[转载]用Ollydbg手脱SafeDisc V2.43.000加壳的DLL
<P>文章作者:Fly</P><P><FONT face=宋体>【作者声明】:只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!<BR><BR>【调试环境】:WinXP、OllydbgV1.10、PEiD、LordPE、ImportREC、WinHex<BR><BR>—————————————————————————————————<BR>【脱壳过程】:<BR><BR><BR>SafeDisc是著名的光碟保护软件,现在也单独加壳PE文件了。<BR>本教程演示的AdobeLM.dllV1.0.2.38是AdobePremiereProV1.5的文件,SafeDiscV2.43.000保护,不是最新版,况且一般壳保护DLL时强度都要降低,SafeDisc对此DLL没有使用驱动和CC解码,因此相对来说难度不高。但是SafeDisc的输入表和SDK修复比较麻烦。<BR>此文件以前jingulong搞定过,感谢heXer和shoooo的帮忙,SDK由heXer修复。<BR>由于没有主程序测试,可能还会有其他隐藏的暗桩。<BR>此教程不适合新手练习。断断续续整理了很长时间,作为2005年的结笔吧,光阴似箭。<BR>—————————————————————————————————<BR>一、准备动作<BR><BR><BR>设置Ollydbg忽略所有的异常选项。用IsDebug插件去掉OllyDBD的调试器标志。<BR><BR>1005A05E55pushebp<BR>1005A05F8BECmovebp,esp<BR>1005A06160pushad<BR>1005A062BB5EA00510movebx,1005A05E<BR>1005A06733C9xorecx,ecx<BR>1005A0698A0D3DA00510movcl,byteptrds:[1005A03D]<BR>1005A06F85C9testecx,ecx<BR>1005A071740Cjeshort1005A07F<BR>1005A073B8D3A00510moveax,1005A0D3<BR>1005A0782BC3subeax,ebx<BR>1005A07A83E805subeax,5<BR>1005A07DEB0Ejmpshort1005A08D<BR>1005A07F51pushecx<BR>1005A080B919A10510movecx,1005A119<BR>1005A0858BC1moveax,ecx<BR>1005A0872BC3subeax,ebx<BR>1005A089034101addeax,dwordptrds:[ecx+1]<BR>1005A08C59popecx<BR>1005A08DC603E9movbyteptrds:[ebx],0E9<BR>1005A090894301movdwordptrds:[ebx+1],eax<BR>1005A09351pushecx<BR>1005A0946809A00510push1005A009<BR>1005A09933C0xoreax,eax<BR>1005A09B85C9testecx,ecx<BR>1005A09D7405jeshort1005A0A4<BR>1005A09F8B4508moveax,dwordptrss:[ebp+8]<BR>1005A0A2EB00jmpshort1005A0A4<BR>1005A0A450pusheax<BR>1005A0A5E876000000call1005A120<BR>//壳处理<BR>1005A0AA83C408addesp,8<BR>1005A0AD59popecx<BR>1005A0AE83F800cmpeax,0<BR>1005A0B1741Cjeshort1005A0CF<BR>1005A0B3C603C2movbyteptrds:[ebx],0C2<BR>1005A0B6C643010Cmovbyteptrds:[ebx+1],0C<BR>1005A0BA85C9testecx,ecx<BR>1005A0BC7409jeshort1005A0C7<BR>1005A0BE61popad<BR>1005A0BF5Dpopebp<BR>1005A0C0B800000000moveax,0<BR>1005A0C5EB97jmpshort1005A05E<BR>1005A0C750pusheax<BR>1005A0C8A129A00510moveax,dwordptrds:[1005A029]<BR>1005A0CDFFD0calleax<BR>1005A0CF61popad<BR>1005A0D05Dpopebp<BR>1005A0D1EB46jmpshort1005A119<BR>1005A0D3807C240800cmpbyteptrss:[esp+8],0<BR>1005A0D8753Fjnzshort1005A119<BR>1005A0DA51pushecx<BR>1005A0DB8B4C2404movecx,dwordptrss:[esp+4]<BR>1005A0DF890D13A10510movdwordptrds:[1005A113],ecx<BR>1005A0E5B9F1A00510movecx,1005A0F1<BR>1005A0EA894C2404movdwordptrss:[esp+4],ecx<BR>1005A0EE59popecx<BR>1005A0EFEB28jmpshort1005A119<BR>1005A0F150pusheax<BR>1005A0F2B82DA00510moveax,1005A02D<BR>1005A0F7FF7008pushdwordptrds:[eax+8]<BR>1005A0FA8B400Cmoveax,dwordptrds:[eax+C]<BR>1005A0FDFFD0calleax<BR>1005A0FFB82DA00510moveax,1005A02D<BR>1005A104FF30pushdwordptrds:[eax]<BR>1005A1068B4004moveax,dwordptrds:[eax+4]<BR>1005A109FFD0calleax<BR>1005A10B58popeax<BR>1005A10CFF3513A10510pushdwordptrds:[1005A113]<BR>1005A112C3retn<BR>1005A119E9A6CEFCFFjmp10026FC4<BR>//飞向光明之巅<BR><BR><BR>—————————————————————————————————<BR>二、Anti<BR><BR><BR>SafeDiscV2.43.000对OllyDBG的反调试还是很少的,下面没有分析对SoftICE的Anti<BR>SafeDisc会在你的Temp目录下生成~df394b.tmp,这个其实是SecServ.dll,里面Anti<BR>————————————————————————<BR>1、IsDebuggerPresent<BR><BR>BPIsDebuggerPresent<BR>Shift+F9,中断后取消断点,Alt+F9<BR><BR>00879ACAFFD0calleax<BR>00879ACC8BF0movesi,eax<BR>//返回这里<BR>00879ACE66:85F6testsi,si<BR>00879AD17413jeshort00879AE6<BR>//IsDebuggerPresent检测<BR>00879AD3E8A277FFFFcall0087127A<BR>00879AD866:8BF0movsi,ax<BR>00879ADB66:F7DEnegsi<BR>00879ADE1BF6sbbesi,esi<BR>00879AE046incesi<BR>00879AE166:85F6testsi,si<BR>00879AE47513jnzshort00879AF9<BR>00879AE68B442408moveax,dwordptrss:[esp+8]<BR>00879AEA8B08movecx,dwordptrds:[eax]<BR>00879AEC81E1EA894267andecx,674289EA<BR>00879AF28908movdwordptrds:[eax],ecx<BR>00879AF466:8BC6movax,si<BR>00879AF75Epopesi<BR>00879AF8C3retn<BR><BR>因为我们已经使用IsDebug插件了,所以这里不必处理,只是借用此断点来继续下面的流程。<BR><BR>————————————————————————<BR>2、ZwQueryInformationProcess<BR><BR>BPGetCurrentProcess<BR>Shift+F9,中断后取消断点,Alt+F9<BR><BR>00879889FF15B4208C00calldwordptrds:[8C20B4];kernel32.GetCurrentProcess<BR>//返回这里<BR>0087988F50pusheax<BR>00879890FFD7calledi;ntdll.ZwQueryInformationProcess<BR>008798928B44240Cmoveax,dwordptrss:[esp+C]<BR>//检测DebugPort,修改[esp+0C]处为0,或者在下面跳转处改标志位<BR>0087989685C0testeax,eax<BR>008798987502jnzshort0087989C<BR>//跳则Over<BR><BR>————————————————————————<BR>3、普通断点检测<BR><BR>脱壳时一般要有好的习惯,用过的断点要立刻清除。在此壳中不要留有普通断点。