Armadillo V5.X Patch Key And Unpack
 

标题:Armadillo V5.X Patch Key And Unpack
链接:http://www.unpack.cn/viewthread.php?tid=18716
贴者:glts
日期:2007-10-29 01:59

  目标对像:Armadillo V5.X标准 单进程 带KEY程序 已有其它机器的硬件号 和 可用KEY及用户名
  练习目的:学习Armadillo V5.X Patch KEY 和简单脱壳
  
  〖侦 查 敌 情〗
  查壳得知为Armadillo V5.0X -> Silicon Realms Toolworks
  
  Armadillo find 显示如下信息 有点吓人 5X版本基本都这样显示 此工具也应该升下级了
  ======== 29-10-2007 01:44:14 ========
  ★ 目标为Armadillo保护
  ★ 特征识别 = B0ABB0F5
  保护系统级别为 (专业版)
  ◆所用到的保护模式有◆
  屏蔽调试器
  双进程模式
  使用输入表乱续模式
  使用策略代码衔接模式
  使用 Nanomites 处理模式
  【备份密钥设置】
  不固定的备份密钥
  【程序压缩设置】
  较好/较慢地压缩方式
  【其它保护设置】
  存储外部环境变量
  使用 Digital River 版本密钥
  不要只依赖单机模式
  
  经过之前初步分析跟踪之后得出以下过程
  
  〖Patch KEY 过程〗
  一、bp GetSystemTime 中断后返回引用:
  00C5AAF0    FF15 0C43CA00   CALL DWORD PTR DS:[CA430C]               ; kernel32.GetSystemTime
  00C5AAF6    0FB74D FA       MOVZX ECX,WORD PTR SS:[EBP-6]
  00C5AAFA    51              PUSH ECX
  00C5AAFB    0FB755 F8       MOVZX EDX,WORD PTR SS:[EBP-8]
  00C5AAFF    52              PUSH EDX
  00C5AB00    0FB745 F6       MOVZX EAX,WORD PTR SS:[EBP-A]
  00C5AB04    50              PUSH EAX
  00C5AB05    0FB74D F4       MOVZX ECX,WORD PTR SS:[EBP-C]
  00C5AB09    51              PUSH ECX
  00C5AB0A    0FB755 F2       MOVZX EDX,WORD PTR SS:[EBP-E]
  00C5AB0E    52              PUSH EDX
  00C5AB0F    0FB745 EE       MOVZX EAX,WORD PTR SS:[EBP-12]
  00C5AB13    50              PUSH EAX
  00C5AB14    0FB74D EC       MOVZX ECX,WORD PTR SS:[EBP-14]
  00C5AB18    51              PUSH ECX
  00C5AB19    E8 22010000     CALL 00C5AC40                           //F7
  00C5AB1E    50              PUSH EAX
  
  CALL 00C5AC40  //F7————————————————————
  00C5AC40    55              PUSH EBP
  00C5AC41    8BEC            MOV EBP,ESP
  00C5AC43    83EC 0C         SUB ESP,0C
  00C5AC46    6A 00           PUSH 0
  00C5AC48    B9 8814CB00     MOV ECX,0CB1488
  00C5AC4D    E8 BE4DFFFF     CALL 00C4FA10
  00C5AC52    8BE5            MOV ESP,EBP
  00C5AC54    5D              POP EBP
  00C5AC55    C3              RETN
  
