由于对ACProtectPro v1.09g的主程序脱壳没有成功,所以就想看看他是注册效验是不是能用内存补丁来破解。因为他Anti_Loader我更想测试一下对补丁程序是不是也Anti_Loader。就用OD附加的方式跟踪了他。来看看我有什么收获:
运行ACProtect v1.09主程序,再运行fly修改的Ollydbg v1.09d汉化版。附加上内存中的ACProtect 进程。OD中断在:
77F67FC4 6A 08 PUSH 8
77F67FC6 68 F01AF877 PUSH 77F81AF0
77F67FCB E8 24DAFCFF CALL 77F359F4
77F67FD0 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
77F67FD6 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]
77F67FD9 8078 02 00 CMP BYTE PTR DS:[EAX+2],0
77F67FDD ^ 74 D5 JE SHORT 77F67FB4
77F67FDF 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
77F67FE3 E8 5FB8FCFF CALL 77F33847
77F67FE8 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
77F67FEC 6A 00 PUSH 0
77F67FEE E8 93FFFFFF CALL 77F67F86
77F67FF3 FF75 10 PUSH DWORD PTR SS:[EBP+10]
77F67FF6 FF75 0C PUSH DWORD PTR SS:[EBP+C]
77F67FF9 57 PUSH EDI
77F67FFA E8 3AF60200 CALL 77F97639
77F67FFF E9 31010000 JMP 77F68135
来看看怎么回到程序的领空,如果直接F8运行是无法回到ACProtect的领空的。F9运行附加的程序,激活ACProtect程序(一定要看到ACProtect程序出现在上面)再次F12暂停。重新中断在:
7FFE0300 8BD4 MOV EDX,ESP
7FFE0302 0F34 SYSENTER
7FFE0304 C3 RETN
这个异常的出口。F8运行二下就会回到主程序的领空:
0044DAA8 33C0 XOR EAX,EAX
0044DAAA 5A POP EDX
0044DAAB 59 POP ECX
0044DAAC 59 POP ECX
0044DAAD 64:8910 MOV DWORD PTR FS:[EAX],EDX
0044DAB0 68 CADA4400 PUSH 44DACA
0044DAB5 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0044DAB8 BA 02000000 MOV EDX,2
0044DABD E8 9E61FBFF CALL 00403C60
0044DAC2 C3 RETN
好了,这次在程序的领空了^_^
在Ollydbg中打开搜索字符串窗口。看看有些什么信息,呵呵作者真好提供了许多的注册信息:
文本字符串参考位于 00400000..005C7FFF
地址 反汇编 文本字符
00402DE0 PUSH 402E60 ASCII "SOFTWARE\Borland\Delphi\RTL"
00402E14 PUSH 402E7C ASCII "FPUMaskValue"
00403A6B MOV EBX,4D1044 ASCII " at 00000000"
00403B2E MOV EDX,4D1034 ASCII "Runtime error at 00000000"
00403B4F PUSH 4D1054 ASCII "Error"
00403B54 PUSH 4D1034 ASCII "Runtime error at 00000000"
004054C9 PUSH 405638 ASCII "kernel32.dll"
004054D9 PUSH 405648 ASCII "GetLongPathNameA"
0040568C PUSH 405818 ASCII "Software\Borland\Locales"
004056AA PUSH 405834 ASCII "Software\Borland\Delphi\Locales"
004059D4 CMP DWORD PTR DS:[EBX+4],100 UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"
004061C9 MOV EDX,4D10C4 ASCII 20," "
004076CA PUSH 407758 ASCII "Magellan MSWHEEL"
004076CF PUSH 40776C ASCII "MouseZ"
004076DB PUSH 407774 ASCII "MSWHEEL_ROLLMSG"
004076EA PUSH 407784 ASCII "MSH_WHEELSUPPORT_MSG"
004076F6 PUSH 40779C ASCII "MSH_SCROLL_LINES_MSG"
004266FB MOV ECX,4267A0 ASCII "EDIT"
00426CAE MOV ECX,426D68 ASCII CR,LF
00426CFC MOV EDX,426D68 ASCII CR,LF
0042787F MOV ECX,4278C8 ASCII "COMBOBOX"
004288CF MOV ECX,4288F4 ASCII "BUTTON"
0042957C MOV ECX,429664 ASCII "LISTBOX"
0042A2D1 PUSH 42A2FC ASCII "Delphi Picture"
0042A2E1 PUSH 42A30C ASCII "Delphi Component"
0042AA56 IMUL ESP,DWORD PTR SS:[ESP+E ASCII "T〣"
