动画介绍:1.照常,查壳 ASProtect 2.1x SKE -> Alexey Solodovnikov 这里是个很难的壳,不过有了Volx大侠的ASPR脱壳脚本就简单多了,我们现在就来脱
我们在这里看到这些有用的东西:
IAT 的地址 = 00472000
IAT 的相对地址 = 00072000
IAT 的大小 = 00000C48
OEP 的地址 = 0046AC95
OEP 的相对地址 = 0006AC95
这里我们用相对地址 先lordpe转存,在IR修复
我们载入脱壳后的文件,运行软件,注册一下,重启验证,我们在目录里看到这个Key.dat,
说明注册码就保存在这里,我们这里用 bp ReadFile 这个断点,重新运行软件,之前要下好断点
截下来看我操作 :0012FAFC |015A0A90 UNICODE "C:\Program Files\fse\key.dat"
0041AAE3 . 8D8D C4FEFFFF LEA ECX,DWORD PTR SS:[EBP-13C]
0041AAE9 . E8 405D0000 CALL <JMP.&crtool.CCRTools::Init>
0041AAEE . 8BF0 MOV ESI,EAX
0041AAF0 . 7E 03 JLE SHORT dumped_.0041AAF5
0041AAF2 . 7F 01 JG SHORT dumped_.0041AAF5
0041AAF4 E8 DB E8
0041AAF5 > 83FE 21 CMP ESI,21
0041AAF8 . 75 0A JNZ SHORT dumped_.0041AB04
0041AAFA . 70 03 JO SHORT dumped_.0041AAFF
0041AAFC . 71 01 JNO SHORT dumped_.0041AAFF
0041AAFE E8 DB E8
0041AAFF E9 8D000000 JMP dumped_.0041AB91
0041AB04 . 70 03 JO SHORT dumped_.0041AB09
0041AB06 . 71 01 JNO SHORT dumped_.0041AB09
0041AB08 E8 DB E8
0041AB09 > 83FE 2C CMP ESI,2C
0041AB0C . 75 09 JNZ SHORT dumped_.0041AB17
0041AB0E . 7C 03 JL SHORT dumped_.0041AB13
0041AB10 > EB 03 JMP SHORT dumped_.0041AB15
0041AB12 E9 DB E9
0041AB13 >^ 74 FB JE SHORT dumped_.0041AB10
0041AB15 EB 7A JMP SHORT dumped_.0041AB91
0041AB17 > 895D EC MOV DWORD PTR SS:[EBP-14],EBX
0041AB1A . 7C 03 JL SHORT dumped_.0041AB1F
0041AB1C EB 03 JMP SHORT dumped_.0041AB21
0041AB1E E9 DB E9
0041AB1F >^ 74 FB JE SHORT dumped_.0041AB1C
0041AB21 > 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0041AB24 . 51 PUSH ECX
0041AB25 . 8D8D C4FEFFFF LEA ECX,DWORD PTR SS:[EBP-13C]
0041AB2B . E8 F85C0000 CALL <JMP.&crtool.CCRTools::IsOkUse>
0041AB30 . 84C0 TEST AL,AL
0041AB32 74 56 JE SHORT dumped_.0041AB8A
0041AB34 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0041AB37 . 8D50 A8 LEA EDX,DWORD PTR DS:[EAX-58]
0041AB3A . 85D2 TEST EDX,EDX
0041AB3C 75 0E JNZ SHORT dumped_.0041AB4C
0041AB3E . 83FE 4D CMP ESI,4D
0041AB41 . 75 09 JNZ SHORT dumped_.0041AB4C
0041AB43 . 7C 03 JL SHORT dumped_.0041AB48
0041AB45 > EB 03 JMP SHORT dumped_.0041AB4A
0041AB47 E9 DB E9
0041AB48 >^ 74 FB JE SHORT dumped_.0041AB45
0041AB4A EB 45 JMP SHORT dumped_.0041AB91
0041AB4C > 83C0 D4 ADD EAX,-2C
0041AB4F 75 09 JNZ SHORT dumped_.0041AB5A
0041AB51 . 7C 03 JL SHORT dumped_.0041AB56
0041AB53 > EB 03 JMP SHORT dumped_.0041AB58
0041AB55 E9 DB E9
0041AB56 >^ 74 FB JE SHORT dumped_.0041AB53
0041AB58 EB 37 JMP SHORT dumped_.0041AB91
0041AB5A > 8D8D C4FEFFFF LEA ECX,DWORD PTR SS:[EBP-13C]
0041AB60 . C707 58000000 MOV DWORD PTR DS:[EDI],58
0041AB66 . 885D FC MOV BYTE PTR SS:[EBP-4],BL
0041AB69 . E8 A85C0000 CALL <JMP.&crtool.CCRTools::~CCRTools>
0041AB6E . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0041AB71 . FF15 6C274700 CALL DWORD PTR DS:[<&mfc80u.#575>] ; mfc80u.7834DD87
0041AB77 . 5E POP ESI
0041AB78 . 5F POP EDI
0041AB79 . B0 01 MOV AL,1
0041AB7B . 5B POP EBX
0041AB7C . 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
0041AB7F . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0041AB86 . 8BE5 MOV ESP,EBP
0041AB88 . 5D POP EBP
0041AB89 . C3 RETN
0041AB8A > 7C 03 JL SHORT dumped_.0041AB8F
0041AB8C > EB 03 JMP SHORT dumped_.0041AB91
0041AB8E E9 DB E9
0041AB8F >^ 74 FB JE SHORT dumped_.0041AB8C
0041AB91 > 8D8D C4FEFFFF LEA ECX,DWORD PTR SS:[EBP-13C]
0041AB97 . 885D FC MOV BYTE PTR SS:[EBP-4],BL
0041AB9A . E8 775C0000 CALL <JMP.&crtool.CCRTools::~CCRTools>
0041AB9F . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0041ABA2 . FF15 6C274700 CALL DWORD PTR DS:[<&mfc80u.#575>] ; mfc80u.7834DD87
0041ABA8 . 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
0041ABAB . 5E POP ESI
0041ABAC . 5F POP EDI
0041ABAD . 32C0 XOR AL,AL
0041ABAF . 5B POP EBX
0041ABB0 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0041ABB7 . 8BE5 MOV ESP,EBP
0041ABB9 . 5D POP EBP
0041ABBA . C3 RETN
这么一大段,一开始我也糊涂了,不过看了wan兄的笔记,懂了不少
经过对比,我发现retn下面是注册失败,不信可以自己运行试试,那么我们就把所有跳到下面的跳转改掉
F8慢慢来
正式版,哈哈,注册成功
我们可以再次载入保存一下 呵呵,夏冰软件都是这样破解的,呵呵,大家自己实验把~!88 | |
安全中国首页 > 动画中心 > 软件破解