<BR>如果上面我们没有清掉API断点,那么这里会检测到<BR><BR>0087952053pushebx<BR>008795218B19movebx,dwordptrds:[ecx]<BR>00879523803C03CCcmpbyteptrds:[ebx+eax],0CC<BR>//自kernel32.dll各函数入口检测普通INT3<BR>008795277501jnzshort0087952A<BR>0087952946incesi<BR>0087952A83C104addecx,4<BR>0087952D4Adecedx<BR>0087952E75F1jnzshort00879521<BR>008795305Bpopebx<BR>0087953133D2xoredx,edx<BR>008795333BD6cmpedx,esi<BR>008795355Epopesi<BR>008795361BC0sbbeax,eax<BR>00879538F7D8negeax<BR>0087953A66:85C0testax,ax<BR>//AX要=0<BR>0087953D7512jnzshort00879551<BR><BR>好了,SafeDiscV2.43.000对OllyDBG的Anti手段就这么点<BR>稍有威胁的是ZwQueryInformationProcess,去除Anti不难<BR><BR><BR>—————————————————————————————————<BR>三、获取正确的函数地址<BR><BR><BR>下面用脚本来演示这部分的处理。<BR>重新加载AdobeLM.dll,运行SafeDiscV2.43.000.osc脚本。脚本运行完毕后OllyDBG自动暂停在OEP<BR><BR>10026FC455pushebp<BR>//OEP<BR>10026FC58BECmovebp,esp<BR>10026FC753pushebx<BR>10026FC88B5D08movebx,dwordptrss:[ebp+8]<BR>10026FCB56pushesi<BR>10026FCC8B750Cmovesi,dwordptrss:[ebp+C]<BR>10026FCF57pushedi<BR>10026FD08B7D10movedi,dwordptrss:[ebp+10]<BR>10026FD385F6testesi,esi<BR>10026FD57509jnzshort10026FE0<BR>10026FD7833D80AE041000cmpdwordptrds:[1004AE80],0<BR>10026FDEEB26jmpshort10027006<BR>10026FE083FE01cmpesi,1<BR>10026FE37405jeshort10026FEA<BR>10026FE583FE02cmpesi,2<BR>10026FE87522jnzshort1002700C<BR>10026FEAA108C60410moveax,dwordptrds:[1004C608]<BR>10026FEF85C0testeax,eax<BR>10026FF17409jeshort10026FFC<BR>10026FF357pushedi<BR>10026FF456pushesi<BR>10026FF553pushebx<BR>10026FF6FFD0calleax<BR><BR>随便从程序中找个API调用:<BR>10026EF8FF15E4610310calldwordptrds:[100361E4];kernel32.GetSystemTime<BR>数据窗口跟随100361E4,输入表函数已经全部获得正确的系统地址了。<BR><BR>10036000BBD5DC778E77DA77E7EBDA77F06BDA77<BR>100360101B76DA778378DA77B377DA7700000000<BR>100360203934175D000000003B6AEF77A66CEF77<BR>10036030FCC6EF77D55FEF77105EEF77829AEF77<BR>10036040C06DEF770B5DEF77F15FEF77A75BEF77<BR>1003605021A8EF770CD1EF77A059EF7700000000<BR>10036060D7EF807C0E18807C779B807CC7A0807C<BR>100360707AA1877C8F0C817CAC92807C3797807C<BR>1003608057B3807CA197837C625F827CAD9C807C<BR>100360904B6F827C28AC807C5128817C3103937C<BR>100360A066AA807C3025807CCBCA817C5935817C<BR>100360B0241A807C1990837C299F807C2516807C<BR>100360C04224807C6E9C807CA926827C7217817C<BR>100360D050F8817CCBD8817C57BB807C80A4807C<BR>100360E0B98C837CC09F807CED70837C7ED4807C<BR>100360F0E312817C53C1817C819A807C149B807C<BR>100361002929817C1011817C6A48817C782C817C<BR>1003611023CC817C5F48817C3FDC817CEE1E807C<BR>100361206910817CA92C817CCFC6807C8A2B867C<BR>100361308603817C58CD807CA60D817C9F0F817C<BR>100361402AE8817C4399807C5097807C4003937C<BR>100361505334817C0F2B817CED09937CB39E807C<BR>10036160C42F887C29B5807C1103817CE0C6807C<BR>100361704E99807C4C17817C542A827CED10927C<BR>100361800510927CA19F807C8A18937C8DB7807C<BR>100361906C94807CFEB9807CFCB7807C2F08817C<BR>100361A03FEB807CBDE4817C289C807C7C2F817C<BR>100361B01BEC807CA724807C0DE0807C8D2C817C<BR>100361C0AB14817CAD97807C9497807C7B97807C<BR>100361D0407A957CE1EA817CF59B807CA9CC807C<BR>100361E0AE94837C6B17807CC1C9807C2B2E837C<BR>100361F03D04937CD405937CFD79937CA2CA817C<BR>100362004EA3807CC4CE807CE62B817C93D2807C<BR>10036210161E807C0000000062DBD177AEE2D177<BR>100362206D86D177C5D3D17756B5D1779786D177<BR>10036230DED4D1775ADCD177E188D277A867D277<BR>10036240C96CD277508ED1777C94D177C5B4D177<BR>10036250EF01D377B1B4D177A452D277AE21D277<BR>100362608EC7D177D3DED177758FD1777CB5D177<BR>100362701A8CD177BBD7D17798ECD377B8E7D177<BR>100362803CFCD1772EF8D3779DB4D177FAE8D177<BR>10036290A8C6D177DCE5D1772F3AD277A9F8D377<BR>100362A02C90D17764C0D1774BE3D1772F15D377<BR>100362B032E0D177D4C4D177068CD177DEA2D177<BR>100362C0BCC6D1770B05D5770000000000000000<BR><BR>OEPRVA=00026FC4IATRVA=00036000IATSize=2C8<BR>用LordPE把AdobeLM.dll抓取出来,修复输入表得到dump_.dll<BR><BR>————————————————————————<BR>SafeDiscV2.43.000.osc辅助脚本如下<BR><BR></FONT><FONT face=宋体><FONT