—————————————————————————————————
3. Memory breakpoint on the 401000 section: straight to the OEP

Alt+M to open the memory map, set a memory-access breakpoint on the section that starts at 401000, press F9 to run, and execution breaks directly at the OEP.
0040DED2 55 push ebp // after correcting ImageSize with LordPE, fully dump this process
0040DED3 8BEC mov ebp,esp
0040DED5 6A FF push -1
0040DED7 68 38C34200 push StayOn_P.0042C338
0040DEDC 68 8C054100 push StayOn_P.0041058C
0040DEE1 64:A1 00000000 mov eax,dword ptr fs:[0]
0040DEE7 50 push eax
0040DEE8 64:8925 00000000 mov dword ptr fs:[0],esp
0040DEEF 83EC 58 sub esp,58
0040DEF2 53 push ebx
0040DEF3 56 push esi
0040DEF4 57 push edi
0040DEF5 8965 E8 mov dword ptr ss:[ebp-18],esp
0040DEF8 FF15 90824200 call dword ptr ds:[428290] ; kernel32.GetVersion

Run ImportREC 1.6 and select this process. Change the OEP to 0000DED2 and click IAT AutoSearch: every function is valid. Click "Get Import", then Fix Dump, and the program runs normally!

—————————————————————————————————
4. Cracking

The unpacked program now runs normally; registration is no longer required and the time limit no longer applies. Yet the NAG asking for registration still popped up at startup, which puzzled me for a moment: was the unpacking incomplete? Loading it into OllyDbg made everything clear: the author had written the registration dialog into the main program, while the registration validation still happens inside the Armadillo shell. Let's keep going and finish it off!

00404A46 E8 B18B0000 call dumped_.0040D5FC // check whether already registered
00404A4B 59 pop ecx
00404A4C 85C0 test eax,eax
00404A4E 59 pop ecx
00404A4F 75 11 jnz short dumped_.00404A62 // if it jumps, the NAG asking for registration pops up
00404A51 C787 D0000000010000 mov dword ptr ds:[edi+D0],1
00404A5B 33DB xor ebx,ebx
00404A5D E9 3C010000 jmp dumped_.00404B9E
00404A62 83A7 D0000000 00 and dword ptr ds:[edi+D0],0
00404A69 6A 0E push 0E
00404A6B 53 push ebx
00404A6C 68 40434300 push dumped_.00434340 ; ASCII "DAYSINSTALLED"
00404A71 FF15 D4814200 call dword ptr ds:[<&kernel32.GetEnvironmentVariableA>]
00404A77 8D45 DC lea eax,dword ptr ss:[ebp-24]
00404A7A 53 push ebx
00404A7B 50 push eax
00404A7C 8BCF mov ecx,edi
00404A7E E8 EFFCFFFF call dumped_.00404772
00404A83 50 push eax
00404A84 8D8F 30010000 lea ecx,dword ptr ds:[edi+130]
00404A8A C645 FC 02 mov byte ptr ss:[ebp-4],2
00404A8E E8 7F6B0100 call dumped_.0041B612
00404A93 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00404A96 C645 FC 01 mov byte ptr ss:[ebp-4],1
00404A9A E8 7E6A0100 call dumped_.0041B51D
00404A9F 8B87 D4000000 mov eax,dword ptr ds:[edi+D4]
00404AA5 8D8F D4000000 lea ecx,dword ptr ds:[edi+D4]
00404AAB FF90 B8000000 call dword ptr ds:[eax+B8]
00404AB1 83BF 34010000 01 cmp dword ptr ds:[edi+134],1
00404AB8 8B87 AC020000 mov eax,dword ptr ds:[edi+2AC]
00404ABE 74 29 je short dumped_.00404AE9
00404AC0 50 push eax
00404AC1 68 50434300 push dumped_.00434350 ; ASCII "sop"
00404AC6 8BCF mov ecx,edi
00404AC8 E8 4FFCFFFF call dumped_.0040471C // calls ArmAccess.DLL to validate the registration code ★
00404ACD 85C0 test eax,eax
00404ACF 74 18 je short dumped_.00404AE9
00404AD1 6A 00 push 0
00404AD3 6A 00 push 0
00404AD5 68 18434300 push dumped_.00434318 ; ASCII "Thank You For registering StayOn Pro!"
00404ADF C787 D0000000010000 mov dword ptr ds:[edi+D0],1
00404AE9 6A 08 push 8
00404AEB 53 push ebx
00404AEC 68 10434300 push dumped_.00434310 ; ASCII "EXPIRED" // expired
00404AF1 FF15 D4814200 call dword ptr ds:[<&kernel32.GetEnvironmentVariableA>]
00404AF7 53 push ebx
00404AF8 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
00404AFB E8 476A0100 call dumped_.0041B547
00404B00 68 08434300 push dumped_.00434308 ; ASCII "True"

Now that the program is unpacked it naturally can no longer find ArmAccess.DLL to validate the registration code, so we may as well lend it a hand, heh.

00404A4F 75 11 jnz short dumped_.00404A62 // NOP it out!

With that, the startup NAG never comes back, and the About box shows Registered as well!

—————————————————————————————————
Youth lasts but a moment; I'd rather trade hollow fame for the wild abandon of cracking.
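The ImageSize correction that precedes the dump in section 3 is the same arithmetic an analyst uses to sanity-check the header of any image dumped from memory. The Python below is an added example, not code from the original post: it recomputes the SizeOfImage implied by a PE32 section table and compares it with the value the header declares. The header bytes it checks are constructed in the block itself with a hypothetical section layout; they are not the StayOn Pro binary.

```python
import struct

SECTION_HDR_SIZE = 40  # size of one IMAGE_SECTION_HEADER

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def parse_pe(pe):
    """Read SectionAlignment, the declared SizeOfImage and the section table of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20  # optional header follows the 20-byte COFF header
    section_alignment = struct.unpack_from("<I", pe, opt + 32)[0]
    declared_size = struct.unpack_from("<I", pe, opt + 56)[0]
    sections, off = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, va = struct.unpack_from("<8sII", pe, off)
        sections.append((name.rstrip(b"\0").decode(), va, vsize))
        off += SECTION_HDR_SIZE
    return section_alignment, declared_size, sections

def check_size_of_image(pe):
    """Return (declared, expected, ok): expected is the end of the highest section, rounded up."""
    section_alignment, declared, sections = parse_pe(pe)
    expected = max(align_up(va + vs, section_alignment) for _, va, vs in sections)
    return declared, expected, declared == expected

def build_header(size_of_image, sections, section_alignment=0x1000):
    """Constructed sample (hypothetical layout, no real code): a bare PE32 header with the given sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 32, section_alignment)
    struct.pack_into("<I", opt, 56, size_of_image)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, 0, 0, 0, 0, 0, 0, 0x60000020)
                     for n, va, vs in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

# Constructed layout: sections end at 0x39C00, so SizeOfImage must be 0x3A000, but BAD_HEADER
# claims 0x33000 like an uncorrected header; check_size_of_image(BAD_HEADER) -> (0x33000, 0x3A000, False)
SAMPLE_SECTIONS = [(".text", 0x1000, 0x2B000), (".rdata", 0x2C000, 0x8000), (".data", 0x34000, 0x5C00)]
BAD_HEADER = build_header(0x33000, SAMPLE_SECTIONS)
GOOD_HEADER = build_header(0x3A000, SAMPLE_SECTIONS)
```

A declared value smaller than the computed one is the condition under which a dump truncates the image; an equal value means the header already matches the section table.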
Cracked By 巢水工作坊——fly [OCN][FCG][NUKE][DCM]
2004-03-16 16:16