[ACProtect]-ConTrolPTZ.exe
 

标题:[ACProtect]-ConTrolPTZ.exe
链接:http://www.unpack.cn/viewthread.php?tid=8540
贴者:cyto
日期:2006-11-23 19:42


如果发表本文不妥,请说明,我马上删除.

忘了在哪看到有人提到这个软件:ConTrolPTZ.exe因为查不出何种壳,跟了下,算是给些脱壳思路,作为新手学习的参考,有IAT加密,自校验.脱壳后程序是Borland C++ 1999.脱壳后程序能够运行,也不知道功能有没有被限制.


如果发表本文不妥,请说明,我马上删除.

忘了在哪看到有人提到这个软件:ConTrolPTZ.exe
因为查不出何种壳,跟了下,算是给些脱壳思路,作为新手学习的参考,有IAT加密,自校验.
脱壳后程序是Borland C++ 1999.
脱壳后程序能够运行,也不知道功能有没有被限制.


EP:
0051E000 C>  55                  push ebp                         ; packer EP; the listing below is deliberately misaligned (call-to-next+1 tricks), so read the bytes, not the mnemonics
0051E001     E8 01000000         call ConTrolP.0051E007           ; target is 1 byte inside the 7-byte "jmp far" shown next: from 0051E007 the bytes are 83 04 24 06 (add dword ptr [esp],6) / C3 (ret) -> resumes at 0051E006+6 = 0051E00C
0051E006     EA 83042406 C347    jmp far 47C3:06240483            ; never executed as shown; real flow resumes at 0051E00C (47 = inc edi) and falls into the je below
0051E00D     0F84 01000000       je ConTrolP.0051E014
0051E013     F9                  stc
0051E014     87C7                xchg edi,eax
0051E016     50                  push eax
0051E017     E8 01000000         call ConTrolP.0051E01D           ; same trick: bytes at 0051E01D are 83 C4 04 (add esp,4) / 58 (pop eax) -> the return address is dropped and eax restored; push/call/add/pop is a no-op apart from flags
0051E01C   - EB 83               jmp short ConTrolP.0051DFA1      ; never executed as shown (EB is the junk byte, 83 starts the real add esp,4)
0051E01E     C40458              les eax,fword ptr ds:[eax+ebx*2] ; misaligned decode of 83 C4 04 58, see above
0051E021     66:81D8 5C02        sbb ax,25C
0051E026     78 03               js short ConTrolP.0051E02B       ; js/jns pair to the same target = opaque predicate: exactly one of the two is always taken
0051E028     79 01               jns short ConTrolP.0051E02B      ; so 0051E02B, one byte inside the next displayed instruction, is the real continuation
0051E02A   - 79 D3               jns short ConTrolP.0051DFFF      ; never executed as shown; from 0051E02B the bytes are D3 D9 (rcr ecx,cl), EB 01 (jmp short 0051E030)
0051E02C     D9EB                fldpi
0051E02E     017487 C7           add dword ptr ds:[edi+eax*4-39],esi ; misaligned decode; real flow: jmp short 0051E030 -> 87 C7 (xchg edi,eax) -> the call below
0051E032     E8 01000000         call ConTrolP.0051E038           ; call-to-next+1 again; expect the same overlapping-instruction pattern from here on
0051E037   - 77 83               ja short ConTrolP.0051DFBC