color=blue><BR>//////////////////////////////////////////////////<BR>//FileName:SafeDiscV2.43.000.osc<BR>//Comment:SafeDiscV2.43.000FixedImportingFunction<BR>//Environment:WinXPSP2,OllyDbgV1.10,OllyScriptV0.92<BR>//Author:fly<BR>//WebSite:[url]http://www.unpack.cn[/url]<BR>//Date:2005-11-2322:00<BR>//////////////////////////////////////////////////<BR>#log<BR>dbh<BR><BR><BR>varEP<BR>varTemp<BR>varIsDebuggerPresent<BR>varGetCurrentProcess<BR>varZwQueryInformationProcess<BR>varCreateEventA<BR>varMagicJmp<BR>varFixedOver<BR><BR><BR>//IsDebuggerPresent————————————————<BR><BR>movEP,eip<BR>logEP<BR><BR>gpa"IsDebuggerPresent","KERNEL32.dll"<BR>movIsDebuggerPresent,$RESULT<BR>eobIsDebuggerPresent<BR>bpIsDebuggerPresent<BR><BR>esto<BR>GoOn0:<BR>esto<BR><BR>IsDebuggerPresent:<BR>logeip<BR>cmpeip,IsDebuggerPresent<BR>jneGoOn0<BR>bcIsDebuggerPresent<BR><BR><BR>//ZwQueryInformationProcess————————————<BR><BR>/*<BR>00879889FF15B4208C00calldwordptrds:[8C20B4];kernel32.GetCurrentProcess<BR>0087988F50pusheax<BR>00879890FFD7calledi;ntdll.ZwQueryInformationProcess<BR>008798928B44240Cmoveax,dwordptrss:[esp+C]<BR>0087989685C0testeax,eax<BR>008798987502jnzshort0087989C<BR>*/<BR><BR>gpa"GetCurrentProcess","KERNEL32.dll"<BR>movGetCurrentProcess,$RESULT<BR>eobGetCurrentProcess<BR>bpGetCurrentProcess<BR><BR>esto<BR>GoOn1:<BR>esto<BR><BR>GetCurrentProcess:<BR>cmpeip,GetCurrentProcess<BR>jneGoOn1<BR>bcGetCurrentProcess<BR>rtu<BR><BR>findeip,#8B44240C85C0#<BR>cmp$RESULT,0<BR>jeNoFind<BR><BR>movZwQueryInformationProcess,$RESULT<BR>logZwQueryInformationProcess<BR>eobZwQueryInformationProcess<BR>bpZwQueryInformationProcess<BR>esto<BR><BR>ZwQueryInformationProcess:<BR>bcZwQueryInformationProcess<BR>movTemp,esp<BR>addTemp,0C<BR>mov[Temp],0000<BR><BR><BR>//CreateEventA——————————————————<BR><BR>gpa"CreateEventA","KERNEL32.dll"<BR>movCreateEventA,$RESULT<BR>eobCreateEventA<BR>bphwsCreateEventA,"x"<BR><BR>esto<BR>GoOn2:<BR>esto<BR><BR>CreateEventA:<BR>logeip<BR>cmpeip,CreateEventA<BR>jneGoOn2<BR>bphwcCreateEventA<BR>rtu<BR><BR><BR>//EP———————————————————————<BR><BR>addEP,1<BR>movTemp,[EP]<BR>addTemp,4<BR>addEP,Temp<BR>addEP,6<BR>logEP<BR>movTemp,[EP]<BR>andTemp,0FF<BR>logTemp<BR>addEP,1<BR>addEP,Temp<BR>logEP<BR><BR><BR>//jmpSecond<BR><BR>//FixedImportingFunction—————————————<BR><BR>/*<BR>008BF0888B45F4moveax,dwordptrss:[ebp-C]<BR>008BF08B40inceax<BR>008BF08C8945F4movdwordptrss:[ebp-C],eax<BR>008BF08F8B45F4moveax,dwordptrss:[ebp-C]<BR>008BF0923B4514cmpeax,dwordptrss:[ebp+14]<BR>008BF0957355jnbshort008BF0EC<BR>008BF0978B45F4moveax,dwordptrss:[ebp-C]<BR>008BF09AC1E803shreax,3<BR>008BF09D8B4DF8movecx,dwordptrss:[ebp-8]<BR>008BF0A08B15DCEC8D00movedx,dwordptrds:[8DECDC]<BR>008BF0A68B0C8Amovecx,dwordptrds:[edx+ecx*4]<BR>008BF0A90FB60401movzxeax,byteptrds:[ecx+eax]<BR>008BF0AD8B4DF4movecx,dwordptrss:[ebp-C]<BR>008BF0B083E107andecx,7<BR>008BF0B36A01push1<BR>008BF0B55Apopedx<BR>008BF0B6D3E2shledx,cl<BR>008BF0B823C2andeax,edx<BR>008BF0BA85C0testeax,eax<BR>008BF0BC752Cjnzshort008BF0EA<BR>008BF0BE8B45F8moveax,dwordptrss:[ebp-8]<BR>008BF0C169C08D000000imuleax,eax,8D<BR>008BF0C78B0DE0EC8D00movecx,dwordptrds:[8DECE0]<BR>008BF0CD8B44014Cmoveax,dwordptrds:[ecx+eax+4C]<BR>008BF0D18B4DF4movecx,dwordptrss:[ebp-C]<BR>008BF0D4FF3488pushdwordptrds:[eax+ecx*4]<BR>008BF0D7FF75F8pushdwordptrss:[ebp-8]<BR>008BF0DAE8DB000000call008BF1BA<BR>008BF0DF59popecx<BR>008BF0E059popecx<BR>008BF0E18B4DF4movecx,dwordptrss:[ebp-C]<BR>008BF0E48B5518movedx,dwordptrss:[ebp+18]<BR>008BF0E789048Amovdwordptrds:[edx+ecx*4],eax<BR>008BF0EAEB9Cjmpshort008BF088<BR>008BF0ECEB07jmpshort008BF0F5<BR>*/<BR><BR>eobFixedImportingFunction<BR>findeip,#D3E223C285C0752C8B45F8#<BR>cmp$RESULT,0<BR>jeNoFind<BR>add$RESULT,4<BR>movMagicJmp,$RESULT<BR>bphwsMagicJmp,"x"<BR><BR>findMagicJmp,#EB9CEB07#<BR>cmp$RESULT,0<BR>jeNoFind<BR>add$RESULT,2<BR>movFixedOver,$RESULT<BR>bphwsFixedOver,"x"<BR><BR>bphwsEP,"x"<BR><BR>esto<BR>GoOn3:<BR>esto<BR><BR>FixedImportingFunction:<BR>cmpeip,MagicJmp<BR>jeMagicJmp<BR>cmpeip,FixedOver<BR>jeMagicJmp<BR>cmpeip,EP<BR>jeEP<BR><BR>MagicJmp:<BR>bphwcMagicJmp<BR>asmMagicJmp,"xoreax,eax"<BR><BR>esto<BR><BR>FixedOver:<BR>asmMagicJmp,"testeax,eax"<BR>bphwsMagicJmp,"x"<BR>jmpGoOn3<BR><BR>Second:<BR>bphwsEP,"x"<BR>eobEP<BR>esto<BR><BR>EP:<BR>logEP<BR>bphwcMagicJmp<BR>bphwcFixedOver<BR>bphwcEP<BR>sti<BR><BR><BR>//GameOver————————————————————<BR><BR>logeip<BR>cmteip,"ThisistheOEP!FoundBy:fly"<BR>MSG"Just:OEP!DumpandFixIAT/Reloction.GoodLuck"<BR>ret<BR><BR>NoFind:<BR>MSG"Error!MaybeIt'snotSafeDiscV2.43.000!"<BR>ret<BR></FONT><BR><BR><BR>—————————————————————————————————<BR>四、修复函数调用地址<BR><BR><BR>虽然已经获得了正确的函数系统地址,但是SafeDisc的输入表呼叫地址乱处理了,麻烦就在这里了。<BR>把SafeDiscV2.43.000.osc中“//jmpSecond”的“//”去掉,新开个OllyDBG,重新加载AdobeLM.dll,运行脚本。现在脚本没有处理输入表函数,直接停在OEP处。<BR>把我们第三步获取的10036000-100362C8函数地址复制到10046000处,以备下面比较、修复。