
[Original] 《图章制作系统 V3.63》 (Stamp Maker System V3.63): unpacking, removing the self-check and defusing the suicide code [analysis part]

2005-8-2 16:03 12535

【Title】: 《图章制作系统 V3.63》 (Stamp Maker System V3.63): unpacking, removing the self-check and defusing the suicide code [analysis part]

【Author】: KuNgBiM[DFCG]

【Author's e-mail】: gb_1227@163.com

【Software】: 图章制作系统 V3.63

【Size】: 724 KB

【Category】: Chinese software / shareware / design and production

【Written up】: 2005-07-29

【Download】: http://www.downreg.com/Software/View-Software-4587.html

【Description】: Makes official seals and hand stamps and outputs them as GIF images, with transparency support. Round, elliptical, square and rectangular shapes; many adjustable parameters; custom text size; settings can be saved.

【Protection】: registration code + trial feature restrictions

【Packing / anti-crack】: ASPack 2.12 + post-unpack self-check + program suicide code (uses the system's autoexec.bat to delete a program that fails the check) + Anti-Loader

【Compiler】: Borland Delphi 6.0 - 7.0

【Debugging environment】: WinXP, PEiD, OllyDbg, LordPE, ImportREC

【Crack date】: 2005-09-01

【Purpose】: to promote the ESP trick for unpacking, to remove the self-check, and to study the algorithm

【Author's note】: I am a beginner at cracking and do this purely out of interest, for no other purpose. Corrections from the experts are welcome!

―――――――――――――――――――――――――――――――――

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 【Unpacking】 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Identify the packer: PEiD reports ASPack 2.12 -> Alexey Solodovnikov.

Tool of choice: since we know it is ASPack, out comes OllyDbg and, true to the title, we unpack it by hand.

――――――――――――――――――――
Load the main program in OllyDbg:

005FA001 >  60                    pushad                               ; the program stops here after loading; press F8 once
005FA002    E8 03000000           call MakeSign.005FA00A               ; now at this line, look at the register window
005FA007  - E9 EB045D45           jmp 45BCA4F7
005FA00C    55                    push ebp
005FA00D    C3                    retn

\\\\\\\\\\\\\\\ Registers \\\\\\\\\\\\\\\\

EAX 00000000
ECX 0012FFB0
EDX 7FFE0304
EBX 7FFDF000
ESP 0012FFA4       ; esp=0012ffa4
EBP 0012FFF0
ESI 77F57D70 ntdll.77F57D70
EDI 77F944A8 ntdll.77F944A8
EIP 005FA002 MakeSign.005FA002

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Following the ESP trick, type hr 0012ffa4 in the command line (a hardware breakpoint on access at the ESP value the pushad just produced; use whatever ESP shows on your own machine), press Enter, then F9 to run:

005FA3B0   /75 08                 jnz short MakeSign.005FA3BA          ; breaks here; F7 to continue
005FA3B2   |B8 01000000           mov eax,1
005FA3B7   |C2 0C00               retn 0C
005FA3BA   \68 10CA5800           push MakeSign.0058CA10               ; the 0058CA10 pushed here is the OEP; F7
005FA3BF    C3                    retn                                 ; returns to the program's original entry point, off into the light~~ F7

It lands here:

0058CA10    55                    push ebp                             ; at this point use LordPE to correct the ImageSize and do a full dump of the process
0058CA11    8BEC                  mov ebp,esp
0058CA13    83C4 F0               add esp,-10
0058CA16    B8 E0C55800           mov eax,MakeSign.0058C5E0
0058CA1B    E8 64A2E7FF           call MakeSign.00406C84
0058CA20    A1 A48B5900           mov eax,dword ptr ds:[598BA4]
0058CA25    8B00                  mov eax,dword ptr ds:[eax]
0058CA27    E8 4427EEFF           call MakeSign.0046F170
0058CA2C    A1 A48B5900           mov eax,dword ptr ds:[598BA4]
0058CA31    8B00                  mov eax,dword ptr ds:[eax]
0058CA33    BA 70CA5800           mov edx,MakeSign.0058CA70
0058CA38    E8 3F23EEFF           call MakeSign.0046ED7C
0058CA3D    8B0D 90885900         mov ecx,dword ptr ds:[598890]          ; MakeSign.005A5BE8
0058CA43    A1 A48B5900           mov eax,dword ptr ds:[598BA4]
0058CA48    8B00                  mov eax,dword ptr ds:[eax]

Repairing the dump:

Run ImportREC 1.6, select the process, set the OEP to 0018CA10 (ImportREC wants the RVA: 0058CA10 - ImageBase 00400000), click IAT AutoSearch, then Get Imports: all pointers are valid. Fix Dump!