搜索:0F85 ?? FFFFFF(即带小负数 rel32 的 jnz,也就是各个解密循环的回跳),在下一行代码下断:
为什么这么做?因为我步进了n久后发现了这个规律.
0051E150     F9             stc
0051E151     83C2 FF        add edx,-1                       ; edx = remaining count; every decryption stage ends in this add/jnz shape
0051E154   ^ 0F85 71FFFFFF  jnz ConTrolP.0051E0CB            ; first hit of the "0F85 ?? FFFFFF" pattern (jnz with a small negative rel32 = a backward loop)
0051E15A     EB 01          jmp short ConTrolP.0051E15D      ; EB 01 skips one junk byte at 0051E15C; the next real instruction starts inside what the disassembler displays
...
0053509F   ^\0F85 66FFFFFF  jnz ConTrolP.0053500B            ; last hit: the final decryption loop before the jump to the OEP
005350A5     EB 01          jmp short ConTrolP.005350A8      ; skips the junk byte 76 at 005350A7; real code resumes at 005350A8 (byte 42)
005350A7     76 42          jbe short ConTrolP.005350EB      ; never executed as shown
...
005350FD     E8 CC87FFFF    call ConTrolP.0052D8CE           ; same routine later used at 0053263C to produce the XOR key for IAT stubs; presumably a value/key generator -- not verified here
00535102     AB             stos dword ptr es:[edi]          ; fill loop: store each returned dword at edi, ecx times
00535103   ^ E2 F8          loopd short ConTrolP.005350FD
00535105     61             popad                            ; restores the registers saved by an earlier pushad (not shown)
00535106     EB 01          jmp short ConTrolP.00535109      ; skips the junk byte at 00535108

00535109   - FF25 4B515300  jmp dword ptr ds:[53514B]        ; ConTrolP.00401000 -- indirect jump through a packer data cell holding the OEP; break here and step once to land on the OEP

来到OEP:
00401000    /EB 10          jmp short ConTrolP.00401012      ; OEP (RVA 1000): jump over an inline marker block
00401002    |66:623A        bound di,dword ptr ds:[edx]      ; bytes 66 62 3A 43 2B 2B 48 4F 4F 4B are the ASCII text "fb:C++HOOK", not code -- a Borland C++ startup marker, consistent with the author's "Borland C++ 1999" identification
00401005    |43             inc ebx
00401006    |2B2B           sub ebp,dword ptr ds:[ebx]
00401008    |48             dec eax
00401009    |4F             dec edi
0040100A    |4F             dec edi
0040100B    |4B             dec ebx
0040100C    |90             nop
0040100D   -|E9 88B44C00    jmp 008CC49A                     ; part of the marker block; skipped by the jmp at 00401000
00401012    \A1 7BB44C00    mov eax,dword ptr ds:[4CB47B]    ; first real instruction; dump the image with OEP = 00401000
00401017     C1E0 02        shl eax,2

IAT:
n多加密了:
004DB2F8  0051E010  ConTrolP.0051E010                      ; IAT slot points into the packed code region near the packer EP (0051E0xx), not into a DLL -> encrypted/redirected import
004DB2FC  0051E01D  ConTrolP.0051E01D                      ; same; a dump with these values has dangling imports, so the slots must hold real API addresses before ImportREC rebuilds the table