<BR><BR>Alt+M察看AdobeLM.dll内存<BR>1000000000001000(4096.)AdobeLM10000000PEheader<BR>1000100000035000(217088.)AdobeLM10000000.textcode<BR>1003600000008000(32768.)AdobeLM10000000.rdata<BR>1003E0000000F000(61440.)AdobeLM10000000.data<BR>1004D00000005000(20480.)AdobeLM10000000.rsrc<BR>1005200000005000(20480.)AdobeLM10000000.reloc<BR>1005700000003000(12288.)AdobeLM10000000stxt774<BR>1005A00000004000(16384.)AdobeLM10000000stxt371SFX,imports<BR><BR>我们把修复代码放在第3个区段吧,设置这几个区段为完整权限。<BR>Ctrl+G:1003E000,在1003E000处Ctrl+*新建EIP,写入Patch代码:<BR><BR>1003E00060pushad<BR>1003E001BE00100010movesi,10001000<BR>//代码段开始地址<BR>1003E006BF005F0310movedi,10035F00<BR>//代码段结束地址<BR>1003E00B3BF7cmpesi,edi<BR>1003E00D7C05jlshort1003E014<BR>1003E00FE991000000jmp1003E0A5<BR>//修复结束跳转<BR>1003E0148B06moveax,dwordptrds:[esi]<BR>1003E0163D00600310cmpeax,10036000<BR>//输入表开始地址<BR>1003E01B7D03jgeshort1003E020<BR>1003E01D46incesi<BR>1003E01EEBEBjmpshort1003E00B<BR>1003E0203DC8620310cmpeax,100362C8<BR>//输入表结束地址<BR>1003E0257FF6jgshort1003E01D<BR>1003E0278B18movebx,dwordptrds:[eax]<BR>1003E02985DBtestebx,ebx<BR>1003E02B74F0jeshort1003E01D<BR>1003E02D81FB00000010cmpebx,10000000<BR>//判断是否是壳不加密的API<BR>1003E0337FE8jgshort1003E01D<BR>1003E0358D4EFEleaecx,dwordptrds:[esi-2]<BR>//取函数调用的地址<BR>1003E03866:8B19movbx,wordptrds:[ecx]<BR>1003E03B66:81FBFF15cmpbx,15FF<BR>//比较是否是call<BR>1003E04075DBjnzshort1003E01D<BR>//循环扫描符合calldwordptrds:[10036XXX]条件的<BR>1003E0428B1DF0E00310movebx,dwordptrds:[1003E0F0]<BR>//[1003E0F0]处预先写入1003E100★<BR>1003E0488933movdwordptrds:[ebx],esi<BR>//保存搜索进度<BR>1003E04A83C304addebx,4<BR>1003E04D891DF0E00310movdwordptrds:[1003E0F0],ebx<BR>//保存<BR>1003E0538935F4E00310movdwordptrds:[1003E0F4],esi<BR>1003E059FFE1jmpecx<BR>//跳到函数调用的地址处执行<BR>1003E05A90nop<BR>1003E05B90nop<BR>1003E05C90nop<BR>1003E05D90nop<BR>1003E05E90nop<BR>1003E05F90nop<BR>1003E06090nop<BR>1003E06190nop<BR>1003E06290nop<BR>1003E06390nop<BR>1003E0648B1DF0E00310movebx,dwordptrds:[1003E0F0]<BR>//SafeDisc解密后强制跳到这里<BR>1003E06A8B0424moveax,dwordptrss:[esp]<BR>//[ESP]是解密后的函数系统地址<BR>1003E06D8903movdwordptrds:[ebx],eax<BR>//保存函数系统地址<BR>1003E06FB9C8020000movecx,2C8<BR>1003E074BF00600410movedi,10046000<BR>//把我们第三步获取的10036000-100362C8函数地址复制到10046000处★<BR>1003E079F2:AFrepnescasdwordptres:[edi]<BR>//搜寻相同的函数地址<BR>1003E07B7528jnzshort1003E0A5<BR>//没找到?哦,应该都可以找到的<BR>1003E07D90nop<BR>1003E07E90nop<BR>1003E07F90nop<BR>1003E08090nop<BR>1003E08181EF04000100subedi,10004<BR>//10046000-10036000=100000再减4就是找到的存放函数地址的地址了★<BR>1003E0878B35F4E00310movesi,dwordptrds:[1003E0F4]<BR>//函数调用地址<BR>1003E08D893Emovdwordptrds:[esi],edi<BR>//修复吧<BR>1003E08F83C604addesi,4<BR>1003E092E96FFFFFFFjmp1003E006<BR>//继续循环<BR>1003E0978B35F4E00310movesi,dwordptrds:[1003E0F4]<BR>1003E09D83C604addesi,4<BR>1003E0A0E961FFFFFFjmp1003E006<BR>//继续循环<BR>1003E0A561popad<BR>//GameOver修复完毕<BR>1003E0A6EBFEjmpshort1003E0A6<BR><BR>二进制代码复制如下:<BR>60BE00100010BF005F03103BF77C05E9910000008B063D006003107D0346EBEB<BR>3DC86203107FF68B1885DB74F081FB000000107FE88D4EFE668B196681FBFF15<BR>75DB8B1DF0E00310893383C304891DF0E003108935F4E00310FFE19090909090<BR>909090908B1DF0E003108B04248903B9C8020000BF00600410F2AF7528909090<BR>9081EF040001008B35F4E00310893E83C604E96FFFFFFF8B35F4E0031083C604<BR>E961FFFFFF61EBFE<BR><BR>————————————————————————<BR>SafeDisc解密CALL里面的修改<BR><BR>10001403FF15C4620310calldwordptrds:[100362C4]<BR><BR>00AED180681713EABFpushBFEA1317<BR>00AED1859Cpushfd<BR>00AED18660pushad<BR>00AED18754pushesp<BR>00AED18868C0D1AE00push0AED1C0<BR>00AED18DE80322DDFFcall008BF395<BR><BR>008BF39555pushebp<BR>008BF3968BECmovebp,esp<BR>008BF39883EC40subesp,40<BR>008BF39B53pushebx<BR>008BF39C56pushesi<BR>008BF39D57pushedi<BR>008BF39EF0:FF05742F8D00lockincdwordptrds:[8D2F74]<BR>008BF3A5740Ejeshort008BF3B5<BR>008BF3A76AFFpush-1<BR>008BF3A9FF3548ED8D00pushdwordptrds:[8DED48]<BR>008BF3AFFF1584208C00calldwordptrds:[8C2084]<BR>008BF3B5EB0Ajmpshort008BF3C1<BR>008BF3D58B4508moveax,dwordptrss:[ebp+8]<BR>008BF3D88B00moveax,dwordptrds:[eax]<BR>008BF3DA8945E0movdwordptrss:[ebp-20],eax<BR>008BF3DD8B4508moveax,dwordptrss:[ebp+8]<BR>008BF3E08B4004moveax,dwordptrds:[eax+4]<BR>008BF3E38945E4movdwordptrss:[ebp-1C],eax<BR>008BF3E6837DE0FFcmpdwordptrss:[ebp-20],-1<BR>008BF3EA0F85A5000000jnz008BF495<BR>008BF3F08365E000anddwordptrss:[ebp-20],0<BR>008BF3F4EB07jmpshort008BF3FD<BR>008BF3F68B45E0moveax,dwordptrss:[ebp-20]<BR>008BF3F940inceax<BR>008BF3FA8945E0movdwordptrss:[ebp-20],