ACProtect download: http://www.ultraprotect.com acpro_up.exe  File size: 1.44 M
[Software introduction]: ACProtect is an application that allows you to protect Windows executable files against piracy. It uses public-key encryption algorithms (RSA) to create and verify registration keys and to unlock RSA-key-locked code; it has an embedded cryptor against dumping and unpacking, and it also has many anti-debug tricks. You can also use it to create evaluation and trial versions of an application. With its specialized API system, mutual communication between the loader and the application can also be achieved.
[Author's note]: I am a beginner at cracking; I am only interested in it and have no other purpose. Please correct me on any mistakes!
[Debugging environment]: WinXP, Ollydbg 1.09D modified version, LordPE, ImportREC
—————————————————————————————————
[Process]:
My test subject: a small program packed with the unregistered version of ACProtect V1.09 Pro. It is uploaded as an attachment at the end of this post.
First, a solemn declaration: I am just a newbie who has only started learning unpacking, so there are surely many mistakes; please criticize and correct me, and I will listen humbly. The notes below are only what I recorded while tracing this test subject; they do not apply to the ACProtect main program. I have not looked at other programs packed with the registered version of ACProtect, so I don't know about those.
The so-called "Dreamlike Ollydbg" in the title merely imitates unpacking master 123112's post《妖幻TRW and videofixer的脱壳方法之我之拙见》, because my modified Ollydbg can evade ACProtect's anti-tracing and will not be closed automatically by ACProtect. A bit of grandstanding, nothing more.
"Serious" thanks to jingulong for his repeated pointers! Without his guidance I still would not have found an approach; jingulong really is a hidden master unpacker! Much respect!
Because ACProtect is fairly new, none of the packer-identification tools recognize it. A program packed with ACProtect usually has a ".perplex" section, and some programs drop a perplex.dll file into the temp folder when run, e.g. videofixer.exe; on Win XP it is dropped under Documents and Settings\<username>\Local Settings\Temp. Of course, loading the program into a debugger and tracing the key code gives a clearer picture.
—————————————————————————————————
I. Anti-tracing
Compared with 幻影 (Phantom), ACProtect's anti-tracing is rather "considerate" toward crackers. Don't be angry, author; it is actually done quite well. I have roughly sorted it into 5 categories; additions from friends are welcome! It took me about two weeks of debugging to analyze this little bit, so I am rather slow.
1. Calling CreateFileA to detect numerous cracking tools, i.e. the "MeltICE" type described in 《加密与解密》 (Encryption and Decryption).
If a "banned" product is found, its process is killed with TerminateProcess. Unpacking master 123112 has already explained this clearly.
0040A46E 56 push esi
0040A46F 50 push eax
0040A470 8B85 0D454000 mov eax,dword ptr ss:[ebp+40450D]
0040A476 8038 CC cmp byte ptr ds:[eax],0CC
0040A479 74 10 je short 试炼ACP.0040A48B
0040A47B 90 nop
0040A47C 90 nop
0040A47D 90 nop
0040A47E 90 nop
0040A47F 58 pop eax
0040A480 FF95 0D454000 call dword ptr ss:[ebp+40450D] ; kernel32.CreateFileA

0040A609 58 pop eax
0040A60A 46 inc esi
0040A60B 803E 00 cmp byte ptr ds:[esi],0
0040A60E 75 FA jnz short 试炼ACP.0040A60A
0040A610 46 inc esi
0040A611 803E 00 cmp byte ptr ds:[esi],0
0040A614 0F84 66010000 je 试炼ACP.0040A780
0040A61A E9 3DFEFFFF jmp 试炼ACP.0040A45C
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
"Listed" products:
0040A6C5 5C 5C 2E 5C 53 49 43 45 00 5C 5C 2E 5C 4E 54 49 \\.\SICE.\\.\NTI
0040A6D5 43 45 00 5C 5C 2E 5C 4E 54 49 43 45 37 38 37 31 CE.\\.\NTICE7871
0040A6E5 00 5C 5C 2E 5C 4E 54 49 43 45 44 30 35 32 00 5C .\\.\NTICED052.\
0040A6F5 5C 2E 5C 54 52 57 44 45 42 55 47 00 5C 5C 2E 5C \.\TRWDEBUG.\\.\
0040A705 54 52 57 00 5C 5C 2E 5C 54 52 57 32 30 30 30 00 TRW.\\.\TRW2000.
0040A715 5C 5C 2E 5C 53 55 50 45 52 42 50 4D 00 5C 5C 2E \\.\SUPERBPM.\\.
0040A725 5C 49 43 45 44 55 4D 50 00 5C 5C 2E 5C 52 45 47 \ICEDUMP.\\.\REG
0040A735 4D 4F 4E 00 5C 5C 2E 5C 46 49 4C 45 4D 4F 4E 00 MON.\\.\FILEMON.
0040A745 5C 5C 2E 5C 52 45 47 56 58 44 00 5C 5C 2E 5C 46 \\.\REGVXD.\\.\F
0040A755 49 4C 45 56 58 44 00 5C 5C 2E 5C 56 4B 45 59 50 ILEVXD.\\.\VKEYP
0040A765 52 4F 44 00 5C 5C 2E 5C 42 57 32 4B 00 5C 5C 2E ROD.\\.\BW2K.\\.
0040A775 5C 53 49 57 44 45 42 55 47 00 00 60 E8 00 00 00 \SIWDEBUG..`....
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
^O^ ^O^ → Countermeasure: patch the jump, or use the 娃娃 modified build of TRW, or use Ollydbg, or "take care of" your SoftICE yourself.
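As an added defender-side example (not code from the original post or from ACProtect), the following Python script scans a file for the two static indicators described above: the ".perplex" section name and the NUL-terminated "\\.\NAME" debugger device strings that the CreateFileA check opens. The PE image it scans is a constructed header-only stub built inline so the script runs offline; KNOWN_DEVICES is taken from the dump above.

```python
import re
import struct

# Device names opened by the packer's CreateFileA check (from the dump above).
KNOWN_DEVICES = {"SICE", "NTICE", "NTICE7871", "NTICED052", "TRWDEBUG", "TRW",
                 "TRW2000", "SUPERBPM", "ICEDUMP", "REGMON", "FILEMON", "REGVXD",
                 "FILEVXD", "VKEYPROD", "BW2K", "SIWDEBUG"}
# Matches a NUL-terminated "\\.\NAME" device path in raw bytes.
DEVICE_RE = re.compile(rb"\\\\\.\\([A-Z0-9]{3,12})\x00")

def section_names(image):
    """Walk the PE section table and return the section names; [] if not a PE."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return []
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\x00\x00" or len(image) < pe + 24:
        return []
    nsect = struct.unpack_from("<H", image, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]   # SizeOfOptionalHeader
    table = pe + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsect):
        raw = image[table + 40 * i:table + 40 * i + 8]       # 8-byte Name field
        names.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names

def debugger_devices(image):
    """Return the known debugger device names embedded in the image, sorted."""
    found = {m.group(1).decode() for m in DEVICE_RE.finditer(image)}
    return sorted(found & KNOWN_DEVICES)

def acprotect_indicators(image):
    """Summarize both static indicators for one image."""
    names = section_names(image)
    return {"perplex_section": ".perplex" in names,
            "sections": names,
            "debugger_devices": debugger_devices(image)}

def build_sample(section_list, blob):
    """Constructed header-only PE32 stub for testing (not a loadable executable)."""
    opt_size = 0xE0  # size of a PE32 optional header
    img = bytearray(b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40))
    img += b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, len(section_list),
                                       0, 0, 0, opt_size, 0x102)
    img += b"\x00" * opt_size
    for name in section_list:
        img += name.encode().ljust(8, b"\x00") + b"\x00" * 32
    return bytes(img) + blob
```

To scan a real file, pass open(path, "rb").read() to acprotect_indicators instead of the constructed stub; a packed sample with an encrypted string table will only show the section indicator until the loader has decrypted it.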
————————————————————————
2. Detecting API breakpoints
Checks whether the first byte at the entry of each key API is INT 3 (0xCC); if so, it is over.
00408DF6 53 push ebx
00408DF7 50 push eax
00408DF8 52 push edx
00408DF9 03C5 add eax,ebp
00408DFB 50 push eax
00408DFC 53 push ebx
00408DFD 50 push eax
00408DFE 8B85 68C24100 mov eax,dword ptr ss:[ebp+41C268]
00408E04 8038 CC cmp byte ptr ds:[eax],0CC ====> is the first byte CC? If so, a BPX breakpoint has been set
00408E07 74 10 je short 试炼ACP.00408E19
00408E09 90 nop
00408E0A 90 nop
00408E0B 90 nop
00408E0C 90 nop
00408E0D 58 pop eax
00408E0E FF95 68C24100 call dword ptr ss:[ebp+41C268]
00408E14 E9 AD000000 jmp 试炼ACP.00408EC6
Each CALL below checks one key API, and this kind of check also appears everywhere else.
0040C091 B8 72434000 mov eax,试炼ACP.00404372
0040C096 BA E1444000 mov edx,试炼ACP.004044E1
0040C09B E8 56CDFFFF call 试炼ACP.00408DF6
0040C0A0 B8 7E434000 mov eax,试炼ACP.0040437E
0040C0A5 BA E5444000 mov edx,试炼ACP.004044E5
0040C0AA E8 47CDFFFF call 试炼ACP.00408DF6
0040C0AF B8 89434000 mov eax,试炼ACP.00404389
0040C0B4 BA F9444000 mov edx,试炼ACP.004044F9
0040C0B9 E8 38CDFFFF call 试炼ACP.00408DF6
0040C0BE B8 9D434000 mov eax,试炼ACP.0040439D
0040C0C3 BA FD444000 mov edx,试炼ACP.004044FD
0040C0C8 E8 29CDFFFF call 试炼ACP.00408DF6
0040C0CD B8 B6434000 mov eax,试炼ACP.004043B6
0040C0D2 BA 01454000 mov edx,试炼ACP.00404501
0040C0D7 E8 1ACDFFFF call 试炼ACP.00408DF6
0040C0DC B8 C5434000 mov eax,试炼ACP.004043C5
0040C0E1 BA 05454000 mov edx,试炼ACP.00404505
0040C0E6 E8 0BCDFFFF call 试炼ACP.00408DF6
0040C0EB B8 D3434000 mov eax,试炼ACP.004043D3
0040C0F0 BA 09454000 mov edx,试炼ACP.00404509
0040C0F5 E8 FCCCFFFF call 试炼ACP.00408DF6
0040C0FA B8 DF434000 mov eax,试炼ACP.004043DF
0040C0FF BA 0D454000 mov edx,试炼ACP.0040450D
0040C104 E8 EDCCFFFF call 试炼ACP.00408DF6
0040C109 B8 EB434000 mov eax,试炼ACP.004043EB
0040C10E BA 11454000 mov edx,试炼ACP.00404511
0040C113 E8 DECCFFFF call 试炼ACP.00408DF6
0040C118 B8 FC434000 mov eax,试炼ACP.004043FC
0040C11D BA 29454000 mov edx,试炼ACP.00404529
0040C122 E8 CFCCFFFF call 试炼ACP.00408DF6
0040C127 B8 0E444000 mov eax,试炼ACP.0040440E
0040C12C BA 2D454000 mov edx,试炼ACP.0040452D
0040C131 E8 C0CCFFFF call 试炼ACP.00408DF6
0040C136 B8 1A444000 mov eax,试炼ACP.0040441A
0040C13B BA 31454000 mov edx,试炼ACP.00404531
0040C140 E8 B1CCFFFF call 试炼ACP.00408DF6
0040C145 B8 23444000 mov eax,试炼ACP.00404423
0040C14A BA 35454000 mov edx,试炼ACP.00404535
0040C14F E8 A2CCFFFF call 试炼ACP.00408DF6
0040C154 B8 2D444000 mov eax,试炼ACP.0040442D
0040C159 BA 39454000 mov edx,试炼ACP.00404539
0040C15E E8 93CCFFFF call 试炼ACP.00408DF6
0040C163 B8 39444000 mov eax,试炼ACP.00404439
0040C168 BA 3D454000 mov edx,试炼ACP.0040453D
0040C16D E8 84CCFFFF call 试炼ACP.00408DF6
0040C172 B8 46444000 mov eax,试炼ACP.00404446
0040C177 BA 41454000 mov edx,试炼ACP.00404541
0040C17C E8 75CCFFFF call 试炼ACP.00408DF6
0040C181 B8 5F444000 mov eax,试炼ACP.0040445F
0040C186 BA 49454000 mov edx,试炼ACP.00404549
0040C18B E8 66CCFFFF call 试炼ACP.00408DF6
0040C190 B8 70444000 mov eax,试炼ACP.00404470
0040C195 BA 4D454000 mov edx,试炼ACP.0040454D
0040C19A E8 57CCFFFF call 试炼ACP.00408DF6
0040C19F B8 81444000 mov eax,试炼ACP.00404481
0040C1A4 BA 51454000 mov edx,试炼ACP.00404551
0040C1A9 E8 48CCFFFF call 试炼ACP.00408DF6
0040C1AE B8 81454000 mov eax,试炼ACP.00404581
0040C1B3 BA 7D454000 mov edx,试炼ACP.0040457D
0040C1B8 E8 39CCFFFF call 试炼ACP.00408DF6
0040C1BD 83BD F1204000 00 cmp dword ptr ss:[ebp+4020F1],0 ====> [ebp+4020F1] should be 0
0040C1C4 74 24 je short 试炼ACP.0040C1EA
…… …… (omitted) …… ……
0040C396 B8 9D444000 mov eax,试炼ACP.0040449D
0040C39B BA E9444000 mov edx,试炼ACP.004044E9
0040C3A0 E8 51CAFFFF call 试炼ACP.00408DF6
0040C3A5 B8 A9444000 mov eax,试炼ACP.004044A9
0040C3AA BA ED444000 mov edx,试炼ACP.004044ED
0040C3AF E8 42CAFFFF call 试炼ACP.00408DF6
0040C3B4 B8 B8444000 mov eax,试炼ACP.004044B8
0040C3B9 BA F1444000 mov edx,试炼ACP.004044F1
0040C3BE E8 33CAFFFF call 试炼ACP.00408DF6
0040C3C3 B8 C6434000 mov eax,试炼ACP.004044C6
0040C3C8 BA F5444000 mov edx,试炼ACP.004044F5
0040C3CD E8 24CAFFFF call 试炼ACP.00408DF6
0040C3D2 C3 retn
^O^ ^O^ → Countermeasure: set breakpoints such as BP GetProcAddress+1 to avoid the first-byte check!
————————————————————————
3. Calling IsDebuggerPresent to detect debuggers that trace the program via the Debug API
0040B88B FF95 29454000 call dword ptr ss:[ebp+404529]
0040B891 0BC0 or eax,eax
0040B893 0F84 B4000000 je 试炼ACP.0040B94D

77E52E92 64:A1 18000000 mov eax,dword ptr fs:[18]
77E52E98 8B40 30 mov eax,dword ptr ds:[eax+30]
77E52E9B 0FB640 02 movzx eax,byte ptr ds:[eax+2] ====> or change the return value here to 0
77E52E9F C3 retn
^O^ ^O^ → Countermeasure: the most convenient way is to use Ollydbg's IsDebug plugin to clear the debugger flag.
————————————————————————
4. Blacklist
0040A100 FF95 01454000 call dword ptr ss:[ebp+404501] ; kernel32.Process32First
…… …… (omitted) …… ……
0040A14D 47 inc edi
0040A14E 8BF0 mov esi,eax
0040A150 E8 01F1FFFF call 试炼ACP.00409256 ====> inside, compares byte by byte for blacklist members: 0040928E cmp dh,dl
0040A155 80FE 01 cmp dh,1
0040A158 74 1C je short 试炼ACP.0040A176
0040A15A 90 nop
0040A15B 90 nop
0040A15C 90 nop
0040A15D 90 nop
0040A15E EB D7 jmp short 试炼ACP.0040A137
0040A160 B8 3D424000 mov eax,试炼ACP.0040423D
0040A165 03C5 add eax,ebp
0040A167 50 push eax
0040A168 FFB5 39424000 push dword ptr ss:[ebp+404239]
0040A16E FF95 05454000 call dword ptr ss:[ebp+404505] ; kernel32.Process32Next
0040A174 EB 90 jmp short 试炼ACP.0040A106 ====> loop fetching process names
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