  CALL 00C4FA10 //F7—————————————————————
  00C4FA10    55              PUSH EBP
  00C4FA11    8BEC            MOV EBP,ESP
  00C4FA13    83EC 14         SUB ESP,14
  00C4FA16    894D F0         MOV DWORD PTR SS:[EBP-10],ECX
  00C4FA19    8B45 F0         MOV EAX,DWORD PTR SS:[EBP-10]
  00C4FA1C    8B88 5C060000   MOV ECX,DWORD PTR DS:[EAX+65C]
  00C4FA22    894D FC         MOV DWORD PTR SS:[EBP-4],ECX
  00C4FA25    8B55 F0         MOV EDX,DWORD PTR SS:[EBP-10]
  00C4FA28    8B82 5C060000   MOV EAX,DWORD PTR DS:[EDX+65C]
  00C4FA2E    8945 F8         MOV DWORD PTR SS:[EBP-8],EAX
  00C4FA31    6A 01           PUSH 1
  00C4FA33    8B4D F8         MOV ECX,DWORD PTR SS:[EBP-8]
  00C4FA36    E8 B5730100     CALL 00C66DF0                      
  00C4FA3B    8845 F7         MOV BYTE PTR SS:[EBP-9],AL
  00C4FA3E    B9 01000000     MOV ECX,1
  00C4FA43    85C9            TEST ECX,ECX
  00C4FA45    7C 21           JL SHORT 00C4FA68
  00C4FA47    BA 01000000     MOV EDX,1
  00C4FA4C    83FA 01         CMP EDX,1
  00C4FA4F    7F 17           JG SHORT 00C4FA68
  00C4FA51    B8 01000000     MOV EAX,1
  00C4FA56    C1E0 02         SHL EAX,2
  00C4FA59    8B4D F0         MOV ECX,DWORD PTR SS:[EBP-10]
  00C4FA5C    8B9401 5C200000 MOV EDX,DWORD PTR DS:[ECX+EAX+205C]
  00C4FA63    8955 EC         MOV DWORD PTR SS:[EBP-14],EDX
  00C4FA66    EB 07           JMP SHORT 00C4FA6F
  00C4FA68    C745 EC 0000000>MOV DWORD PTR SS:[EBP-14],0
  00C4FA6F    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
  00C4FA72    50              PUSH EAX
  00C4FA73    6A 01           PUSH 1
  00C4FA75    8B4D FC         MOV ECX,DWORD PTR SS:[EBP-4]
  00C4FA78    E8 B3730100     CALL 00C66E30                              //F7
  00C4FA7D    0FB64D F7       MOVZX ECX,BYTE PTR SS:[EBP-9]
  00C4FA81    F7D9            NEG ECX
  00C4FA83    1BC9            SBB ECX,ECX
  00C4FA85    81E1 11111111   AND ECX,11111111
  00C4FA8B    33C1            XOR EAX,ECX
  00C4FA8D    3345 EC         XOR EAX,DWORD PTR SS:[EBP-14]
  00C4FA90    8BE5            MOV ESP,EBP
  00C4FA92    5D              POP EBP
  00C4FA93    C2 0400         RETN 4
  
  