eax<BR>008BF3FDA1E0EC8D00moveax,dwordptrds:[8DECE0]<BR>008BF4028B4DE0movecx,dwordptrss:[ebp-20]<BR>008BF4053B480Fcmpecx,dwordptrds:[eax+F]<BR>008BF4080F8387000000jnb008BF495<BR>008BF40EFF75E0pushdwordptrss:[ebp-20]<BR>008BF411E8F7040000call008BF90D<BR>008BF41659popecx<BR>008BF4170FB7C0movzxeax,ax<BR>008BF41A85C0testeax,eax<BR>008BF41C7472jeshort008BF490<BR>008BF41E8365E400anddwordptrss:[ebp-1C],0<BR>008BF422EB07jmpshort008BF42B<BR>008BF4248B45E4moveax,dwordptrss:[ebp-1C]<BR>008BF42740inceax<BR>008BF4288945E4movdwordptrss:[ebp-1C],eax<BR>008BF42B8B45E0moveax,dwordptrss:[ebp-20]<BR>008BF42E69C08D000000imuleax,eax,8D<BR>008BF4348B0DE0EC8D00movecx,dwordptrds:[8DECE0]<BR>008BF43A8B55E4movedx,dwordptrss:[ebp-1C]<BR>008BF43D3B540158cmpedx,dwordptrds:[ecx+eax+58]<BR>008BF4417343jnbshort008BF486<BR>008BF4438B45E0moveax,dwordptrss:[ebp-20]<BR>008BF44669C08D000000imuleax,eax,8D<BR>008BF44C8B4DE4movecx,dwordptrss:[ebp-1C]<BR>008BF44F69C9C3040000imulecx,ecx,4C3<BR>008BF4558B15E0EC8D00movedx,dwordptrds:[8DECE0]<BR>008BF45B8B8402C3000000moveax,dwordptrds:[edx+eax+C3]<BR>008BF4628B5508movedx,dwordptrss:[ebp+8]<BR>008BF4658B5208movedx,dwordptrds:[edx+8]<BR>008BF4683B9408AA040000cmpedx,dwordptrds:[eax+ecx+4AA]<BR>008BF46F7513jnzshort008BF484<BR>008BF4718B4508moveax,dwordptrss:[ebp+8]<BR>008BF4748B4DE4movecx,dwordptrss:[ebp-1C]<BR>008BF477894804movdwordptrds:[eax+4],ecx<BR>008BF47A8B4508moveax,dwordptrss:[ebp+8]<BR>008BF47D8B4DE0movecx,dwordptrss:[ebp-20]<BR>008BF4808908movdwordptrds:[eax],ecx<BR>008BF482EB02jmpshort008BF486<BR>008BF484EB9Ejmpshort008BF424<BR>008BF4868B4508moveax,dwordptrss:[ebp+8]<BR>008BF4898338FFcmpdwordptrds:[eax],-1<BR>008BF48C7402jeshort008BF490<BR>008BF48EEB05jmpshort008BF495<BR>008BF490E961FFFFFFjmp008BF3F6<BR>008BF4958B45E0moveax,dwordptrss:[ebp-20]<BR>008BF49869C08D000000imuleax,eax,8D<BR>008BF49E8B0DE0EC8D00movecx,dwordptrds:[8DECE0]<BR>008BF4A48B8401C3000000moveax,dwordptrds:[ecx+eax+C3]<BR>008BF4AB8945DCmovdwordptrss:[ebp-24],eax<BR>008BF4AE8B45C8moveax,dwordptrss:[ebp-38]<BR>008BF4B18945FCmovdwordptrss:[ebp-4],eax<BR>008BF4B4FF75C8pushdwordptrss:[ebp-38]<BR>008BF4B7FF75E4pushdwordptrss:[ebp-1C]<BR>008BF4BAFF75DCpushdwordptrss:[ebp-24]<BR>008BF4BDE8E1F1FFFFcall008BE6A3<BR>008BF4C283C40Caddesp,0C<BR>008BF4C58945F4movdwordptrss:[ebp-C],eax<BR>008BF4C8837DF400cmpdwordptrss:[ebp-C],0<BR>008BF4CC7439jeshort008BF507<BR>//Patch①、jmp008BF507★强制每次都解密<BR><BR>008BF5078B45E4moveax,dwordptrss:[ebp-1C]<BR>008BF50A8945D8movdwordptrss:[ebp-28],eax<BR>008BF50D8D45CCleaeax,dwordptrss:[ebp-34]<BR>008BF51050pusheax<BR>008BF5118D45D0leaeax,dwordptrss:[ebp-30]<BR>008BF51450pusheax<BR>008BF5158D45F8leaeax,dwordptrss:[ebp-8]<BR>008BF51850pusheax<BR>008BF519FF75C8pushdwordptrss:[ebp-38]<BR>008BF51CE84F040000call008BF970<BR>008BF52183C410addesp,10<BR>008BF5240FB7C0movzxeax,ax<BR>008BF52783F801cmpeax,1<BR>008BF52A0F8575010000jnz008BF6A5<BR>008BF5308B45C8moveax,dwordptrss:[ebp-38]<BR>008BF5332B45CCsubeax,dwordptrss:[ebp-34]<BR>008BF53650pusheax<BR>008BF537E87C0EFCFFcall008803B8<BR>008BF53C50pusheax<BR>008BF53DE87B0EFCFFcall008803BD<BR>008BF54259popecx<BR>008BF54359popecx<BR>008BF5440FB7C0movzxeax,ax<BR>008BF54785C0testeax,eax<BR>008BF5490F84A5000000je008BF5F4<BR>008BF54F8B45C8moveax,dwordptrss:[ebp-38]<BR>//这里是SafeDisc的暗桩,某些符合上面扫描条件的地址含有SafeDisc暗桩<BR>//Patch②代码:★<BR>008BF54FF0:FF0D742F8D00lockdecdwordptrds:[8D2F74]<BR>008BF556780Cjsshort008BF564<BR>008BF558FF3548ED8D00pushdwordptrds:[8DED48]<BR>008BF55EFF154C208C00calldwordptrds:[8C204C]<BR>008BF5648B650Cmovesp,dwordptrss:[ebp+C]<BR>008BF56761popad<BR>008BF5689Dpopfd<BR>008BF56958popeax<BR>008BF56A83C404addesp,4<BR>008BF56DE925EB770Fjmp1003E097<BR>//平衡堆栈后跳回去继续循环<BR><BR>OllyDBG中二进制代码复制如下:<BR>F0FF0D742F8D00780CFF3548ED8D00FF154C208C008B650C619D5883C404E925<BR>EB770F<BR><BR>008BF5F48B45F8moveax,dwordptrss:[ebp-8]<BR>008BF5F70345CCaddeax,dwordptrss:[ebp-34]<BR>008BF5FA8B4DC8movecx,dwordptrss:[ebp-38]<BR>008BF5FD2BC8subecx,eax<BR>008BF5FF894DF0movdwordptrss:[ebp-10],ecx<BR>008BF602FF75F0pushdwordptrss:[ebp-10]<BR>008BF605E814070000call008BFD1E<BR>008BF60A59popecx<BR>008BF60B0FB7C0movzxeax,ax<BR>008BF60E83F801cmpeax,1<BR>008BF6110F858E000000jnz008BF6A5<BR>008BF6178B45E4moveax,dwordptrss:[ebp-1C]<BR>008BF61A69C0C3040000imuleax,eax,4C3<BR>008BF6208B4DFCmovecx,dwordptrss:[ebp-4]<BR>008BF6238B55DCmovedx