0042C193 PUSH 42C1E0 ASCII 09,"TDockZone"
0042E239 MOV EAX,42E284 ASCII "%s (%s)"
00430520 MOV EDX,43053C ASCII "IsControl"
00439694 PUSH 4397D0 ASCII "USER32"
004396A0 PUSH 4397D8 ASCII "WINNLSEnableIME"
004396BD PUSH 4397E8 ASCII "IMM32.DLL"
004396D9 PUSH 4397F4 ASCII "ImmGetContext"
004396EE PUSH 439804 ASCII "ImmReleaseContext"
00439703 PUSH 439818 ASCII "ImmGetConversionStatus"
00439718 PUSH 439830 ASCII "ImmSetConversionStatus"
0043972D PUSH 439848 ASCII "ImmSetOpenStatus"
00439742 PUSH 43985C ASCII "ImmSetCompositionWindow"
00439757 PUSH 439874 ASCII "ImmSetCompositionFontA"
0043976C PUSH 43988C ASCII "ImmGetCompositionStringA"
00439781 PUSH 4398A8 ASCII "ImmIsIME"
00439796 PUSH 4398B4 ASCII "ImmNotifyIME"
00439A5B MOV EDX,439B30 ASCII "Delphi%.8X"
00439A97 MOV EDX,439B3C ASCII "ControlOfs%.8X%.8X"
0043BE8B MOV EDX,43BEA8 ASCII "Bitmap"
0043C6AD MOV DWORD PTR DS:[EBX],43C76 ASCII 09,"TMenuItem"
0043E103 MOV EDX,43E11C ASCII "ShortCutText"
00441665 MOV DWORD PTR DS:[EBX+C],100 UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"
004416B3 MOV DWORD PTR DS:[EBX+C],100 UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"
00446D58 MOV EDX,446DA8 ASCII "PixelsPerInch"
00446D76 MOV EDX,446DC0 ASCII "TextHeight"
00446D8E MOV EDX,446DD4 ASCII "IgnoreFontProperty"
0044873B PUSH 4487AC ASCII "MDICLIENT"
0044B524 MOV EDX,44B638 ASCII "System\CurrentControlSet\Control\Keyboard Layouts\%.8x"
0044B56B PUSH 44B670 ASCII "layout text"
0044C070 PUSH 44C168 ASCII "MAINICON"
0044CAA1 MOV EAX,44CD68 ASCII "vcltest3.dll"
0044CAC2 PUSH 44CD78 ASCII "RegisterAutomation"
0044DAC2 RETN (初始 CPU 选择)
004512AB IMUL ESI,DWORD PTR SS:[ESP+E ASCII "P5D"
00451CAF MOV EDX,451CC8 ASCII "FileEditStyle"
0045235C MOV EAX,4523DC ASCII "%.6x"
0045237D MOV EDX,4523EC ASCII "Color"
00452428 MOV EDX,4524A8 ASCII "Color"
00452B95 MOV EDX,452DD0 ASCII "Image"
00452BE7 MOV EDX,452DE0 ASCII "Message"
00452F07 PUSH 452F68 ASCII "commdlg_help"
00452F16 PUSH 452F78 ASCII "commdlg_FindReplace"
00452F47 MOV EDX,452F8C ASCII "WndProcPtr%.8X%.8X"
00454699 MOV EAX,4546B4 ASCII "error:poly one step is too long"
0045499F MOV EAX,4549BC ASCII "error:poly one step is too long"
00454CDE MOV EAX,454CFC ASCII "error:poly one step is too long"
00455E55 MOV ECX,456188 ASCII "EZIS"
00455E7D MOV ECX,456198 ASCII "1YEK"
00455EA8 MOV ECX,4561A8 ASCII "O3ROR"
00455F03 MOV ECX,4561B8 ASCII "ROR"
00455F72 MOV ECX,4561C4 ASCII "O1O4IMME"
00455FCD MOV ECX,4561D8 ASCII "O4IM"
004562C4 PUSH 456340 ASCII "Warning:"
004562CC PUSH 456354 ASCII " found more than once!"
004562EF MOV ECX,456374 ASCII " not found!"
004580FD MOV ESP,4E0201 ASCII "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"...