  CALL 00C66E30  //F7————————————————————
  
  00C66E30    55              PUSH EBP
  00C66E31    8BEC            MOV EBP,ESP
  00C66E33    83EC 10         SUB ESP,10
  00C66E36    56              PUSH ESI
  00C66E37    894D F0         MOV DWORD PTR SS:[EBP-10],ECX
  00C66E3A    C745 FC 0000000>MOV DWORD PTR SS:[EBP-4],0
  00C66E41    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
  00C66E44    50              PUSH EAX
  00C66E45    8B4D F0         MOV ECX,DWORD PTR SS:[EBP-10]
  00C66E48    E8 A3FFFFFF     CALL 00C66DF0
  00C66E4D    0FB6C8          MOVZX ECX,AL
  00C66E50    85C9            TEST ECX,ECX
  00C66E52    74 0A           JE SHORT 00C66E5E
  00C66E54    E8 172B0200     CALL 00C89970
  00C66E59    8945 FC         MOV DWORD PTR SS:[EBP-4],EAX
  00C66E5C    EB 5E           JMP SHORT 00C66EBC
  00C66E5E    BA 0D000000     MOV EDX,0D
  00C66E63    C1E2 02         SHL EDX,2
  00C66E66    A1 D41ACB00     MOV EAX,DWORD PTR DS:[CB1AD4]
  00C66E6B    8B0C10          MOV ECX,DWORD PTR DS:[EAX+EDX]
  00C66E6E    83F1 00         XOR ECX,0
  00C66E71    894D F8         MOV DWORD PTR SS:[EBP-8],ECX
  00C66E74    BA 15000000     MOV EDX,15
  00C66E79    C1E2 02         SHL EDX,2
  00C66E7C    A1 D41ACB00     MOV EAX,DWORD PTR DS:[CB1AD4]
  00C66E81    8B0C10          MOV ECX,DWORD PTR DS:[EAX+EDX]
  00C66E84    83F1 00         XOR ECX,0
  00C66E87    894D F4         MOV DWORD PTR SS:[EBP-C],ECX
  00C66E8A    8B55 08         MOV EDX,DWORD PTR SS:[EBP+8]
  00C66E8D    C1E2 08         SHL EDX,8
  00C66E90    8B45 F0         MOV EAX,DWORD PTR SS:[EBP-10]
  00C66E93    8D4C10 18       LEA ECX,DWORD PTR DS:[EAX+EDX+18]
  00C66E97    8B55 F8         MOV EDX,DWORD PTR SS:[EBP-8]
  00C66E9A    3355 F4         XOR EDX,DWORD PTR SS:[EBP-C]
  00C66E9D    B8 0F000000     MOV EAX,0F
  00C66EA2    C1E0 02         SHL EAX,2
  00C66EA5    8B35 D41ACB00   MOV ESI,DWORD PTR DS:[CB1AD4]            ; RainMain.00540378
  00C66EAB    8B0406          MOV EAX,DWORD PTR DS:[ESI+EAX]
  00C66EAE    83F0 00         XOR EAX,0
  00C66EB1    33D0            XOR EDX,EAX
  00C66EB3    8B45 0C         MOV EAX,DWORD PTR SS:[EBP+C]
  00C66EB6    331481          XOR EDX,DWORD PTR DS:[ECX+EAX*4]
  00C66EB9    8955 FC         MOV DWORD PTR SS:[EBP-4],EDX       //EDX 放的是本机硬件号 F2下断
  00C66EBC    8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
  00C66EBF    5E              POP ESI
  00C66EC0    8BE5            MOV ESP,EBP
  00C66EC2    5D              POP EBP
  00C66EC3    C2 0800         RETN 8
引用:
  33 14 81 89 55 FC
引用:
  00C59002    50              PUSH EAX
  00C59003    68 2C4BCA00     PUSH 0CA4B2C                             ; ASCII "%04X-%04X"
  00C59008    8D8D E8FCFFFF   LEA ECX,DWORD PTR SS:[EBP-318]
  00C5900E    51              PUSH ECX
  00C5900F    E8 8A430300     CALL 00C8D39E
  00C59014    83C4 10         ADD ESP,10
  00C59017    6A 00           PUSH 0
  00C59019    8D95 E8FCFFFF   LEA EDX,DWORD PTR SS:[EBP-318]
  00C5901F    52              PUSH EDX
  00C59020    68 D84CCA00     PUSH 0CA4CD8                             ; ASCII "FINGERPRINT"
  00C59025    8B8D 70FBFFFF   MOV ECX,DWORD PTR SS:[EBP-490]
  00C5902B    81C1 4C240000   ADD ECX,244C
  00C59031    E8 FA1EFFFF     CALL 00C4AF30
  00C59036    6A 00           PUSH 0
  00C59038    8B8D 70FBFFFF   MOV ECX,DWORD PTR SS:[EBP-490]
  00C5903E    E8 6D050000     CALL 00C595B0                            ; 此CALL 再次调用 00C66E30       子程序
综上所述为硬件号生成及PATCH过程---在输入用户名和KEY之后还会在00C66EB9 中断N次
中断之后把硬件号都改之为正确KEY的硬件号直到程序运行 如此KEY就PATCH好了接下来脱壳:
引用:
1、BP VirtualProtect SHIFT+F9 N次之后堆栈如下:
0012983C   00C81D8D  /CALL 到 VirtualProtect 来自 00C81D87
00129840   004A5DBC  |Address = RainMain.004A5DBC
00129844   00000014  |Size = 14 (20.)          //此值有变化 故取消断点返回
00129848   00000004  |NewProtect = PAGE_READWRITE
0012984C   0012C2F4  \pOldProtect = 0012C2F4
00129850   1CD2BDAE
00129854   00540378  RainMain.00540378