,dwordptrss:[ebp-24]<BR>008BF6268B4902movecx,dwordptrds:[ecx+2]<BR>008BF6293B8C02AA040000cmpecx,dwordptrds:[edx+eax+4AA]<BR>008BF6307573jnzshort008BF6A5<BR>008BF6328B45FCmoveax,dwordptrss:[ebp-4]<BR>008BF6350FB600movzxeax,byteptrds:[eax]<BR>008BF6383DFF000000cmpeax,0FF<BR>008BF63D7566jnzshort008BF6A5<BR>008BF63F8B45FCmoveax,dwordptrss:[ebp-4]<BR>008BF6420FB64001movzxeax,byteptrds:[eax+1]<BR>008BF64683F815cmpeax,15<BR>008BF649755Ajnzshort008BF6A5<BR>008BF64B8B45E4moveax,dwordptrss:[ebp-1C]<BR>008BF64E8945D8movdwordptrss:[ebp-28],eax<BR>008BF651A1E0EC8D00moveax,dwordptrds:[8DECE0]<BR>008BF6568B4026moveax,dwordptrds:[eax+26]<BR>008BF6590345F0addeax,dwordptrss:[ebp-10]<BR>008BF65C50pusheax<BR>008BF65DFF75D8pushdwordptrss:[ebp-28]<BR>008BF6608B45E0moveax,dwordptrss:[ebp-20]<BR>008BF66369C08D000000imuleax,eax,8D<BR>008BF6698B0DE0EC8D00movecx,dwordptrds:[8DECE0]<BR>008BF66FFF740158pushdwordptrds:[ecx+eax+58]<BR>008BF673E8AA020000call008BF922<BR>008BF67883C40Caddesp,0C<BR>008BF67B8945D8movdwordptrss:[ebp-28],eax<BR>008BF67E8B45D8moveax,dwordptrss:[ebp-28]<BR>008BF681C1E803shreax,3<BR>008BF6848B4DE0movecx,dwordptrss:[ebp-20]<BR>008BF6878B15DCEC8D00movedx,dwordptrds:[8DECDC]<BR>008BF68D8B0C8Amovecx,dwordptrds:[edx+ecx*4]<BR>008BF6900FB60401movzxeax,byteptrds:[ecx+eax]<BR>008BF6948B4DD8movecx,dwordptrss:[ebp-28]<BR>008BF69783E107andecx,7<BR>008BF69A6A01push1<BR>008BF69C5Apopedx<BR>008BF69DD3E2shledx,cl<BR>008BF69F23C2andeax,edx<BR>008BF6A185C0testeax,eax<BR>008BF6A374ACjeshort008BF651<BR>008BF6A58B45E0moveax,dwordptrss:[ebp-20]<BR>008BF6A869C08D000000imuleax,eax,8D<BR>008BF6AE8B0DE0EC8D00movecx,dwordptrds:[8DECE0]<BR>008BF6B48B44014Cmoveax,dwordptrds:[ecx+eax+4C]<BR>008BF6B88B4DD8movecx,dwordptrss:[ebp-28]<BR>008BF6BB8B0488moveax,dwordptrds:[eax+ecx*4]<BR>008BF6BE8945D8movdwordptrss:[ebp-28],eax<BR>008BF6C18B45D8moveax,dwordptrss:[ebp-28]<BR>008BF6C469C0C3040000imuleax,eax,4C3<BR>008BF6CA8B4DDCmovecx,dwordptrss:[ebp-24]<BR>008BF6CD8B840172040000moveax,dwordptrds:[ecx+eax+472]<BR>008BF6D48945F4movdwordptrss:[ebp-C],eax<BR>008BF6D7837DF400cmpdwordptrss:[ebp-C],0<BR>008BF6DB7526jnzshort008BF703<BR>008BF6DDFF75D8pushdwordptrss:[ebp-28]<BR>008BF6E0FF75E0pushdwordptrss:[ebp-20]<BR>008BF6E3E8D2FAFFFFcall008BF1BA<BR>008BF6E859popecx<BR>008BF6E959popecx<BR>008BF6EA8945F4movdwordptrss:[ebp-C],eax<BR>008BF6ED8B45D8moveax,dwordptrss:[ebp-28]<BR>008BF6F069C0C3040000imuleax,eax,4C3<BR>008BF6F68B4DDCmovecx,dwordptrss:[ebp-24]<BR>008BF6F98B55F4movedx,dwordptrss:[ebp-C]<BR>008BF6FC89940172040000movdwordptrds:[ecx+eax+472],edx<BR>008BF703FF75F4pushdwordptrss:[ebp-C]<BR>008BF706FF75C8pushdwordptrss:[ebp-38]<BR>008BF709FF75E4pushdwordptrss:[ebp-1C]<BR>008BF70CFF75DCpushdwordptrss:[ebp-24]<BR>008BF70FE8F0EFFFFFcall008BE704<BR>008BF71483C410addesp,10<BR>008BF7178B450Cmoveax,dwordptrss:[ebp+C]<BR>008BF71A83C024addeax,24<BR>008BF71D8945C0movdwordptrss:[ebp-40],eax<BR>008BF7208B45C0moveax,dwordptrss:[ebp-40]<BR>008BF7238B4DF4movecx,dwordptrss:[ebp-C]<BR>008BF7268908movdwordptrds:[eax],ecx<BR>008BF7288B45C0moveax,dwordptrss:[ebp-40]<BR>008BF72B83C004addeax,4<BR>008BF72E50pusheax<BR>008BF72FE81F61FDFFcall00895853<BR>008BF73459popecx<BR>008BF735F0:FF0D742F8D00lockdecdwordptrds:[8D2F74]<BR>008BF73C780Cjsshort008BF74A<BR>008BF73EFF3548ED8D00pushdwordptrds:[8DED48]<BR>008BF744FF154C208C00calldwordptrds:[8C204C]<BR>008BF74A8B650Cmovesp,dwordptrss:[ebp+C]<BR>008BF74D61popad<BR>008BF74E9Dpopfd<BR>008BF74FC3retn<BR>//Patch③:jmp1003E064解密完毕后跳回去控制处理,[ESP]是解密后的函数系统地址<BR><BR><BR>—————————————————————————————————<BR>五、类SDK输入表函数调用地址<BR><BR><BR>上面修复完毕后不要关闭OllyDBG,还有一些类似SDK的函数调用需要修复<BR>此SDK同样使用上面的解码CALL,但是Patch②不需要修改,Patch①依旧。<BR>修改上面Patch③的008BF74F处为jmp1003E0DD,控制流程。