吾爱游客
Posted on 2018-11-22 21:27
1. Requested ID: 秀才不酸
2. Personal e-mail: 271362351@qq.com
3. Original technical article: I was already studying at Pediy (看雪) back in 2008 and posted articles there, but afterwards I stopped researching. Learning is like rowing against the current: if you don't advance you fall back, and I have fallen back a lot, so I am getting back into study mode and applying to join this site. A friend uses a lottery program and asked me to crack it, which makes a handy warm-up exercise! First, get hold of the software and check the packer:
ASPR. I used a master's unpacking tool; I remember this packer being formidable back in 2008, when the only way was a master's script run inside OD, and it stumped a great many people!
Looks like it did not go smoothly.
It reports that unpacking is done, so let's run it and see:
It really did not unpack successfully. Fine, manual unpacking it is! Load it in OD:

00401000 > 68 01709000      push yespk10_.00907001
00401005   E8 01000000      call yespk10_.0040100B
0040100A   C3               retn
0040100B   C3               retn
0040100C   2138             and dword ptr ds:[eax],edi        ; yespk10_.<ModuleEntryPoint>
0040100E   36:0815 3BBA802> or byte ptr ss:[0x2D80BA3B],dl
00401015   43               inc ebx
With the 52pojie build of OD the program runs straight away, which shows its anti-debugging did not detect OD. Let's try the usual memory breakpoint.
Set the memory breakpoint and run:

00382685   F3:A5            rep movs dword ptr es:[edi],dword ptr ds>
00382687   89C1             mov ecx,eax
00382689   83E1 03          and ecx,0x3
0038268C   83C6 03          add esi,0x3
0038268F   83C7 03          add edi,0x3
00382692   F3:A4            rep movs byte ptr es:[edi],byte ptr ds:[>
00382694   FC               cld
00382695   5F               pop edi                           ; yespk10_.008F4F1C
00382696   5E               pop esi                           ; yespk10_.008F4F1C
00382697   C3               retn
00382698   53               push ebx
00382699   56               push esi                          ; yespk10_.008F4F20
0038269A   81C4 04F0FFFF    add esp,-0xFFC
003826A0   50               push eax
003826A1   8BF2             mov esi,edx
003826A3   8BD8             mov ebx,eax
003826A5   EB 01            jmp short 003826A8

The program arrives here!
Second memory breakpoint, F9 to run, and it breaks.
Remove the memory breakpoint; Ctrl+F9 runs to here.
Now we can dump, but what about the OEP? There is no IAT either. Dump first. I will be lazy here and look at the master's unpacked file to find the OEP.
Back in OD, go straight to that address and have a look.
There is the OEP. Next, repair with IMPORT.
The size is certainly wrong, so let's find it by hand:

00505FE3   55               push ebp
00505FE4   8BEC             mov ebp,esp
00505FE6   81EC 60000000    sub esp,0x60
00505FEC   C745 FC 0000000> mov dword ptr ss:[ebp-0x4],0x0
00505FF3   C745 F8 0000000> mov dword ptr ss:[ebp-0x8],0x0
00505FFA   C745 F0 0000000> mov dword ptr ss:[ebp-0x10],0x0
00506001   C745 F4 0000000> mov dword ptr ss:[ebp-0xC],0x0
00506008   B8 68887600      mov eax,yespk10_.00768868
0050600D   50               push eax
0050600E   8B5D 0C          mov ebx,dword ptr ss:[ebp+0xC]
00506011   8B1B             mov ebx,dword ptr ds:[ebx]
00506013   85DB             test ebx,ebx
00506015   74 09            je short yespk10_.00506020
00506017   53               push ebx
00506018   E8 83EF1300      call yespk10_.00644FA0
0050601D   83C4 04          add esp,0x4
00506020   58               pop eax                           ; yespk10_.008A76D8
00506021   8B5D 0C          mov ebx,dword ptr ss:[ebp+0xC]

The first CALL at the entry; step into it:

00644FA0  /FF25 4C887600    jmp dword ptr ds:[0x76884C]       ; yespk10_.00674200
00644FA6  |FF25 44887600    jmp dword ptr ds:[0x768844]       ; yespk10_.00674100
00644FAC  |FF25 38887600    jmp dword ptr ds:[0x768838]       ; yespk10_.00673C50
00644FB2  |FF25 2C887600    jmp dword ptr ds:[0x76882C]       ; yespk10_.00673F80
00644FB8  |FF25 30887600    jmp dword ptr ds:[0x768830]       ; yespk10_.00673C00
00644FBE  |FF25 48887600    jmp dword ptr ds:[0x768848]       ; yespk10_.00674140
00644FC4  |FF25 34887600    jmp dword ptr ds:[0x768834]       ; yespk10_.00673C10
00644FCA  |FF25 40887600    jmp dword ptr ds:[0x768840]       ; yespk10_.00673FD0
00644FD0  |FF25 3C887600    jmp dword ptr ds:[0x76883C]       ; yespk10_.00673FB0
00644FD6  |FF25 50887600    jmp dword ptr ds:[0x768850]       ; yespk10_.006740E0
00644FDC  |CC               int3
00644FDD  |CC               int3
00644FDE  |CC               int3
00644FDF  |CC               int3
00644FE0  |8B5424 04        mov edx,dword ptr ss:[esp+0x4]    ; yespk10_.00400000
00644FE4  |8B42 08          mov eax,dword ptr ds:[edx+0x8]

So many JMPs into code: a typical C++ program.

00674200   55               push ebp
00674201   8BEC             mov ebp,esp
00674203   837D 08 00       cmp dword ptr ss:[ebp+0x8],0x0
00674207   74 25            je short yespk10_.0067422E
00674209   8B45 08          mov eax,dword ptr ss:[ebp+0x8]    ; yespk10_.008A76D8
0067420C   50               push eax
0067420D   B9 D8768A00      mov ecx,yespk10_.008A76D8
00674212   E8 69A4FFFF      call yespk10_.0066E680
00674217   85C0             test eax,eax
00674219   75 13            jnz short yespk10_.0067422E
0067421B   8B4D 08          mov ecx,dword ptr ss:[ebp+0x8]    ; yespk10_.008A76D8
0067421E   51               push ecx
0067421F   6A 00            push 0x0
00674221   8B15 E47A8A00    mov edx,dword ptr ds:[0x8A7AE4]
00674227   52               push edx
00674228   FF15 C4C37500    call dword ptr ds:[0x75C3C4]      ; kernel32.HeapFree
0067422E   5D               pop ebp                           ; yespk10_.008A76D8
0067422F   C3               retn

See the address inside this CALL? Follow it in the data window!
0075c3c4: scroll up to the very first address and take a look:

0075C000  75399330  advapi32.RegCloseKey
0075C004  75399480  advapi32.RegOpenKeyExA
0075C008  753A6FA0  advapi32.RegSetValueExA
0075C00C  753BC5A0  advapi32.RegCreateKeyA
0075C010  753ADF60  advapi32.RegDeleteValueA
0075C014  753ADF80  advapi32.RegDeleteKeyA
0075C018  753BC2E0  advapi32.RegQueryValueA

It starts exactly at 75c000. Remember the IMPORT hint? 35c000, the same address, haha, so that should be right. Keep going all the way down to where it ends:

0075C8F8  77147720  combase.CoDisconnectObject
0075C8FC  7712AB00  combase.CoGetClassObject
0075C900  76AE5F40  ole32.StgOpenStorageOnILockBytes
0075C904  76AD4780  ole32.StgCreateDocfileOnILockBytes
0075C908  76AFABD0  ole32.CreateILockBytesOnHGlobal
0075C90C  7711CCB0  combase.CoFreeUnusedLibraries
0075C910  76AF1110  jmp 到 combase.CoRegisterMessageFilter
0075C914  77147D00  combase.CoRevokeClassObject
0075C918  76AE5B40  ole32.OleFlushClipboard
0075C91C  00000000
0075C920  6D461870  oledlg.OleUIBusyA
0075C924  00000000
0075C928  00000000
0075C92C  00000000

The size is confirmed as 924; start the repair.
Sure enough, it found them. I'll stop here for now; this is only the first step of the crack. First I'll apply to join 52pojie, then write up the cracking process!
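Worked example added to this thread (not the poster's code): the post reads the IAT start and end off the OD data window by eye and arrives at a size of 924. The script below does the same bookkeeping over a text dump of that window, so the range can be checked rather than guessed. It assumes one 32-bit slot per line in the "ADDR VALUE [comment] module.Symbol" shape the post quotes, that a single zero slot separates one DLL's thunks from the next while a run of zeros marks the end, and that the image base is 0x400000 (yespk10_.00400000 appears in the post's listing, but treating it as the base is an assumption). The sample dump is constructed from the head and tail quoted above; the slots in between are omitted.

```python
"""Recover the IAT range/size for an import-fixer from an OllyDbg data-window dump.

Added example; not the poster's code. Assumptions: 4-byte slots, one per line,
"ADDR VALUE [comment] module.Symbol" format, image base 0x400000.
"""
from collections import OrderedDict

IMAGE_BASE = 0x400000   # assumed image base of yespk10_
POINTER_SIZE = 4        # 32-bit IAT slots

# Constructed sample: head and tail of the dump quoted in the post; the slots
# between 0075C018 and 0075C8F8 are left out, and the comment on 0075C910 is
# written in ASCII.
SAMPLE_DUMP = """\
0075C000 75399330 advapi32.RegCloseKey
0075C004 75399480 advapi32.RegOpenKeyExA
0075C008 753A6FA0 advapi32.RegSetValueExA
0075C00C 753BC5A0 advapi32.RegCreateKeyA
0075C010 753ADF60 advapi32.RegDeleteValueA
0075C014 753ADF80 advapi32.RegDeleteKeyA
0075C018 753BC2E0 advapi32.RegQueryValueA
0075C8F8 77147720 combase.CoDisconnectObject
0075C8FC 7712AB00 combase.CoGetClassObject
0075C900 76AE5F40 ole32.StgOpenStorageOnILockBytes
0075C904 76AD4780 ole32.StgCreateDocfileOnILockBytes
0075C908 76AFABD0 ole32.CreateILockBytesOnHGlobal
0075C90C 7711CCB0 combase.CoFreeUnusedLibraries
0075C910 76AF1110 jmp to combase.CoRegisterMessageFilter
0075C914 77147D00 combase.CoRevokeClassObject
0075C918 76AE5B40 ole32.OleFlushClipboard
0075C91C 00000000
0075C920 6D461870 oledlg.OleUIBusyA
0075C924 00000000
0075C928 00000000
0075C92C 00000000
"""


def parse_dump(text):
    """Return [(slot_va, pointer, module, symbol)]; module/symbol are None
    for slots that hold no resolved import (zero or unlabelled)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        slot, value = int(parts[0], 16), int(parts[1], 16)
        module = symbol = None
        # OD appends "module.Symbol" as the last token when the pointer resolves.
        if value != 0 and "." in parts[-1]:
            module, symbol = parts[-1].split(".", 1)
        entries.append((slot, value, module, symbol))
    return entries


def iat_bounds(entries):
    """First resolved slot and one past the last resolved slot. A lone zero
    between two DLLs' thunks (0075C91C in the sample) is inside the range;
    only the trailing run of zeros is outside it."""
    resolved = [slot for slot, _, module, _ in entries if module]
    if not resolved:
        raise ValueError("no resolved import slots in dump")
    return min(resolved), max(resolved) + POINTER_SIZE


def iat_size(entries):
    """Size value an import fixer asks for: end minus start."""
    start, end = iat_bounds(entries)
    return end - start


def va_to_rva(va, image_base=IMAGE_BASE):
    """Import fixers take the IAT start as an RVA, not a VA."""
    return va - image_base


def imports_by_module(entries):
    """Group resolved symbols by DLL, in dump order."""
    groups = OrderedDict()
    for _, _, module, symbol in entries:
        if module:
            groups.setdefault(module.lower(), []).append(symbol)
    return groups


def check_alignment(entries):
    """Every slot must sit on a 4-byte boundary; a misaligned address usually
    means the range was started in the middle of a slot."""
    return all(slot % POINTER_SIZE == 0 for slot, *_ in entries)


if __name__ == "__main__":
    entries = parse_dump(SAMPLE_DUMP)
    start, end = iat_bounds(entries)
    print(f"IAT VA  {start:08X}-{end:08X}  size 0x{iat_size(entries):X}")
    print(f"IAT RVA {va_to_rva(start):08X}  aligned={check_alignment(entries)}")
    for module, names in imports_by_module(entries).items():
        print(f"  {module}: {len(names)} import(s)")
```

Run on the sample it reports a VA range of 0075C000-0075C924, size 0x924, and RVA 0035C000, matching the 924 and 35c000 in the post; if the reported size differs from what the fixer suggested, the per-module grouping shows which DLL's thunks fell outside the guessed range.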