对4DB2F8下硬件访问断点:
00532511     8B95 46F84000   mov edx,dword ptr ss:[ebp+40F846]      ; loop head (hardware breakpoint on 4DB2F8 lands here): edx = value added to every RVA below -- presumably the image base; [ebp+...] is the packer's ebp-relative data area
00532517     8B06            mov eax,dword ptr ds:[esi]             ; esi -> current import descriptor; the +0 / +10 offsets match IMAGE_IMPORT_DESCRIPTOR (OriginalFirstThunk / FirstThunk) -- presumably, verify
00532519     0BC0            or eax,eax
0053251B     75 07           jnz short ConTrolP.00532524
0053251D     90              nop
0053251E     90              nop
0053251F     90              nop
00532520     90              nop
00532521     8B46 10         mov eax,dword ptr ds:[esi+10]          ; no OriginalFirstThunk -> read the thunk data from FirstThunk instead
00532524     03C2            add eax,edx                            ; eax = VA of the thunk array
00532526     0385 42F84000   add eax,dword ptr ss:[ebp+40F842]      ; + running byte offset into the array ([ebp+40F842] is advanced by 4 at 00532697)
0053252C     8B18            mov ebx,dword ptr ds:[eax]             ; ebx = thunk value: name RVA, or ordinal with bit 31 set
0053252E     8B7E 10         mov edi,dword ptr ds:[esi+10]
00532531     03FA            add edi,edx
00532533     03BD 42F84000   add edi,dword ptr ss:[ebp+40F842]      ; edi = VA of the IAT slot that receives the result (written at 00532695)
00532539     85DB            test ebx,ebx
0053253B     0F84 62010000   je ConTrolP.005326A3                   ; zero thunk = end of this descriptor's list (handled outside this listing)
00532541     F7C3 00000080   test ebx,80000000                      ; bit 31 set = import by ordinal: nothing to decrypt
00532547     75 1D           jnz short ConTrolP.00532566
00532549     90              nop
0053254A     90              nop
0053254B     90              nop
0053254C     90              nop
0053254D     03DA            add ebx,edx                            ; ebx = VA of the IMAGE_IMPORT_BY_NAME entry
0053254F     83C3 02         add ebx,2                              ; skip the 2-byte hint -> ebx = encrypted name string
00532552     56              push esi
00532553     57              push edi
00532554     50              push eax
00532555     8BF3            mov esi,ebx
00532557     8BFB            mov edi,ebx
00532559     AC              lods byte ptr ds:[esi]                 ; decrypt the name in place: rotate each byte left by 3 ...
0053255A     C0C0 03         rol al,3
0053255D     AA              stos byte ptr es:[edi]
0053255E     803F 00         cmp byte ptr ds:[edi],0                ; ... until the byte after the one just written is 0 (the terminator itself is left untouched)
00532561   ^ 75 F6           jnz short ConTrolP.00532559
00532563     58              pop eax
00532564     5F              pop edi
00532565     5E              pop esi
00532566     3B9D 46F84000   cmp ebx,dword ptr ss:[ebp+40F846]      ; signed compare: an ordinal thunk (bit 31 set) is negative and goes straight to the mask; a name VA falls through
0053256C     7C 11           jl short ConTrolP.0053257F
0053256E     90              nop
0053256F     90              nop
00532570     90              nop
00532571     90              nop
00532572     83BD 1A204000 0>cmp dword ptr ss:[ebp+40201A],0        ; option flag: when set, name pointers skip the mask below (for VAs below 10000000h the mask is a no-op anyway)
00532579     75 0A           jnz short ConTrolP.00532585
0053257B     90              nop
0053257C     90              nop
0053257D     90              nop
0053257E     90              nop
0053257F     81E3 FFFFFF0F   and ebx,0FFFFFFF                       ; strip the top 4 flag bits (incl. the ordinal flag) -> ordinal number
00532585     53              push ebx                               ; name pointer or ordinal
00532586     FFB5 3EF84000   push dword ptr ss:[ebp+40F83E]         ; handle of the module being imported from (presumably; set outside this listing)
0053258C     FF95 1C854100   call dword ptr ss:[ebp+41851C]         ; resolver called through a packer-held pointer; the author identifies eax afterwards as the API address, so presumably GetProcAddress(hModule, name/ordinal)
00532592     3B9D 46F84000   cmp ebx,dword ptr ss:[ebp+40F846]    ; eax = resolved function address; ebx below the base = ordinal (nothing to wipe)
00532598     7C 0F           jl short ConTrolP.005325A9           ; this is the instruction the author patches into "jmp 00532695" (see the patch section)
0053259A     90              nop
0053259B     90              nop
0053259C     90              nop
0053259D     90              nop
0053259E     60              pushad
0053259F     2BC0            sub eax,eax                          ; anti-dump: overwrite the decrypted name with zeros now that it has been used, so no plaintext API names remain in memory
005325A1     8803            mov byte ptr ds:[ebx],al
005325A3     43              inc ebx
005325A4     3803            cmp byte ptr ds:[ebx],al
005325A6   ^ 75 F9           jnz short ConTrolP.005325A1
005325A8     61              popad
005325A9     0BC0            or eax,eax                           ; eax = function address; 0 = resolution failed
005325AB   ^ 0F84 15FFFFFF   je ConTrolP.005324C6                 ; failure path (outside this listing)
005325B1     3B85 2C854100   cmp eax,dword ptr ss:[ebp+41852C]    ; author: is this MessageBoxA? (compared against an API address the packer cached earlier)
005325B7     74 20           je short ConTrolP.005325D9           ; yes: route it through a packer routine instead of the real API
005325B9     90              nop
005325BA     90              nop
005325BB     90              nop
005325BC     90              nop
005325BD     3B85 C4FD4000   cmp eax,dword ptr ss:[ebp+40FDC4]    ; second hooked API (author: "some xx function"; its identity is not visible here)
005325C3     74 09           je short ConTrolP.005325CE           ; yes: different packer routine
005325C5     90              nop
005325C6     90              nop
005325C7     90              nop
005325C8     90              nop