<BR><BR>1002DE3F33C0xoreax,eax<BR>1002DE416A00push0<BR>1002DE4339442408cmpdwordptrss:[esp+8],eax<BR>1002DE476800100000push1000<BR>1002DE4C0F94C0seteal<BR>1002DE4F50pusheax<BR>1002DE50E9D3990200jmpAdobeLM.10057828<BR>//类似SDK的函数调用需要修复<BR>1005782853pushebx<BR>10057829E898FCFFFFcallAdobeLM.100574C6<BR><BR>100574C6870424xchgdwordptrss:[esp],eax<BR>100574C99Cpushfd<BR>100574CA05DF100000addeax,10DF<BR>100574CF8B18movebx,dwordptrds:[eax]<BR>100574D16BDB2Eimulebx,ebx,2E<BR>100574D4035804addebx,dwordptrds:[eax+4]<BR>100574D79Dpopfd<BR>100574D858popeax<BR>100574D9871C24xchgdwordptrss:[esp],ebx<BR>100574DCC3retn<BR>//入壳处理<BR><BR>00AFCBC96856DE0210push1002DE56<BR>00AFCBCE680A13EABFpushBFEA130A<BR>00AFCBD39Cpushfd<BR>00AFCBD460pushad<BR>00AFCBD554pushesp<BR>00AFCBD66809CCAF00push0AFCC09<BR>00AFCBDBE8B527DCFFcall~df394b.008BF395<BR>00AFCBE083C408addesp,8<BR>00AFCBE36A00push0<BR>00AFCBE558popeax<BR>00AFCBE661popad<BR>00AFCBE79Dpopfd<BR>00AFCBE8C3retn<BR><BR>00AE0000区段里面包含了需要处理的函数调用地址,可以依此为突破点<BR>写Patch代码,在1003E0A8处新建EIP<BR><BR>1003E0A860pushad<BR>1003E0A9BE0000AE00movesi,00AE0000<BR>1003E0AEBF00600410movedi,10046000<BR>1003E0B346incesi<BR>1003E0B481FE0050B100cmpesi,00B15000<BR>//00B15000是00AE0000区段的结束地址<BR>1003E0BA7D53jgeshort1003E10F<BR>//扫描完毕后跳转<BR>1003E0BC803E68cmpbyteptrds:[esi],68<BR>1003E0BF75F2jnzshort1003E0B3<BR>1003E0C166:817E041068cmpwordptrds:[esi+4],6810<BR>1003E0C775EAjnzshort1003E0B3<BR>1003E0C9817E0A9C605468cmpdwordptrds:[esi+A],6854609C<BR>1003E0D075E1jnzshort1003E0B3<BR>1003E0D2817E0100000010cmpdwordptrds:[esi+1],10000000<BR>1003E0D97430jeshort1003E10B<BR>//搜索符合条件的地址<BR>1003E0DBFFE6jmpesi<BR>//跳过去执行<BR><BR>1003E0DD3E:8B0424moveax,dwordptrds:[esp]<BR>//SafeDisc解密后强制跳到这里★<BR>//[ESP]是解密后的函数系统地址<BR>1003E0E18B5E01movebx,dwordptrds:[esi+1]<BR>1003E0E466:C743FAFF15movwordptrds:[ebx-6],15FF<BR>1003E0EA33C9xorecx,ecx<BR>1003E0EC3B0439cmpeax,dwordptrds:[ecx+edi]<BR>//自10046000搜寻相同的函数地址<BR>1003E0EF740Fjeshort1003E100<BR>1003E0F183C104addecx,4<BR>1003E0F481F9D0020000cmpecx,2D0<BR>1003E0FA72F0jbshort1003E0EC<BR>1003E0FCEBFEjmpshort1003E0FC<BR>//留一个出错的处理点,不过没用到<BR>1003E0FE90nop<BR>1003E0FF90nop<BR>1003E1008D0C39leaecx,dwordptrds:[ecx+edi]<BR>1003E10381E900000100subecx,10000<BR>//10046000-10036000=100000找到的存放函数地址的地址<BR>1003E109894BFCmovdwordptrds:[ebx-4],ecx<BR>/修复函数调用地址<BR>1003E10CEBA5jmpshort1003E0B3<BR>//循环<BR>1003E10E90nop<BR>1003E10F61popad<BR>//修复完成<BR>1003E110EBFEjmpshort1003E110<BR><BR>二进制代码复制如下:<BR>60BE0000AE00BF006004104681FE0050B1007D53803E6875F266817E04106875<BR>EA817E0A9C60546875E1817E01000000107430FFE63E8B04248B5E0166C743FA<BR>FF1533C93B0439740F83C10481F9D002000072F0EBFE90908D0C3981E9000001<BR>00894BFCEBA59061EBFE<BR><BR>注意:由于目标程序是DLL所以需要考虑重定位表,而这部分地址并没有包含在加壳后DLL的重定位表中,因此可以在上面的修复代码中加点代码保存每次修复时的地址,便于最后修复重定位表。<BR><BR><BR>—————————————————————————————————<BR>六、类CC的SDK<BR><BR><BR>1、DLL虽然无法使用CC,但是却有SDK来控制流程<BR><BR>10002463E8611D0000call100041C9<BR>//有很多call100041C9<BR><BR>100041C951pushecx<BR>100041CA50pusheax<BR>100041CBE813F3FFFFcall100034E3<BR><BR>100034E3B87BEFFFFFmoveax,-1085<BR>100034E859popecx<BR>100034E98D0408leaeax,dwordptrds:[eax+ecx]<BR>100034EC8B00moveax,dwordptrds:[eax]<BR>100034EEFFE0jmpeax;~df394b.0088127D<BR>//进入~df394b.tmp<BR><BR>————————————————————————<BR>2、需要说明的是,文件中有不少假的SDK,SafeDisc真狡猾。<BR><BR>可以手动察看,搜索所有的call100041C9命令,把假的SDK去掉再扫描修复。<BR>如何识别,看你的火眼金睛了,呵呵,举例来说:<BR>1000109BE829310000callAdobeLM.100041C9<BR>滚动一下鼠标,会发现这里有了变化:<BR>1000109A6AE8push-18<BR>1000109C2931subdwordptrds:[ecx],esi<BR>1000109E0000addbyteptrds:[eax],al<BR>100010A08B4C2404movecx,dwordptrss:[esp+4]<BR>100010A485C9testecx,ecx<BR>100010A67406jeshortAdobeLM.100010AE<BR><BR>还有一种有点难判断:<BR>1002AF0AC3retn<BR>1002AF0BE8B992FDFFcallAdobeLM.100041C9<BR>1002AF1055pushebp<BR>1002AF118BECmovebp,esp<BR>看到这个CALL在retn附近,Ctrl+A后没有其他地方调用这里,可以判定是烟雾弹了。<BR><BR>把以下地址暂时修改为call100041CC<BR>1000109Bcall100041C9<BR>10001FABcall100041C9<BR>10002F0Bcall100041C9<BR>1000380Bcall100041C9<BR>10003B8Bcall100041C9<BR>1000476Bcall100041C9<BR>10004FBBcall100041C9<BR>1000572Bcall100041C9<BR>100066ABcall100041C9<BR>1000EB5Bcall100041C9<BR>1000FE3Bcall100041C9<BR>1000FEEBcall100041C9<BR>10011B9Bcall100041C9<BR>10011DDBcall100041C9<BR>1001379Bcall100041C9<BR>10013A5Bcall100041C9<BR>10013BDBcall100041C9<BR>10013C3Bcall100041C9<BR>10013D0Bcall100041C9<BR>1001409Bcall100041C9<BR>1001439Bcall100041C9<BR>1001441Bcall100041C9<BR>1002908Bcall100041C9<BR>1002913Bcall100041C9<BR>1002AF0Bcall100041C9<BR>1002D53Bcall100041C9<BR>等扫描完毕后再全部恢复回来,免得误修复。