00C81D8D    6A 14           PUSH 14                                  //返回到此
00C81D8F    E8 3FB40000     CALL 00C8D1D3
00C81D94    83C4 04         ADD ESP,4
00C81D97    8985 A4AEFFFF   MOV DWORD PTR SS:[EBP+FFFFAEA4],EAX
00C81D9D    83BD A4AEFFFF 0>CMP DWORD PTR SS:[EBP+FFFFAEA4],0
00C81DA4    74 59           JE SHORT 00C81DFF
00C81DA6    8B0D 8CB3CB00   MOV ECX,DWORD PTR DS:[CBB38C]
00C81DAC    898D ACADFFFF   MOV DWORD PTR SS:[EBP+FFFFADAC],ECX
00C81DB2    8B95 74DAFFFF   MOV EDX,DWORD PTR SS:[EBP-258C]
00C81DB8    0395 38D6FFFF   ADD EDX,DWORD PTR SS:[EBP-29C8]
00C81DBE    8B85 A4AEFFFF   MOV EAX,DWORD PTR SS:[EBP+FFFFAEA4]
00C81DC4    8910            MOV DWORD PTR DS:[EAX],EDX
00C81DC6    8B8D 58D7FFFF   MOV ECX,DWORD PTR SS:[EBP-28A8]
00C81DCC    C1E1 02         SHL ECX,2
00C81DCF    8B95 A4AEFFFF   MOV EDX,DWORD PTR SS:[EBP+FFFFAEA4]
00C81DD5    894A 04         MOV DWORD PTR DS:[EDX+4],ECX
00C81DD8    8B85 A4AEFFFF   MOV EAX,DWORD PTR SS:[EBP+FFFFAEA4]
00C81DDE    C640 0C 00      MOV BYTE PTR DS:[EAX+C],0
00C81DE2    8B8D A4AEFFFF   MOV ECX,DWORD PTR SS:[EBP+FFFFAEA4]
00C81DE8    8B95 ACADFFFF   MOV EDX,DWORD PTR SS:[EBP+FFFFADAC]
00C81DEE    8951 10         MOV DWORD PTR DS:[ECX+10],EDX
00C81DF1    8B85 A4AEFFFF   MOV EAX,DWORD PTR SS:[EBP+FFFFAEA4]
00C81DF7    8985 CCACFFFF   MOV DWORD PTR SS:[EBP+FFFFACCC],EAX
00C81DFD    EB 0A           JMP SHORT 00C81E09
00C81DFF    C785 CCACFFFF 0>MOV DWORD PTR SS:[EBP+FFFFACCC],0
00C81E09    8B8D CCACFFFF   MOV ECX,DWORD PTR SS:[EBP+FFFFACCC]
00C81E0F    890D 8CB3CB00   MOV DWORD PTR DS:[CBB38C],ECX
00C81E15    8B15 8CB3CB00   MOV EDX,DWORD PTR DS:[CBB38C]
00C81E1B    8B85 5CD7FFFF   MOV EAX,DWORD PTR SS:[EBP-28A4]
00C81E21    8942 08         MOV DWORD PTR DS:[EDX+8],EAX
00C81E24    C785 60D7FFFF 0>MOV DWORD PTR SS:[EBP-28A0],0
00C81E2E    FF15 4043CA00   CALL DWORD PTR DS:[CA4340]               ; kernel32.GetTickCount

返回后CTRL+F 搜索"PUSH 100" 注意__整个块 不要选择 来到如下
00C82000    68 00010000     PUSH 100
00C82005    8D8D 00C4FFFF   LEA ECX,DWORD PTR SS:[EBP-3C00]
00C8200B    51              PUSH ECX
00C8200C    8B95 00C5FFFF   MOV EDX,DWORD PTR SS:[EBP-3B00]
00C82012    8B02            MOV EAX,DWORD PTR DS:[EDX]
00C82014    50              PUSH EAX
00C82015    E8 F6AC0000     CALL 00C8CD10                            //ENTER 进入此CALL

00C8CD10    55              PUSH EBP                                 //修改为RET直接让其返回
00C8CD11    8BEC            MOV EBP,ESP
00C8CD13    83EC 2C         SUB ESP,2C
00C8CD16    833D 7CDCCB00 0>CMP DWORD PTR DS:[CBDC7C],0
00C8CD1D    75 59           JNZ SHORT 00C8CD78
00C8CD1F    C745 EC 29BAA06>MOV DWORD PTR SS:[EBP-14],6AA0BA29
00C8CD26    68 00010000     PUSH 100
00C8CD2B    E8 A3040000     CALL 00C8D1D3
引用:
2、BP CreateThread SHift+F9中断后取消断点 返回 一路F8到如下代码
00C85B43    8B55 08         MOV EDX,DWORD PTR SS:[EBP+8]             ; RainMain.00546E88
00C85B46    833A 01         CMP DWORD PTR DS:[EDX],1
00C85B49    75 3E           JNZ SHORT 00C85B89
00C85B4B    A1 D41ACB00     MOV EAX,DWORD PTR DS:[CB1AD4]
00C85B50    8B0D D41ACB00   MOV ECX,DWORD PTR DS:[CB1AD4]            ; RainMain.00540378
00C85B56    8B50 60         MOV EDX,DWORD PTR DS:[EAX+60]
00C85B59    3351 64         XOR EDX,DWORD PTR DS:[ECX+64]
00C85B5C    A1 D41ACB00     MOV EAX,DWORD PTR DS:[CB1AD4]
00C85B61    3350 14         XOR EDX,DWORD PTR DS:[EAX+14]
00C85B64    8955 DC         MOV DWORD PTR SS:[EBP-24],EDX
00C85B67    8B4D 08         MOV ECX,DWORD PTR SS:[EBP+8]
00C85B6A    8B51 04         MOV EDX,DWORD PTR DS:[ECX+4]
00C85B6D    52              PUSH EDX
00C85B6E    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
00C85B71    8B48 08         MOV ECX,DWORD PTR DS:[EAX+8]
00C85B74    51              PUSH ECX
00C85B75    6A 00           PUSH 0
00C85B77    8B55 08         MOV EDX,DWORD PTR SS:[EBP+8]
00C85B7A    8B42 0C         MOV EAX,DWORD PTR DS:[EDX+C]
00C85B7D    50              PUSH EAX
00C85B7E    8B4D F4         MOV ECX,DWORD PTR SS:[EBP-C]
00C85B81    2B4D DC         SUB ECX,DWORD PTR SS:[EBP-24]
00C85B84    FFD1            CALL ECX                                 //韦幅王直奔光明顶 轻工了得
00C85B86    8945 FC         MOV DWORD PTR SS:[EBP-4],EAX
00C85B89    8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
00C85B8C    5E              POP ESI
00C85B8D    8BE5            MOV ESP,EBP
00C85B8F    5D              POP EBP
00C85B90    C3              RETN