00459307 MOV ESP,4E0201 ASCII "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"...
0045B55B MOV EDX,45B620 ASCII "comctl32.dll"
0045B9ED MOV ECX,45BA44 ASCII "msctls_statusbar32"
0045BBB5 MOV EAX,45BBDC ASCII TAB,TAB
0045BFF3 MOV EAX,45C05C ASCII TAB,TAB
0045DA4B MOV EDX,45DA68 ASCII "Data"
0045DE31 MOV ECX,45DF2C ASCII "SysTreeView32"
0045FC5E MOV EDX,45FC78 ASCII "WidthType"
00461167 MOV EDX,461184 ASCII "Data"
00461A75 MOV ECX,461B78 ASCII "SysListView32"
004628F2 MOV EDX,462974 ASCII "SysHeader32"
004660DB MOV ECX,466138 ASCII "ToolbarWindow32"
00469DE1 MOV EDX,469EC0 ASCII "nil"
0046AAE1 MOV ECX,46AB70 ASCII "SysDateTimePick32"
0047E2E9 MOV ECX,10000 UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"
00480BAD MOV EDX,480C10 ASCII "jpeg"
00480BD2 MOV EDX,480C20 ASCII "jpg"
004880D1 IMUL EBP,DWORD PTR DS:[ESI+3 ASCII ")1999,2000 by Jeremy Collake. All Rights Reserved."
0048833C MOV EDX,4883A8 ASCII "50%"
0048957E MOV EDX,489604 ASCII "F:\delphi_com\suipackd5\suipack\SUIImagePanel.pas"
00489583 MOV EAX,489640 ASCII "Assertion failure"
00489E68 MOV EBP,10048 UNICODE "tings\All Users"
0048A35B MOV EDX,10048 UNICODE "tings\All Users"
0048A7E6 MOV EDX,10048 UNICODE "tings\All Users"
0048A877 MOV EBP,10048 UNICODE "tings\All Users"
0048AE0E MOV EDX,10048 UNICODE "tings\All Users"
0048D292 MOV EDX,48D2D4 ASCII "suiCheckBox"
0048D702 MOV EDX,48D744 ASCII "suiRadioButton"
00494D42 MOV ECX,494FAC ASCII "SIDECHANNEL_BTN_NOONTOP"
00494DEE MOV EDX,494FCC ASCII "SIDECHANNEL_BAR_NORMAL"
00494E04 MOV EDX,494FEC ASCII "SIDECHANNEL_BAR_MOUSEON"
00494E1A MOV EDX,494FEC ASCII "SIDECHANNEL_BAR_MOUSEON"
0049549C MOV ECX,4954F0 ASCII "SIDECHANNEL_BTN_ONTOP"
004954BC MOV ECX,495510 ASCII "SIDECHANNEL_BTN_NOONTOP"
0049596A MOV ECX,4959B0 ASCII "MACOS_MENU_BAR"
004959E6 MOV ECX,495A2C ASCII "MACOS_MENU_SELECT"
00495A66 MOV ECX,495AAC ASCII "MACOS_MENU_BAR"
004961CA MOV EDX,49624C ASCII "MS Sans Serif"
00497404 MOV ECX,4975B4 ASCII "Sorry, You can create only one TsuiForm component in one form!"
00497973 MOV ECX,497BA4 ASCII "MACOS_MENU_SELECT"
00497C32 MOV ECX,497C6C ASCII "MACOS_MENU_BAR"
00498207 MOV EDX,498338 ASCII 0C,"TsuiMainMenu"
0049822C PUSH 498350 ASCII "Strongly recommend you to use ""TsuiMainMenu"" instead of ""TMainMenu"".",CR,LF,CR,LF,"If you still want to use TMainForm, ",CR,LF,CR,LF,"set "
0049823D PUSH 4983D0 ASCII "’s MENU property to NIL please."