<BR><BR>————————————————————————<BR>3、写Patch代码,在1003E112处新建EIP<BR><BR>1003E11260pushad<BR>1003E113BE00100010movesi,10001000<BR>1003E11846incesi<BR>1003E11981FE905A0310cmpesi,10035A90<BR>1003E11F7718jashort1003E139<BR>//扫描完毕后跳转<BR>1003E121803EE8cmpbyteptrds:[esi],0E8<BR>1003E12475F2jnzshort1003E118<BR>1003E1268B4601moveax,dwordptrds:[esi+1]<BR>1003E12903C6addeax,esi<BR>1003E12B83C005addeax,5<BR>1003E12E3DC9410010cmpeax,100041C9<BR>1003E13375E3jnzshort1003E118<BR>//循环扫描所有call100041C9的地方<BR>1003E135FFD6callesi<BR>//调用<BR>1003E137EBDFjmpshort1003E118<BR>//循环<BR>1003E13961popad<BR>//解码完毕后中断在这里<BR>1003E13AEBFEjmpshort1003E13A<BR><BR>二进制代码复制如下:<BR>60BE001000104681FE905A03107718803EE875F28B460103C683C0053DC94100<BR>1075E3FFD6EBDF61EBFE<BR><BR>————————————————————————<BR>4、SafeDisc解密CALL里面的修改,和上面的解码地方不同了<BR><BR>0088127D58popeax<BR>0088127E59popecx<BR>0088127F6800004000push400000<BR>008812849Cpushfd<BR>0088128560pushad<BR>0088128654pushesp<BR>00881287E8D2FFFFFFcall0088125E<BR>0088128C5Cpopesp<BR>0088128D61popad<BR>0088128E9Dpopfd<BR>0088128FC3retn<BR>//Patch④修改为:<BR>0088128FBCC0E10600movesp,6E1C0<BR>//控制流程,返回Patch代码的地方<BR>00881294C3retn<BR>注意,这里的movesp,XXXXXXXX具体是何要看此时的堆栈。<BR>如这次中断在0088128F处堆栈为:<BR>0006E1BC1000F0FEAdobeLM.1000F0FE<BR>0006E1C01003E137返回到AdobeLM.1003E137<BR><BR>0088119255pushebp<BR>008811938BECmovebp,esp<BR>0088119581ECD0020000subesp,2D0<BR>0088119B53pushebx<BR>0088119C8BD9movebx,ecx<BR>0088119E56pushesi<BR>0088119F57pushedi<BR>008811A08D4320leaeax,dwordptrds:[ebx+20]<BR>008811A350pusheax<BR>008811A48945FCmovdwordptrss:[ebp-4],eax<BR>008811A7FF1570208C00calldwordptrds:[8C2070]<BR>008811AD8D8530FDFFFFleaeax,dwordptrss:[ebp-2D0]<BR>008811B38BCBmovecx,ebx<BR>008811B550pusheax<BR>008811B6FF7508pushdwordptrss:[ebp+8]<BR>008811B9E8E5FEFFFFcall008810A3<BR>008811BE8B85E8FDFFFFmoveax,dwordptrss:[ebp-218]<BR>008811C4B960ED8D00movecx,8DED60<BR>008811C98BF8movedi,eax<BR>008811CB2B4304subeax,dwordptrds:[ebx+4]<BR>008811CE50pusheax<BR>008811CFE8E6FE0300call008C10BA<BR>008811D450pusheax<BR>008811D5E8F1010000call008813CB<BR>008811DA8BC8movecx,eax<BR>008811DCE8FC010000call008813DD<BR>//判断是否是SDK<BR>008811E18BF0movesi,eax<BR>008811E385F6testesi,esi<BR>008811E5743Fjeshort00881226<BR>008811E766:837B0801cmpwordptrds:[ebx+8],1<BR>008811EC753Djnzshort0088122B<BR>008811EE8D8530FDFFFFleaeax,dwordptrss:[ebp-2D0]<BR>008811F48BCEmovecx,esi<BR>008811F650pusheax<BR>008811F7E8E7550100call008967E3<BR>008811FC8BCBmovecx,ebx<BR>008811FEE88AFEFFFFcall0088108D<BR>0088120383F804cmpeax,4<BR>//记数<BR>008812067214jbshort0088121C<BR>//Patch⑤:NOP强制解码<BR>008812088BCEmovecx,esi<BR>0088120AE8BA540100call008966C9<BR>0088120F83F804cmpeax,4<BR>//Patch⑥:cmpeax,6解码字节数<BR>008812127208jbshort0088121C<BR>//Patch⑦:jashort0088121C超过6位则不解码<BR>0088121457pushedi<BR>008812158BCEmovecx,esi<BR>00881217E8FE540100call0089671A<BR>//解码<BR>0088121C56pushesi<BR>0088121D8BCBmovecx,ebx<BR>0088121FE833FEFFFFcall00881057<BR>00881224EB05jmpshort0088122B<BR><BR>0088140E39442414cmpdwordptrss:[esp+14],eax<BR>00881412740Bjeshort0088141F<BR>0088141445incebp<BR>0088141581FD80000000cmpebp,80<BR>0088141B72CFjbshort008813EC<BR>0088141DEB0Cjmpshort0088142B<BR>0088141F8D1C76leaebx,dwordptrds:[esi+esi*2]<BR>00881422C1E304shlebx,4<BR>0088142581C3E0EE8D00addebx,8DEEE0<BR>0088142B5Fpopedi<BR>0088142C5Epopesi<BR>0088142D8BC3moveax,ebx<BR>0088142F5Dpopebp<BR>008814305Bpopebx<BR>00881431C20400retn4<BR>00881434A1DCED8D00moveax,dwordptrds:[8DEDDC]<BR>00881439C3retn<BR>//Patch⑧修改为:<BR>0088141DEB15jmpshort00881434<BR>0088141F8D1C76leaebx,dwordptrds:[esi+esi*2]<BR>00881422C1E304shlebx,4<BR>0088142581C3E0EE8D00addebx,8DEEE0<BR>0088142B5Fpopedi<BR>0088142C5Epopesi<BR>0088142D8BC3moveax,ebx<BR>0088142F5Dpopebp<BR>008814305Bpopebx<BR>00881431C20400retn4<BR>0088143433DBxorebx,ebx<BR>//若不是SDK,则ebx清0使其跳转<BR>00881436EBF3jmpshort0088142B<BR><BR>————————————————————————<BR><BR>好了,当我们中断在1003E139处时所有SDK都修复完毕了。<BR>现在把代码段10001000-10036000数据复制下来,用WinHex复制数据写入到dump_.dll相应处<BR><BR><BR>—————————————————————————————————<BR>七、PE优化+修复重定位表<BR><BR><BR>把dump_.dll复制一份,另存为UnPacKed.dll<BR>用LordPE把UnPacKed.dll后面2个壳区段删除,用WinHex删除0X00057000至末尾的数据<BR>可以用ImportREC把输入表放在RVA=0003D380处,当然,也可以放在其他可用的空白处<BR>修正各区段的RSize和VSize为实际值<BR><BR>由于删除了壳区段,重定位表部分需要调整<BR>把下面壳区段的重定位表数据清0<BR>000560A000A00500<BR>000560B02000000063306B30743081309530C930<BR>000560C0E130E630F33000310E31000000C00500<BR>000560D0100000008A339233733F000000000000<BR>000560E000000000603B683B703B783B803B883B<BR>000560F0903B983BA03BA83BB03BB83BC03BC83B<BR>00056100D03B6C3C703C00000000000000000000<BR><BR>最重要的一点是,第五步的“类SDK输入表函数调用地址”要加到重定位表里面,如:<BR>1002DE50FF1500610310calldwordptrds:[10036100];kernel32.HeapCreate<BR>这部分操作比较麻烦,可以手动添加后修正相应Size。<BR>也可以在完成上面六步修复后复制AdobeLM.dll,在当前OllyDBG里面直接写代码Load复制的AdobeLM.dll,同样的方法修复SDK后再用Relox修复最终的重定位表。</FONT><BR><BR></P>
页:
[1]