005325C9     EB 14           jmp short ConTrolP.005325DF          ; ordinary API: keep eax
005325CB     90              nop
005325CC     90              nop
005325CD     90              nop
005325CE     8D85 31FE4000   lea eax,dword ptr ss:[ebp+40FE31]    ; replace the real API address with a packer-internal handler (hook #2)
005325D4     EB 09           jmp short ConTrolP.005325DF
005325D6     90              nop
005325D7     90              nop
005325D8     90              nop
005325D9     8D85 4BFE4000   lea eax,dword ptr ss:[ebp+40FE4B]    ; replace MessageBoxA with the packer's own handler; an unpacked binary that bypasses this calls the real API and may behave differently
005325DF     56              push esi
005325E0     FFB5 3EF84000   push dword ptr ss:[ebp+40F83E]
005325E6     5E              pop esi                              ; esi = handle of the current module
005325E7     39B5 12204000   cmp dword ptr ss:[ebp+402012],esi    ; only two specific modules (handles cached at [ebp+402012] / [ebp+402016]) are eligible for stub redirection
005325ED     74 15           je short ConTrolP.00532604
005325EF     90              nop
005325F0     90              nop
005325F1     90              nop
005325F2     90              nop
005325F3     39B5 16204000   cmp dword ptr ss:[ebp+402016],esi
005325F9     74 09           je short ConTrolP.00532604
005325FB     90              nop
005325FC     90              nop
005325FD     90              nop
005325FE     90              nop
005325FF     EB 63           jmp short ConTrolP.00532664          ; any other module: write eax as is
00532601     90              nop
00532602     90              nop
00532603     90              nop
00532604     80BD 16564100 0>cmp byte ptr ss:[ebp+415616],0       ; option byte: stub redirection enabled?
0053260B     74 57           je short ConTrolP.00532664
0053260D     90              nop
0053260E     90              nop
0053260F     90              nop
00532610     90              nop
00532611     EB 07           jmp short ConTrolP.0053261A          ; hops over 7 bytes of junk/data at 00532613-00532619
00532613     90              nop
00532614     90              nop
00532615     90              nop
00532616     0100            add dword ptr ds:[eax],eax           ; data bytes 01 00 00 00, not code
00532618     0000            add byte ptr ds:[eax],al
0053261A     8BB5 0BF94000   mov esi,dword ptr ss:[ebp+40F90B]    ; esi = write cursor into the stub area
00532620     83C6 0D         add esi,0D                           ; each stub is 0D (13) bytes
00532623     81EE 02184000   sub esi,ConTrolP.00401802
00532629     2BF5            sub esi,ebp                          ; esi = cursor + 13 - (ebp + 401802): positive when the next stub would overrun the area's limit
0053262B     83FE 00         cmp esi,0
0053262E     7F 34           jg short ConTrolP.00532664           ; no room: fall back to writing the real address
00532630     90              nop
00532631     90              nop
00532632     90              nop
00532633     90              nop
00532634     8BB5 0BF94000   mov esi,dword ptr ss:[ebp+40F90B]
0053263A     53              push ebx
0053263B     50              push eax
0053263C     E8 8DB2FFFF     call ConTrolP.0052D8CE               ; produce a per-stub XOR key (same routine as the fill loop before the OEP jump); presumably a PRNG -- not verified here
00532641     8BD8            mov ebx,eax                          ; ebx = key
00532643     58              pop eax                              ; eax = API address again
00532644     33C3            xor eax,ebx                          ; eax = API ^ key
00532646     C606 68         mov byte ptr ds:[esi],68             ; emit a 13-byte stub:   68 imm32        push (API ^ key)
00532649     8946 01         mov dword ptr ds:[esi+1],eax
0053264C     C746 05 8134240>mov dword ptr ds:[esi+5],243481      ;                        81 34 24 imm32  xor dword ptr [esp],key  (the 00 high byte of 00243481 lands at +8 and is overwritten by the key)
00532653     895E 08         mov dword ptr ds:[esi+8],ebx
00532656     C646 0C C3      mov byte ptr ds:[esi+C],0C3          ;                        C3              ret -> transfers to the real API, which never appears in the IAT
0053265A     5B              pop ebx                              ; original thunk value back
0053265B     8BC6            mov eax,esi                          ; the IAT slot receives the stub address instead of the API
0053265D     8385 0BF94000 0>add dword ptr ss:[ebp+40F90B],0D     ; advance the cursor past this stub
00532664     5E              pop esi
00532665     60              pushad
00532666     8BD0            mov edx,eax                          ; edx = value about to be stored (API or stub address)
00532668     2BBD 46F84000   sub edi,dword ptr ss:[ebp+40F846]    ; edi = RVA of the IAT slot
0053266E     8BC7            mov eax,edi
00532670     B9 01010000     mov ecx,101                          ; scan a 101h-entry dword table of slot RVAs at [ebp+40ECEB]
00532675     8DBD EBEC4000   lea edi,dword ptr ss:[ebp+40ECEB]
0053267B     F2:AF           repne scas dword ptr es:[edi]
0053267D     0BC9            or ecx,ecx
0053267F     74 13           je short ConTrolP.00532694           ; ecx = 0 is treated as "not found" (note: a match in the very last entry also leaves ecx = 0 and would be missed)
00532681     90              nop
00532682     90              nop
00532683     90              nop
00532684     90              nop
00532685     81E9 01010000   sub ecx,101
0053268B     F7D1            not ecx                              ; ecx = ~(ecx - 101h) = 0-based index of the matching entry
0053268D     89948D EBE84000 mov dword ptr ss:[ebp+ecx*4+40E8EB],edx ; record the stored value in a parallel table at the same index (purpose not visible here; presumably slots the packer revisits later)
00532694     61              popad
00532695     8907            mov dword ptr ds:[edi],eax           ; write the API address (or the stub address) into the IAT slot
00532697     8385 42F84000 0>add dword ptr ss:[ebp+40F842],4      ; next slot; the author's breakpoint stops here
0053269E   ^ E9 6EFEFFFF     jmp ConTrolP.00532511