OEP:
引用:
0049BF5E    55              PUSH EBP
0049BF5F    8BEC            MOV EBP,ESP
0049BF61    6A FF           PUSH -1
0049BF63    68 781D4B00     PUSH 004B1D78
0049BF68    68 96BE4900     PUSH 0049BE96                            ; JMP 到 msvcrt._except_handler3
0049BF6D    64:A1 00000000  MOV EAX,DWORD PTR FS:[0]
0049BF73    50              PUSH EAX
0049BF74    64:8925 0000000>MOV DWORD PTR FS:[0],ESP
0049BF7B    83EC 68         SUB ESP,68
0049BF7E    53              PUSH EBX
0049BF7F    56              PUSH ESI
0049BF80    57              PUSH EDI
0049BF81    8965 E8         MOV DWORD PTR SS:[EBP-18],ESP
0049BF84    33DB            XOR EBX,EBX
0049BF86    895D FC         MOV DWORD PTR SS:[EBP-4],EBX
0049BF89    6A 02           PUSH 2
0049BF8B    FF15 E05C4A00   CALL DWORD PTR DS:[4A5CE0]               ; msvcrt.__set_app_type
0049BF91    59              POP ECX
0049BF92    830D 18FF4D00 F>OR DWORD PTR DS:[4DFF18],FFFFFFFF
0049BF99    830D 1CFF4D00 F>OR DWORD PTR DS:[4DFF1C],FFFFFFFF
0049BFA0    FF15 E45C4A00   CALL DWORD PTR DS:[4A5CE4]               ; msvcrt.__p__fmode
0049BFA6    8B0D 0CFF4D00   MOV ECX,DWORD PTR DS:[4DFF0C]
0049BFAC    8908            MOV DWORD PTR DS:[EAX],ECX
0049BFAE    FF15 E85C4A00   CALL DWORD PTR DS:[4A5CE8]               ; msvcrt.__p__commode
0049BFB4    8B0D 08FF4D00   MOV ECX,DWORD PTR DS:[4DFF08]
0049BFBA    8908            MOV DWORD PTR DS:[EAX],ECX
0049BFBC    A1 B45D4A00     MOV EAX,DWORD PTR DS:[4A5DB4]
0049BFC1    8B00            MOV EAX,DWORD PTR DS:[EAX]
0049BFC3    A3 14FF4D00     MOV DWORD PTR DS:[4DFF14],EAX
0049BFC8    E8 92020000     CALL 0049C25F
0049BFCD    391D A0344C00   CMP DWORD PTR DS:[4C34A0],EBX
0049BFD3    75 0C           JNZ SHORT 0049BFE1
0049BFD5    68 5CC24900     PUSH 0049C25C
0049BFDA    FF15 B05D4A00   CALL DWORD PTR DS:[4A5DB0]               ; msvcrt.__setusermatherr
0049BFE0    59              POP ECX
0049BFE1    E8 64020000     CALL 0049C24A
0049BFE6    68 20F34B00     PUSH 004BF320
0049BFEB    68 1CF34B00     PUSH 004BF31C
0049BFF0    E8 4F020000     CALL 0049C244                            ; JMP 到 msvcrt._initterm
0049BFF5    A1 04FF4D00     MOV EAX,DWORD PTR DS:[4DFF04]
0049BFFA    8945 94         MOV DWORD PTR SS:[EBP-6C],EAX
0049BFFD    8D45 94         LEA EAX,DWORD PTR SS:[EBP-6C]
0049C000    50              PUSH EAX

DUMP&FIX CUT掉无效的 程序运行正常 觉得还行的 给+点UB 快混不下去了
附件地址:http://www.unpack.cn/attachment.php?aid=12600