95F  A1 DC4E4D00      mov eax,dword ptr ds:[<&msvcr71._adjust_fdiv>]
0040E964  8B00             mov eax,dword ptr ds:[eax]
0040E966  A3 18E34F00      mov dword ptr ds:[4FE318],eax
0040E96B  E8 4A020000      call cyto-wj.0040EBBA      ; (2)
0040E970  E8 E5020000      call cyto-wj.0040EC5A
0040E975  391D B0C34F00    cmp dword ptr ds:[4FC3B0],ebx
0040E97B  75 0C            jnz short cyto-wj.0040E989
0040E97D  68 5AEC4000      push cyto-wj.0040EC5A
0040E982  FF15 E04E4D00    call dword ptr ds:[<&msvcr71.__setusermatherr>]
0040E988  59               pop ecx
0040E989  E8 BA020000      call cyto-wj.0040EC48      ; (3)
0040E98E  68 E0C24F00      push cyto-wj.004FC2E0
0040E993  68 DCC24F00      push cyto-wj.004FC2DC
0040E998  E8 A5020000      call <jmp.&msvcr71._initterm>
0040E99D  68 FEEB4000      push cyto-wj.0040EBFE
0040E9A2  E8 87FDFFFF      call cyto-wj.0040E72E      ; (4)
0040E9A7  A1 B4CD4F00      mov eax,dword ptr ds:[4FCDB4]
0040E9AC  8945 D8          mov dword ptr ss:[ebp-28],eax
0040E9AF  8D45 D8          lea eax,dword ptr ss:[ebp-28]
0040E9B2  50               push eax
0040E9B3  FF35 B0CD4F00    push dword ptr ds:[4FCDB0]
0040E9B9  8D45 D0          lea eax,dword ptr ss:[ebp-30]
0040E9BC  50               push eax
0040E9BD  8D45 CC          lea eax,dword ptr ss:[ebp-34]
0040E9C0  50               push eax
0040E9C1  8D45 C8          lea eax,dword ptr ss:[ebp-38]
0040E9C4  50               push eax
0040E9C5  FF15 404F4D00    call dword ptr ds:[<&msvcr71.__getmainargs>]
0040E9CB  83C4 20          add esp,20
0040E9CE  8945 C4          mov dword ptr ss:[ebp-3C],eax
0040E9D1  3BC3             cmp eax,ebx
0040E9D3  7D 08            jge short cyto-wj.0040E9DD
0040E9D5  6A 08            push 8
0040E9D7  E8 D8010000      call <jmp.&msvcr71._amsg_exit>
0040E9DC  59               pop ecx
0040E9DD  68 D8C24F00      push cyto-wj.004FC2D8
0040E9E2  68 00C04F00      push cyto-wj.004FC000
0040E9E7  E8 56020000      call <jmp.&msvcr71._initterm>
0040E9EC  59               pop ecx
0040E9ED  59               pop ecx
0040E9EE  A1 484F4D00      mov eax,dword ptr ds:[<&msvcr71._acmdln>]
0040E9F3  8B30             mov esi,dword ptr ds:[eax]
0040E9F5  8975 DC          mov dword ptr ss:[ebp-24],esi
0040E9F8  8A06             mov al,byte ptr ds:[esi]
0040E9FA  3C 20            cmp al,20
0040E9FC  77 5D            ja short cyto-wj.0040EA5B
0040E9FE  3AC3             cmp al,bl
0040EA00  74 05            je short cyto-wj.0040EA07
0040EA02  395D E0          cmp dword ptr ss:[ebp-20],ebx
0040EA05  75 54            jnz short cyto-wj.0040EA5B
0040EA07  8A06             mov al,byte ptr ds:[esi]
0040EA09  3AC3             cmp al,bl
0040EA0B  74 0A            je short cyto-wj.0040EA17
0040EA0D  3C 20            cmp al,20
0040EA0F  77 06            ja short cyto-wj.0040EA17
0040EA11  46               inc esi
0040EA12  8975 DC          mov dword ptr ss:[ebp-24],esi
0040EA15  EB F0            jmp short cyto-wj.0040EA07
0040EA17  895D A8          mov dword ptr ss:[ebp-58],ebx
0040EA1A  8D85 7CFFFFFF    lea eax,dword ptr ss:[ebp-84]
0040EA20  50               push eax
0040EA21  FF15 18424D00    call dword ptr ds:[<&kernel32.GetStartupInfoA>]
0040EA27  F645 A8 01       test byte ptr ss:[ebp-58],1
0040EA2B  74 06            je short cyto-wj.0040EA33
0040EA2D  0FB745 AC        movzx eax,word ptr ss:[ebp-54]
0040EA31  EB 03            jmp short cyto-wj.0040EA36
0040EA33  6A 0A            push 0A
0040EA35  58               pop eax
0040EA36  50               push eax
0040EA37  56               push esi
0040EA38  53               push ebx
0040EA39  53               push ebx
0040EA3A  FFD7             call edi
0040EA3C  50               push eax
0040EA3D  E8 9EF10A00      call cyto-wj.004BDBE0
0040EA42  8BF0             mov esi,eax
0040EA44  8975 C0          mov dword ptr ss:[ebp-40],esi
0040EA47  395D E4          cmp dword ptr ss:[ebp-1C],ebx
0040EA4A  75 07            jnz short cyto-wj.0040EA53
0040EA4C  56               push esi
0040EA4D  FF15 4C4F4D00    call dword ptr ds:[<&msvcr71.exit>]
0040EA53  FF15 504F4D00    call dword ptr ds:[<&msvcr71._cexit>]
0040EA59  EB 55            jmp short cyto-wj.0040EAB0
0040EA5B  3C 22            cmp al,22
0040EA5D  75 0B            jnz short cyto-wj.0040EA6A
0040EA5F  33C9             xor ecx,ecx
0040EA61  395D E0          cmp dword ptr ss:[ebp-20],ebx
0040EA64  0F94C1           sete cl
0040EA67  894D E0          mov dword ptr ss:[ebp-20],ecx
0040EA6A  0FB6C0           movzx eax,al
0040EA6D  50               push eax
0040EA6E  FF15 544F4D00    call dword ptr ds:[<&msvcr71._ismbblead>]
0040EA74  59               pop ecx
0040EA75  85C0             test eax,eax
0040EA77  74 04            je short cyto-wj.0040EA7D
0040EA79  46               inc esi
0040EA7A  8975 DC          mov dword ptr ss:[ebp-24],esi
0040EA7D  46               inc esi
0040EA7E  E9 72FFFFFF      jmp cyto-wj.0040E9F5
The bodies of some calls inside the OEP code were stolen as well. For each one, the first line is the redirecting jmp found in the dump; the lines after it are the recovered code:
1) call dumped_.0040EABC
0040EABC  E9 DA1F2F01      jmp 01700A9B
0040EABC  68 6CE84000      push <jmp.&msvcr71._except_handler3>
0040EAC1  64:A1 00000000   mov eax,dword ptr fs:[0]
0040EAC7  50               push eax
0040EAC8  8B4424 10        mov eax,dword ptr ss:[esp+10]
0040EACC  896C24 10        mov dword ptr ss:[esp+10],ebp
0040EAD0  8D6C24 10        lea ebp,dword ptr ss:[esp+10]
0040EAD4  2BE0             sub esp,eax
0040EAD6  53               push ebx
0040EAD7  56               push esi
0040EAD8  57               push edi
0040EAD9  8B45 F8          mov eax,dword ptr ss:[ebp-8]
0040EADC  8965 E8          mov dword ptr ss:[ebp-18],esp
0040EADF  50               push eax
0040EAE0  8B45 FC          mov eax,dword ptr ss:[ebp-4]
0040EAE3  C745 FC FFFFFFFF mov dword ptr ss:[ebp-4],-1
0040EAEA  8945 F8          mov dword ptr ss:[ebp-8],eax
0040EAED  8D45 F0          lea eax,dword ptr ss:[ebp-10]
0040EAF0  64:A3 00000000   mov dword ptr fs:[0],eax
0040EAF6  C3               retn
2) call cyto-wj.0040EBBA
0040EBBA  E9 991E2F01      jmp 01700A58
0040EBBA  6A 0C            push 0C
0040EBBC  68 30894D00      push cyto-wj.004D8930
0040EBC1  E8 F6FEFFFF      call cyto-wj.0040EABC
0040EBC6  C745 E4 48E24E00 mov dword ptr ss:[ebp-1C],cyto-wj.004EE248
0040EBCD  817D E4 48E24E00 cmp dword ptr ss:[ebp-1C],cyto-wj.004EE248
0040EBD4  73 22            jnb short cyto-wj.0040EBF8
0040EBD6  8365 FC 00       and dword ptr ss:[ebp-4],0
0040EBDA  8B45 E4          mov eax,dword ptr ss:[ebp-1C]
0040EBDD  8B00             mov eax,dword ptr ds:[eax]
0040EBDF  85C0             test eax,eax
0040EBE1  74 0B            je short cyto-wj.0040EBEE
0040EBE3  FFD0             call eax
0040EBE5  EB 07            jmp short cyto-wj.0040EBEE
0040EBE7  33C0             xor eax,eax
0040EBE9  40               inc eax
0040EBEA  C3               retn
0040EBEB  8B65 E8          mov esp,dword ptr ss:[ebp-18]
0040EBEE  834D FC FF       or dword ptr ss:[ebp-4],FFFFFFFF
0040EBF2  8345 E4 04       add dword ptr ss:[ebp-1C],4
0040EBF6  EB D5            jmp short cyto-wj.0040EBCD
0040EBF8  E8 FAFEFFFF      call cyto-wj.0040EAF7
0040EBFD  C3               retn
call cyto-wj.0040EAF7
0040EAF7  E9 7C1B2F01      jmp 01700678
0040EAF7  8B4D F0          mov ecx,dword ptr ss:[ebp-10]
0040EAFA  64:890D 00000000 mov dword ptr fs:[0],ecx
0040EB01  59               pop ecx
0040EB02  5F               pop edi
0040EB03  5E               pop esi
0040EB04  5B               pop ebx
0040EB05  C9               leave
0040EB06  51               push ecx
0040EB07  C3               retn
3) call cyto-wj.0040EC48
0040EC48  E9 BB1B2F01      jmp 01700808
0040EC48  68 00000300      push 30000
0040EC4D  68 00000100      push 10000
0040EC52  E8 07000000      call <jmp.&msvcr71._controlfp>
0040EC57  59               pop ecx
0040EC58  59               pop ecx
0040EC59  C3               retn
4) call cyto-wj.0040E72E
0040E72E  E9 17232F01      jmp 01700A4A
0040E72E  FF7424 04        push dword ptr ss:[esp+4]
0040E732  E8 D1FFFFFF      call cyto-wj.0040E708
0040E737  F7D8             neg eax
0040E739  1BC0             sbb eax,eax
0040E73B  F7D8             neg eax
0040E73D  59               pop ecx
0040E73E  48               dec eax
0040E73F  C3               retn
4. Stolen code After API:
The place where the 8 kinds of Stolen code After API are told apart:
014DAA9B  8B55 F8          mov edx,dword ptr ss:[ebp-8]
014DAA9E  3A42 4A          cmp al,byte ptr ds:[edx+4A]
014DAAA1  74 0B            je short 014DAAAE
014DAAA3  8B55 F8          mov edx,dword ptr ss:[ebp-8]
014DAAA6  3A42 4B          cmp al,byte ptr ds:[edx+4B]
014DAAA9  75 3E            jnz short 014DAAE9
014DAAAB  EB 01            jmp short 014DAAAE
Register numbers: 0=eax, 1=ecx, 2=edx, 3=ebx, 4=esp, 5=ebp, 6=esi, 7=edi
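The register table above is the x86 ModRM register field, and every stolen instruction recorded in this section is a register-to-register mov, so the bytes to write back follow directly from it: 8B /r with mod=11, reg=destination, rm=source. The helper below encodes and decodes such movs with that table and cross-checks itself against byte pairs that appear in the listings of this post (8B CE = mov ecx,esi, 8B F0 = mov esi,eax, 8B C3 = mov eax,ebx). It is an added example, not code from the post or from Volx's script; the entry list and the image buffer it patches are constructed, and writing the two bytes at the recorded address is an assumption about how the repair is applied, not something the post states.

```python
from typing import Dict, List, Tuple

# Register numbering from the table above: index = ModRM reg/rm field value.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def encode_mov_reg_reg(dst: str, src: str) -> bytes:
    """Encode `mov dst,src` (32-bit) as 8B /r with a register-direct ModRM."""
    modrm = 0xC0 | (REGS.index(dst) << 3) | REGS.index(src)
    return bytes([0x8B, modrm])


def decode_mov_reg_reg(code: bytes) -> str:
    """Decode a 2-byte register-direct mov (8B /r or 89 /r) back to text."""
    if len(code) < 2 or code[0] not in (0x8B, 0x89) or code[1] >> 6 != 0b11:
        raise ValueError("not a register-direct mov")
    reg, rm = REGS[(code[1] >> 3) & 7], REGS[code[1] & 7]
    # 8B: mov reg,rm   89: mov rm,reg
    return f"mov {reg},{rm}" if code[0] == 0x8B else f"mov {rm},{reg}"


def build_patches(entries: List[Tuple[int, str]]) -> Dict[int, bytes]:
    """Turn (address, 'mov dst,src') annotations into {address: encoded bytes}."""
    patches = {}
    for addr, text in entries:
        mnemonic, operands = text.split(None, 1)
        if mnemonic != "mov":
            raise ValueError(f"unsupported stolen instruction at {addr:08X}: {text}")
        dst, src = (op.strip() for op in operands.split(","))
        patches[addr] = encode_mov_reg_reg(dst, src)
    return patches


def apply_patches(image: bytes, base: int, patches: Dict[int, bytes]) -> bytes:
    """Write each patch at (address - base) in a copy of the image (assumed placement)."""
    buf = bytearray(image)
    for addr, code in patches.items():
        off = addr - base
        if off < 0 or off + len(code) > len(buf):
            raise ValueError(f"patch at {addr:08X} falls outside the image")
        buf[off:off + len(code)] = code
    return bytes(buf)


# Constructed entries in the style of the SCafAPI.bin annotations.
SAMPLE_ENTRIES = [
    (0x00401606, "mov ecx,esi"),
    (0x00401B75, "mov esi,eax"),
    (0x00405F4C, "mov ecx,edi"),
    (0x0041286A, "mov eax,esi"),
]


if __name__ == "__main__":
    for addr, code in build_patches(SAMPLE_ENTRIES).items():
        print(f"{addr:08X}  {code.hex(' ').upper()}  {decode_mov_reg_reg(code)}")
```

Before writing anything back, decode the bytes you are about to patch: if `decode_mov_reg_reg` does not reproduce the annotation text, the destination and source were swapped or the wrong opcode form was chosen, and a silent mistake there corrupts a register at every call into that API.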
Open SCafAPI.bin, the file produced by running the script:
004D4000  >00401606  cyto-wj.00401606  // mov ecx,esi, Hide
004D4004  >00401B75  cyto-wj.00401B75  // mov esi,eax, Add password
004D4008  >00402679  cyto-wj.00402679  //
004D400C  >0040588C  cyto-wj.0040588C  //
004D4010  >00405F4C  cyto-wj.00405F4C  // mov ecx,edi, Enter registration code
004D4014  >0040816B  cyto-wj.0040816B  //
004D4018  >00409AE4  cyto-wj.00409AE4  // mov ecx,esi, Add password
004D401C  >00409C05  cyto-wj.00409C05  //
004D4020  >00411BCC  cyto-wj.00411BCC  //
004D4024  >0041286A  cyto-wj.0041286A  // mov eax,esi, Program startup
004D4028  >004167B2  cyto-wj.004167B2  //
004D402C  >004167E9  cyto-wj.004167E9  //
004D4030  >00416F94  cyto-wj.00416F94  //
I clicked through each function module; a few entries never broke, perhaps they are only reached once the program is registered?
Supporting the tutorial. To this day I still don't understand section patching, sigh, how embarrassing. Support.
Looks a bit abstruse!!
Looks a bit abstruse.......
Boss, I want to read it, but I just can't see it, frustrating.
I'm here to bump it again, haha, I'm the boss.
Learned something.
It is rather abstruse; looks like I'll need some more time before I can understand it.
Very abstruse, can't understand it! Can't make sense of it!
Very hard; the mere mention of it makes one pale.