patch:
00532586     FFB5 3EF84000   push dword ptr ss:[ebp+40F83E]
0053258C     FF95 1C854100   call dword ptr ss:[ebp+41851C]       ; eax = resolved API address
00532592     3B9D 46F84000   cmp ebx,dword ptr ss:[ebp+40F846]
00532598     E9 F8000000     jmp ConTrolP.00532695                ; was "7C 0F  jl 005325A9"; E9 rel32 = 00532598+5+F8 = 00532695 and overwrites three of the four nops that followed. Bypasses the name wipe, the eax=0 check, the MessageBoxA/xx hooks, the push/xor/ret stub builder and the slot-RVA table: every slot gets the real API address

00532695     8907            mov dword ptr ds:[edi],eax           ; real API address goes straight into the IAT -> ImportREC can read it after F9
00532697     8385 42F84000 0>add dword ptr ss:[ebp+40F842],4
0053269E   ^ E9 6EFEFFFF     jmp ConTrolP.00532511

让得到的函数地址eax直接填充,F9,一直运行,函数地址全部出来了,ImportREC获取.注意这个 patch 同时跳过了 005325B1 处对 MessageBoxA 等函数的特殊处理(原本会用壳内部例程替换 eax),脱壳后这些调用直接走真实 API,行为可能与加壳版本不同.

