[收藏本方案]

AcProtect 1.41 外壳分析[14]

[入库:2005年8月19日] [更新:2007年3月24日]

本文简介:选择自 bmd2chen 的 blog
首页 上页 下页 尾页 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23] [24] [25] [26] [27] [28] [29] [30] [31] [32] [33] [34] [35] [36] [37] [38] [39] [40] [41] [42] [43] [44] [45] [46] [47] [48] [49] [50] [51] [52] [53] [54] [55] [56] [57] [58] [59] [60] [61] [62] [63] [64] [65] [66] [67] [68] [69]

0057d26a 2bfd sub edi,ebp 0057d26c 03c7 add eax,edi 0057d26e 8946 fc mov dword ptr ds:[esi-4],eax 0057d271 5f pop edi 0057d272 57 push edi 0057d273 33c9 xor ecx,ecx 0057d275 83f9 08 cmp ecx,8 0057d278 74 0e je short 0057d288 0057d27a 90 nop 0057d27b 90 nop 0057d27c 90 nop 0057d27d 90 nop 0057d27e 8b448c 04 mov eax,dword ptr ss:[esp+ecx*4+4] 0057d282 89048c mov dword ptr ss:[esp+ecx*4],eax 0057d285 41 inc ecx 0057d286 ^ eb ed jmp short 0057d275 0057d288 893c8c mov dword ptr ss:[esp+ecx*4],edi ...... 0057d2c7 61 popad 0057d2c8 c3 retn 进了程序代码空间后,现在分三个任务完成脱壳:去除acprotect 用到的sdk保护embedd protect,去除replace code. 去除acprotect 用到的sdk保护embedd protect:   按照任务的顺序一个一个来,我们先解决最大的拌脚石,acprotect的embedd protect应该这个壳里的最大亮点之一。 加上了对程序的保护加强了不少。下面看看我们就去搬走这块石头。 由上篇的文章里的分析,我写个了脚本方便很快就去关键地方,脚本如下: /* set break point at embedd protect start address */ var bpaddr start: bprm 401000,b6000 //在code section处下断点 esto bpmc bp 591079 //断下后,在处理sdk的那个关键地方下个断 lbl1: eob lbl2 run lbl2: cmp esi,0 je lbl3 cob mov bpaddr,esi add bpaddr,400000 //取出sdk的具体地址,然后在相关地址处下断 mov addrval,[bpaddr] bp bpaddr jmp lbl1 lbl3: cob bc 591079 //如果处理完了就结束这个脚本,清除上面的关键断点 ret 写好后,设置od忽略全部异常。运行脚本后最后结束在这里: 00591079 0bf6 or esi,esi ; 如果没有用sdk或sdk处理部分已经操作完成则跳 0059107b 74 31 je short <finished> 0059107d 90 nop 0059107e 90 nop 0059107f 90 nop 断下后,alt+b打开断点窗口:把非pushad处设置的断点取消: breakpoints address module active disassembly comment 0040cc05 maincon always pushad 0040fe71 maincon always sub byte ptr ds:[ecx],2d ;clear it 004132d7 maincon always pushad 004166d1 maincon always pushad 00419a9b maincon always pushad 0041ccd6 maincon always cmp al,0a3 ;clear it 0042089a maincon always pushad 00423adf maincon always cmc ;clear it 00427422 maincon always pushad 0042abd1 maincon always pushad 0042dea1 maincon always pushad 004317a2 maincon always pushad 00436067 maincon always pushad 0043930f maincon always jbe short 00439375 ;clear it 0043c77d maincon always pushad 0043fa3d maincon always pushad 00442dbd maincon always pushad 0044607d maincon always pushad 0044933d maincon always pushad 0044c600 maincon always pushad 0044f8dd maincon always pushad 00452c0f maincon always pushad 00455

首页 上页 下页 尾页 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23] [24] [25] [26] [27] [28] [29] [30] [31] [32] [33] [34] [35] [36] [37] [38] [39] [40] [41] [42] [43] [44] [45] [46] [47] [48] [49] [50] [51] [52] [53] [54] [55] [56] [57] [58] [59] [60] [61] [62] [63] [64] [65] [66] [67] [68] [69]
本文关键:AcProtect 1.41 外壳分析
  相关方案
Google
 

本站最佳浏览方式为 分辨率 1024x768 IE 6.0(或更高版本的 IE浏览器)

go top