aa15
Posted 2015-1-13 15:07
This post was last edited by aa15 on 2015-2-1 13:42
On updating the awesome tool WonderWall
WonderWall is a plugin collection that extends Easy Language (易语言), including inline assembly, driver compilation, static library compilation, IDE extensions and many other powerful features!
This isn't a technical article, so I won't explain much.
Although it is open source, one module is missing; that module is commercial, so it's understandable that it can't be released.
The author hasn't updated it for a long time. Could we modify it ourselves for the new version?
This is just my own memo, so I won't write much.
I've already found the data the new version needs for the update.
The same approach can be used to crack it without unpacking.
E_pCode, 0044D46C
E_pValidCode, 0044D49B
E_pBreakPoint, 004096B4
E_MemCrcLen, 0015D747
E_pMemCrcCal, 004E58B8
E_pMemCrcSnow, 0049A5E3
E_pMemCrcValue, 005A737C
E_strCompling, 00411BAB
E_strComplied, 0042DE50
E_strECComplied, 0045FBA7
E_OutputDebugString_This, RPPM ( 005B1318 + #E_OutputDebugString_This_offest1_511 , { #E_OutputDebugString_This_offest2_511 })
E_pHextoDec,
E_pHWID, INC DWORD PTR DS:[5B1E08]
E_SetBreakPoint, 00461A63
E_ProcCode, 004139C0
E_ProcPackCode, 00413A5B
E_ProcPackName, 004201C9
E_ExportPackCode, 0042DB8E
E_AddResourcePreview, 0043A213
E_AddResourceConfirm,
Because WonderWall is packed with UPX, and because things written in E are generally absurdly large, I didn't plan to unpack it. But after UPX compression there is little free space, so I manually added a section to it.
Add a section
Compute the addresses
Load it in OD, Ctrl+G → 101B4000 to jump to the newly added section and write the code there.
101B4000 is the text that prompts the E version number
101B4020 is the pointer to the text
The code starts at 101B4030
CPU Disasm
Address Hex dump Instruction Comment
101B4000 C4FA LES EDI,EDX ; Illegal use of register
101B4002 B5 B1 MOV CH,0B1
101B4004 C7 DB C7 ; Unknown command
101B4005 B0 D5 MOV AL,0D5
101B4007 FD STD
101B4008 D4 DA AAM 0DA
101B400A CA B9D3 RETF 0D3B9 ; Far jump or call
101B400D C3 RETN
101B400E D2D7 RCL BH,CL
101B4010 D3EF SHR EDI,CL
101B4012 D1D4 RCL ESP,1 ; Suspicious use of stack pointer
101B4014 35 2E3331B0 XOR EAX,B031332E
101B4019 E6 B1 OUT 0B1,AL ; I/O command
101B401B BE 21000000 MOV ESI,21
101B4020 0040 1B ADD BYTE PTR DS:[EAX+1B],AL
101B4023 1000 ADC BYTE PTR DS:[EAX],AL
101B4025 0000 ADD BYTE PTR DS:[EAX],AL
101B4027 0000 ADD BYTE PTR DS:[EAX],AL
101B4029 90 NOP
101B402A 90 NOP
101B402B 90 NOP
101B402C 90 NOP
101B402D 90 NOP
101B402E 90 NOP
101B402F 90 NOP
101B4030 8B44E4 30 MOV EAX,DWORD PTR SS:[ESP+30]
101B4034 813D A1584E00 43365498 CMP DWORD PTR DS:[4E58A1],98543643
101B403E 0F85 84010000 JNE 101B41C8 ← I wonder whether anyone noticed my sloppiness here
101B4044 36:66:C780 186C0200 8D05 MOV WORD PTR SS:[EAX+26C18],58D
101B404E 8D90 00401B00 LEA EDX,[EAX+1B4000]
101B4054 36:8990 20401B00 MOV DWORD PTR SS:[EAX+1B4020],EDX
101B405B 8D90 20401B00 LEA EDX,[EAX+1B4020]
101B4061 36:8990 1A6C0200 MOV DWORD PTR SS:[EAX+26C1A],EDX
101B4068 36:C780 1E6C0200 90909090 MOV DWORD PTR SS:[EAX+26C1E],90909090
101B4073 36:C780 226C0200 90909090 MOV DWORD PTR SS:[EAX+26C22],90909090
101B407E 36:C780 C1720200 6CD44400 MOV DWORD PTR SS:[EAX+272C1],44D46C
101B4089 36:C780 96CD0200 71D44400 MOV DWORD PTR SS:[EAX+2CD96],44D471
101B4094 36:C780 88CD0200 9BD44400 MOV DWORD PTR SS:[EAX+2CD88],44D49B
101B409F 36:C780 6F720200 B4964000 MOV DWORD PTR SS:[EAX+2726F],4096B4
101B40AA 36:C780 92830200 B9964000 MOV DWORD PTR SS:[EAX+28392],4096B9
101B40B5 36:C780 3D6C0200 47D71500 MOV DWORD PTR SS:[EAX+26C3D],15D747
101B40C0 36:C780 98720200 B8584E00 MOV DWORD PTR SS:[EAX+27298],4E58B8
101B40CB 36:C780 00CC0200 E3A54900 MOV DWORD PTR SS:[EAX+2CC00],49A5E3
101B40D6 36:C780 F3CB0200 7C735A00 MOV DWORD PTR SS:[EAX+2CBF3],5A737C
101B40E1 36:C780 0DCC0200 7C735A00 MOV DWORD PTR SS:[EAX+2CC0D],5A737C
101B40EC 36:C780 3C730200 AB1B4100 MOV DWORD PTR SS:[EAX+2733C],411BAB
101B40F7 36:C780 52ED0200 B01B4100 MOV DWORD PTR SS:[EAX+2ED52],411BB0
101B4102 36:C780 27EE0200 55DE4200 MOV DWORD PTR SS:[EAX+2EE27],42DE55
101B410D 36:C780 65730200 50DE4200 MOV DWORD PTR SS:[EAX+27365],42DE50
101B4118 36:C780 8E730200 A7FB4500 MOV DWORD PTR SS:[EAX+2738E],45FBA7
101B4123 36:C780 E5EF0200 ACFB4500 MOV DWORD PTR SS:[EAX+2EFE5],45FBAC
101B412E 36:C780 0FCF0100 CC1B5B00 MOV DWORD PTR SS:[EAX+1CF0F],5B1BCC
101B4139 36:C780 13730200 725D4B00 MOV DWORD PTR SS:[EAX+27313],4B5D72
101B4144 36:C780 21D80200 775D4B00 MOV DWORD PTR SS:[EAX+2D821],4B5D77
101B414F 36:C780 EA720200 43C14A00 MOV DWORD PTR SS:[EAX+272EA],4AC143
101B415A 36:C780 75D70200 48C14A00 MOV DWORD PTR SS:[EAX+2D775],4AC148
101B4165 36:C780 7AD70200 D0584B00 MOV DWORD PTR SS:[EAX+2D77A],4B58D0
101B4170 36:C780 D3740200 081E5B00 MOV DWORD PTR SS:[EAX+274D3],5B1E08
101B417B 36:C780 B7730200 631A4600 MOV DWORD PTR SS:[EAX+273B7],461A63
101B4186 36:C780 E0730200 C0394100 MOV DWORD PTR SS:[EAX+273E0],4139C0
101B4191 36:C780 09740200 5B3A4100 MOV DWORD PTR SS:[EAX+27409],413A5B
101B419C 36:C780 32740200 C9014200 MOV DWORD PTR SS:[EAX+27432],4201C9
101B41A7 36:C780 5B740200 8EDB4200 MOV DWORD PTR SS:[EAX+2745B],42DB8E
101B41B2 36:C780 84740200 13A24300 MOV DWORD PTR SS:[EAX+27484],43A213
101B41BD 36:C780 AD740200 146E4300 MOV DWORD PTR SS:[EAX+274AD],436E14
101B41C8 36:C780 E0CC0200 10F04C00 MOV DWORD PTR SS:[EAX+2CCE0],4CF010
101B41D3 36:C780 22EE0200 A4E15900 MOV DWORD PTR SS:[EAX+2EE22],59E1A4
101B41DE 36:C780 E0EF0200 A40E5A00 MOV DWORD PTR SS:[EAX+2EFE0],5A0EA4
101B41E9 36:C780 4DED0200 98DE5900 MOV DWORD PTR SS:[EAX+2ED4D],59DE98
101B41F4 36:C680 20CE0200 C4 MOV BYTE PTR SS:[EAX+2CE20],0C4
101B41FC 36:C680 2ACE0200 CC MOV BYTE PTR SS:[EAX+2CE2A],0CC
101B4204 36:C680 5FB30200 C4 MOV BYTE PTR SS:[EAX+2B35F],0C4
101B420C 36:C680 75B30200 CC MOV BYTE PTR SS:[EAX+2B375],0CC
101B4214 36:C680 8CBC0200 C4 MOV BYTE PTR SS:[EAX+2BC8C],0C4
101B421C 36:C680 A7BC0200 CC MOV BYTE PTR SS:[EAX+2BCA7],0CC
101B4224 36:C680 2D9C0200 E9 MOV BYTE PTR SS:[EAX+29C2D],0E9
101B422C 36:C780 2E9C0200 BF0D0000 MOV DWORD PTR SS:[EAX+29C2E],0DBF
101B4237 36:C680 329C0200 90 MOV BYTE PTR SS:[EAX+29C32],90
101B423F 05 4D120400 ADD EAX,4124D
101B4244 50 PUSH EAX ← it should jump here
101B4245 813D A1584E00 43365498 CMP DWORD PTR DS:[4E58A1],98543643
101B424F 75 05 JNE SHORT 101B4256
101B4251 B8 FF010000 MOV EAX,1FF
101B4256 C3 RETN
101B4257 0000 ADD BYTE PTR DS:[EAX],AL
After writing it, save (you don't have to, it's just a habit).
Reload in OD; it stops at the UPX entry point.
CPU Disasm
Address Hex dump Instruction Comment
101B2AC0 807C24 08 01 CMP BYTE PTR SS:[ESP+8],1
101B2AC5 0F85 E2010000 JNE 101B2CAD
101B2ACB 60 PUSHAD
101B2ACC BE 00C01110 MOV ESI,1011C000
101B2AD1 8DBE 0050EEFF LEA EDI,[ESI+FFEE5000]
101B2AD7 57 PUSH EDI
101B2AD8 83CD FF OR EBP,FFFFFFFF
101B2ADB EB 0D JMP SHORT 101B2AEA
101B2ADD 90 NOP
101B2ADE 90 NOP
101B2ADF 90 NOP
101B2AE0 8A06 MOV AL,BYTE PTR DS:[ESI]
101B2AE2 46 INC ESI
101B2AE3 8807 MOV BYTE PTR DS:[EDI],AL
101B2AE5 47 INC EDI
101B2AE6 01DB ADD EBX,EBX
101B2AE8 75 07 JNE SHORT 101B2AF1
101B2AEA 8B1E MOV EBX,DWORD PTR DS:[ESI]
101B2AEC 83EE FC SUB ESI,-4
101B2AEF 11DB ADC EBX,EBX
I said I wouldn't unpack it, but the code does have to be modified.
Scroll down and find the place where UPX has finished decompressing.
CPU Disasm
Address Hex dump Instruction Comment
101B2C81 50 PUSH EAX
101B2C82 54 PUSH ESP
101B2C83 6A 04 PUSH 4
101B2C85 53 PUSH EBX
101B2C86 57 PUSH EDI
101B2C87 FFD5 CALL EBP
101B2C89 8D87 27020000 LEA EAX,[EDI+227]
101B2C8F 8020 7F AND BYTE PTR DS:[EAX],7F
101B2C92 8060 28 7F AND BYTE PTR DS:[EAX+28],7F
101B2C96 58 POP EAX
101B2C97 50 PUSH EAX
101B2C98 54 PUSH ESP
101B2C99 50 PUSH EAX
101B2C9A 53 PUSH EBX
101B2C9B 57 PUSH EDI
101B2C9C FFD5 CALL EBP
101B2C9E 58 POP EAX
101B2C9F 61 POPAD
101B2CA0 8D4424 80 LEA EAX,[ESP-80]
101B2CA4 6A 00 PUSH 0
101B2CA6 39C4 CMP ESP,EAX
101B2CA8 ^ 75 FA JNE SHORT 101B2CA4
101B2CAA 83EC 80 SUB ESP,-80
101B2CAD ^ E9 471AF6FF JMP 101146F9
101B2CB2 0000 ADD BYTE PTR DS:[EAX],AL
This very familiar jmp is the jump to the original OEP. We change a little code here.
CPU Disasm
Address Hex dump Instruction Comment
101B2CAA 83EC 80 SUB ESP,-80
101B2CAD 8B44E4 04 MOV EAX,DWORD PTR SS:[ESP+4] ; this was originally the jmp; [esp+4] is the pointer to the base address
101B2CB1 36:C780 49120400 E32D1700 MOV DWORD PTR SS:[EAX+41249],172DE3 ; [EAX+41249] is the jmp after WW has finished checking the E version
101B2CBC 05 F9461100 ADD EAX,1146F9 ; JMP 101146F9, so this is base + 1146F9
101B2CC1 50 PUSH EAX ; push/ret jump; of course a jmp would work too
101B2CC2 C3 RETN ; take off
101B2CC3 0000 ADD BYTE PTR DS:[EAX],AL
101B2CC5 0000 ADD BYTE PTR DS:[EAX],AL
101B2CC7 0000 ADD BYTE PTR DS:[EAX],AL
The purpose of the code above: once WonderWall has checked the E version and it is not a version WonderWall supports, jump to the newly added section.
Let's look at the original code. I won't paste all of it, only the key part.
MOV DWORD PTR SS:[EAX+41249],172DE3
CPU Dump, before executing MOV DWORD PTR SS:[EAX+41249],172DE3
Address Hex dump Instruction Comment
10041230 3945 F8 CMP DWORD PTR SS:[EBP-8],EAX
10041233 0F85 0A000000 JNE 10041243
10041239 B8 92010000 MOV EAX,192
1004123E E9 0A000000 JMP 1004124D
10041243 B8 00000000 MOV EAX,0 ; WonderWall returns 0 for a version it can't recognise
10041248 E9 00000000 JMP 1004124D ; note here
1004124D 8BE5 MOV ESP,EBP
1004124F 5D POP EBP
10041250 C3 RETN
CPU Dump, after executing MOV DWORD PTR SS:[EAX+41249],172DE3
Address Hex dump Instruction Comment
10041230 3945 F8 CMP DWORD PTR SS:[EBP-8],EAX
10041233 0F85 0A000000 JNE 10041243
10041239 B8 92010000 MOV EAX,192
1004123E E9 0A000000 JMP 1004124D
10041243 B8 00000000 MOV EAX,0 ; WonderWall returns 0 for a version it can't recognise
10041248 E9 E32D1700 JMP 101B4030 ; note here
1004124D 8BE5 MOV ESP,EBP
1004124F 5D POP EBP
10041250 C3 RETN
Save again and it's done~~~~~
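The two pieces of arithmetic the post does by hand in OllyDbg, appending a section to the PE and encoding the `E9` jump that gets written over the version check, as an added example in Python. This is not code from aa15's post or from the WonderWall project: the PE it edits is a constructed one-section PE32 sample rather than the WonderWall DLL, and the function names are mine. The expected values for the jump are the ones visible in the post (JMP 101B4030 at 10041248 encodes as E9 E32D1700; the loader stub stores 172DE3 at [base+41249] and the detour returns through base+4124D), so the helpers can be checked against them.

```python
"""Add a section to a PE32 image and compute the operands of a rel32 hook.

Added example, not from the original post. The PE built below is a constructed
minimal sample, not the WonderWall binary.
"""
import struct

# PE32 optional-header field offsets (from the start of the optional header).
OPT_IMAGE_BASE, OPT_SECTION_ALIGN, OPT_FILE_ALIGN = 28, 32, 36
OPT_SIZE_OF_IMAGE, OPT_SIZE_OF_HEADERS = 56, 60
SECTION_HDR_FMT = "<8sIIIIIIHHI"          # 40-byte IMAGE_SECTION_HEADER
SCN_CODE_RWX = 0xE0000020                 # CNT_CODE | EXECUTE | READ | WRITE


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def jmp_rel32(src_va, dst_va):
    """x86 `JMP rel32`: E9 + signed displacement from the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", dst_va - (src_va + 5))


def hook_patch_operands(image_base, jmp_va, target_va):
    """Image-base-relative values a loader stub needs to plant the jump at run time
    (the module is a DLL, so the stub adds the real base, as the post's stub does):
    RVA of the JMP's rel32 field, the rel32 value, and RVA of the instruction after
    the JMP (where a push/ret detour returns)."""
    rel32 = struct.unpack("<I", jmp_rel32(jmp_va, target_va)[1:])[0]
    return jmp_va + 1 - image_base, rel32, jmp_va + 5 - image_base


def build_minimal_pe32(image_base=0x10000000, section_align=0x1000, file_align=0x200):
    """Constructed sample: a one-section PE32 DLL-like image with a single RETN in .text."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, OPT_IMAGE_BASE, image_base)
    struct.pack_into("<I", opt, OPT_SECTION_ALIGN, section_align)
    struct.pack_into("<I", opt, OPT_FILE_ALIGN, file_align)
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE, 0x2000)
    struct.pack_into("<I", opt, OPT_SIZE_OF_HEADERS, 0x200)
    struct.pack_into("<H", opt, 68, 2)                           # Subsystem: GUI
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    text = struct.pack(SECTION_HDR_FMT, b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text).ljust(0x200, b"\0")
    return headers + b"\xC3".ljust(0x200, b"\0")


def add_section(pe, name, code, characteristics=SCN_CODE_RWX):
    """Append `code` as a new section (what the post's 'add a section' step does by hand).
    Returns (new_image, RVA of the new section). The new section's VA follows the last
    section (section-aligned), its raw data goes at the file end (file-aligned), and
    NumberOfSections / SizeOfImage are updated."""
    pe = bytearray(pe)
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = pe_off + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("PE32 only")
    sec_align, file_align = struct.unpack_from("<II", pe, opt + OPT_SECTION_ALIGN)
    size_of_headers = struct.unpack_from("<I", pe, opt + OPT_SIZE_OF_HEADERS)[0]
    sec_table = opt + struct.unpack_from("<H", pe, coff + 16)[0]
    new_hdr = sec_table + 40 * nsec
    if new_hdr + 40 > size_of_headers:
        raise ValueError("no room for another section header")
    end_va = 0
    for i in range(nsec):
        vsize, va = struct.unpack_from("<II", pe, sec_table + 40 * i + 8)
        end_va = max(end_va, align_up(va + vsize, sec_align))
    raw_ptr = align_up(len(pe), file_align)
    raw_size = align_up(len(code), file_align)
    pe[new_hdr:new_hdr + 40] = struct.pack(SECTION_HDR_FMT, name.encode()[:8], len(code),
                                           end_va, raw_size, raw_ptr, 0, 0, 0, 0, characteristics)
    struct.pack_into("<H", pe, coff + 2, nsec + 1)
    struct.pack_into("<I", pe, opt + OPT_SIZE_OF_IMAGE, align_up(end_va + raw_size, sec_align))
    pe += b"\0" * (raw_ptr - len(pe)) + code.ljust(raw_size, b"\0")
    return bytes(pe), end_va


def pe_summary(pe):
    """(NumberOfSections, SizeOfImage, [(name, VirtualAddress, PointerToRawData, SizeOfRawData)])."""
    coff = struct.unpack_from("<I", pe, 0x3C)[0] + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt = coff + 20
    sec_table = opt + struct.unpack_from("<H", pe, coff + 16)[0]
    secs = []
    for i in range(nsec):
        name, _vs, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, sec_table + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, raw_ptr, raw_size))
    return nsec, struct.unpack_from("<I", pe, opt + OPT_SIZE_OF_IMAGE)[0], secs


if __name__ == "__main__":
    image, rva = add_section(build_minimal_pe32(), ".ww", b"\x90" * 16 + b"\xC3")
    print("new section RVA %#x, summary %r" % (rva, pe_summary(image)))
    print("post's hook:", jmp_rel32(0x10041248, 0x101B4030).hex(),
          [hex(v) for v in hook_patch_operands(0x10000000, 0x10041248, 0x101B4030)])
```

The rel32 is relative to the end of the jump, which is why the post's stub returns through base+4124D (the byte after the 5-byte JMP) and why the displacement must be recomputed if either the hook site or the new section moves; `add_section` refuses to write a header past SizeOfHeaders instead of silently clobbering the first section's raw data.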