重新申请内存:这一段算是自校验——下面两处标注"清0"的全局变量若在 dump 时已经非 0,程序会跳过初始化并使用只在原进程里有效的指针,所以 dump 后要把它们清零.
004BADE3     803D AC524D00 >cmp byte ptr ds:[4D52AC],0           ; author: zero this byte in the dump. Non-zero means "already initialised" and the init call below is skipped; a dump taken from the running process inherits the non-zero value and then runs on state that only existed in that process
004BADEA     75 13          jnz short cyto.004BADFF
004BADEC     E8 13F9FFFF    call cyto.004BA704                   ; one-time initialisation; al != 0 on success
004BADF1     84C0           test al,al
004BADF3     75 0A          jnz short cyto.004BADFF
004BADF5     33C0           xor eax,eax                          ; init failed: result 0 kept in [ebp-4]
004BADF7     8945 FC        mov dword ptr ss:[ebp-4],eax
004BADFA     E9 54010000    jmp cyto.004BAF53
004BADFF     33C9           xor ecx,ecx
004BAE01     55             push ebp                             ; install an SEH frame: handler 004BAF4C, previous fs:[0] saved on the stack
004BAE02     68 4CAF4B00    push cyto.004BAF4C
004BAE07     64:FF31        push dword ptr fs:[ecx]
004BAE0A     64:8921        mov dword ptr fs:[ecx],esp
004BAE0D     803D C54E4D00 >cmp byte ptr ds:[4D4EC5],0
004BAE14     74 0A          je short cyto.004BAE20
004BAE16     68 B4524D00    push cyto.004D52B4                   ; conditional call guarded by [4D4EC5] (target not shown in the listing)
004BAE1B     E8 5EF30000    call 
004BAE20     83C3 07        add ebx,7                            ; ebx = requested size rounded up to a multiple of 4, minimum 0C
004BAE23     83E3 FC        and ebx,FFFFFFFC
004BAE26     83FB 0C        cmp ebx,0C
004BAE29     7D 05          jge short cyto.004BAE30
004BAE2B     BB 0C000000    mov ebx,0C
004BAE30     81FB 00100000  cmp ebx,1000                         ; requests above 1000h take another path (004BAECF)
004BAE36     0F8F 93000000  jg cyto.004BAECF
004BAE3C     8BC3           mov eax,ebx
004BAE3E     85C0           test eax,eax                         ; eax = size / 4 (signed-division rounding, as a compiler emits it)
004BAE40     79 03          jns short cyto.004BAE45
004BAE42     83C0 03        add eax,3
004BAE45     C1F8 02        sar eax,2
004BAE48     8B15 0C534D00  mov edx,dword ptr ds:[4D530C]        ; table pointer, presumably filled in by the init call at 004BADEC; stale or NULL in a dump that skipped init
004BAE4E     8B5482 F4      mov edx,dword ptr ds:[edx+eax*4-C]   ; author: otherwise this faults -- it dereferences that stale table
004BAE52     85D2           test edx,edx
004BAE54     74 79          je short cyto.004BAECF

004BA07A     BE D0524D00    mov esi,cyto.004D52D0
004BA07F     833E 00        cmp dword ptr ds:[esi],0             ; author: zero this dword in the dump as well. Non-zero means "already allocated" and the allocation below is skipped, leaving a pointer that was only valid in the original process
004BA082     75 3A          jnz short cyto.004BA0BE
004BA084     68 44060000    push 644                             ; allocate 644h bytes; call target not shown -- the (0, size) argument order suggests GlobalAlloc/LocalAlloc, unverified
004BA089     6A 00          push 0
004BA08B     E8 74020100    call 
004BA090     8BC8           mov ecx,eax
004BA092     85C9           test ecx,ecx                         ; NULL = allocation failed
004BA094     75 05          jnz short cyto.004BA09B