00498242 PUSH 4983F8 ASCII CR,LF,CR,LF
00498247 PUSH 498408 ASCII "And set "
00498252 PUSH 49841C ASCII "’s MENU property to this Menu when you finished designing the menu."
00498535 MOV ECX,49864C ASCII "MACOS_FORM_BACKGROUND"
0049854A MOV ECX,49866C ASCII "PROTEIN_FORM_BACKGROUND"
00498F27 MOV EAX,498FF4 ASCII "Sorry, you can’t select the Form assign to FormPanel property"
00499F6C MOV EDX,499FCC ASCII "Tahoma"
0049A496 PUSH 49A618 ASCII "MAINICON"
0049B266 MOV EAX,49B2B4 ASCII "Sorry, only one section’s Align property can be ""suiClient"""
0049BC3A MOV EAX,49BC88 ASCII "Sorry, only one button’s ButtonType property can be ""suiControlBox"""
0049CBB6 MOV EDX,49CBE8 ASCII "Wg"
0049DE11 MOV EDX,49DE84 ASCII "suiCheckGroup"
0049E390 MOV EDX,49E3C4 ASCII "suiRadioGroup"
0049F1CF MOV ECX,49F280 ASCII "MACOS_COMBOBOX_BUTTON"
004A1FA5 MOV EDX,4A206C ASCII "Tab1"
004A4454 MOV EDX,4A4470 ASCII "Pages"
004A4C60 MOV EDX,4A4C7C ASCII "PageControl"
004AA3C3 MOV EDX,4AA408 ASCII "ColWidths"
004AA3EB MOV EDX,4AA41C ASCII "RowHeights"
004AFCBD MOV EDX,4AFCD4 ASCII "List"
004B29DE MOV EDX,4B2ABC ASCII "cl"
004B2EE4 MOV EAX,4B2F78 ASCII "ColorA=%.8x"
004B3140 MOV ECX,4B319C ASCII "Custom..."
004B4A80 MOV EAX,4B4AF0 ASCII "FONTCOMBO_TRUETYPE_FNT"
004B4A93 MOV EAX,4B4B08 ASCII "FONTCOMBO_DEVICE_FNT"
004BFEBD MOV EDX,4BFF04 ASCII "Welcome to Sunisoft"
004BFECA MOV EDX,4BFF20 ASCII "http://www.sunisoft.com"
004C17D2 MOV EAX,4C1968 ASCII "too many sections,quit"
004C18EA MOV EAX,4C1988 ASCII "Warning:last section’s RVA +size>ImageSize"
004C1FE9 MOV ECX,4C21EC ASCII "FirstDecryptorsBegin"
004C2002 MOV ECX,4C220C ASCII "FirstDecryptorsEnd"
004C201E MOV ECX,4C2228 ASCII "MainDecryptorsBegin"
004C207D MOV EAX,4C2244 ASCII ".EXE"
004C20DB MOV ECX,4C2254 ASCII "MainDecryptorsEnd"
004C20F7 MOV ECX,4C2270 ASCII "ENDSALLZCF"
004C2156 MOV EAX,4C2244 ASCII ".EXE"
004C22F2 MOV ECX,4C2DA0 ASCII "OEPOEP"
004C2572 MOV EAX,4C2DC8 ASCII ".EXE"
004C2612 MOV ECX,4C2DF8 ASCII "dElT"
004C264E MOV ECX,4C2E08 ASCII "aPiR"
004C26EF MOV ECX,4C2E34 ASCII "by unregistered ACProtect"
004C27A3 MOV ECX,4C2E58 ASCII "C:\C0nfig.sav"
004C28BD MOV ECX,4C2E70 ASCII "Expired!"
004C2971 MOV ECX,4C2E84 ASCII "No License or License is not correct"
004C2A25 MOV ECX,4C2EB4 ASCII "PARENT"
004C2A8F MOV EAX,4C2DC8 ASCII ".EXE"
004C2AA8 MOV ECX,4C2EC4 ASCII ".RELOC"
004C2B93 MOV ECX,4C2ED4 ASCII "TRW2000"
004C2C13 MOV ECX,4C2EE4 ASCII "key.dat"
004C2CC1 MOV ECX,4C2EF4 ASCII "GetMachineID"
004C2F64 MOV EAX,4C32D8 ASCII ".data"
004C331D MOV ECX,4C3978 ASCII "MineImport_Begin"
004C33A0 MOV ECX,4C3994 ASCII "MineImport_Endss"
004C33F9 MOV ECX,4C39B0 ASCII "ENDSALLZCF"
004C342B MOV EAX,4C39C4 ASCII "bin error found ENDSALLZCF"
004C348A MOV EAX,4C39E8 ASCII ".EXE"
004C3658 MOV EAX,4C39F8 ASCII "perhaps compress larger than before!"
1 2 3 4 5 下一页 |
安全中国首页 > 文章中心 > 脱壳技术