Then rebuild and optimize it with LordPE. The file is now 1.83 MB, and PEiD identifies it as Borland Delphi 6.0 - 7.0.

Close OllyDbg and try it: it runs fine! But... ↓

Then something unexpected: just as I was about to decompile it, I noticed the unpacked program I had just run was gone! Strange! Does this program have a "post-unpack self-check" and the legendary "suicide code"? I traced it, and sure enough that is what it was. Fine: if "you" throw away my unpacking effort, I am not done with "you"! Below is how to remove this annoying "self-check and suicide" code. GO~~

―――――――――――――――――――――――――――――――――
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 【Removing the self-check】 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Reopen OllyDbg and load the unpacked, repaired and optimized "dumped_.exe" (I kept the default dump file name).

In the command line type bpx CreateFileA (this sets a breakpoint on every call to CreateFileA), press Enter, then F9:

After the program starts, click "OK" to close the message box and it breaks:

004093BC    50                    push eax
004093BD    E8 C2DAFFFF           call dumped_.00406E84                  ; breaks here; F7 to step in: jmp to kernel32.CreateFileA
004093C2    5F                    pop edi
004093C3    5E                    pop esi
004093C4    5B                    pop ebx
004093C5    C3                    retn

After stepping in:

00406E84  - FF25 1C645A00         jmp dword ptr ds:[5A641C]              ; F7 again to follow the jump: kernel32.CreateFileA
00406E8A    8BC0                  mov eax,eax

It jumps here:

77E5B476 >  55                    push ebp                               ; inside kernel32 now; F8 all the way through
77E5B477    8BEC                  mov ebp,esp
77E5B479    FF75 08               push dword ptr ss:[ebp+8]
77E5B47C    E8 11FFFFFF           call kernel32.77E5B392
77E5B481    85C0                  test eax,eax
77E5B483    0F84 A3FF0100         je kernel32.77E7B42C
77E5B489    FF75 20               push dword ptr ss:[ebp+20]
77E5B48C    FF75 1C               push dword ptr ss:[ebp+1C]
77E5B48F    FF75 18               push dword ptr ss:[ebp+18]
77E5B492    FF75 14               push dword ptr ss:[ebp+14]
77E5B495    FF75 10               push dword ptr ss:[ebp+10]
77E5B498    FF75 0C               push dword ptr ss:[ebp+C]
77E5B49B    FF70 04               push dword ptr ds:[eax+4]
77E5B49E    E8 EEFBFFFF           call kernel32.CreateFileW
77E5B4A3    5D                    pop ebp
77E5B4A4    C2 1C00               retn 1C                                ; F8 to this retn and return

Back here (the instruction right after the breakpoint):

004093C2    5F                    pop edi                                ; F7 single-step; edi = 00B80000
004093C3    5E                    pop esi                                ; F7 single-step; esi = 00BC689C
004093C4    5B                    pop ebx                                ; F7 single-step; ebx = 00B8942C
004093C5    C3                    retn                                   ; returns to the next check site

Back here:

0041F9D5    8BC8                  mov ecx,eax                            ; returned here
0041F9D7    33D2                  xor edx,edx
0041F9D9    8BC3                  mov eax,ebx
0041F9DB    E8 7CFEFFFF           call dumped_.0041F85C
0041F9E0    837B 04 00            cmp dword ptr ds:[ebx+4],0
0041F9E4    7D 24                 jge short dumped_.0041FA0A
0041F9E6    8975 F4               mov dword ptr ss:[ebp-C],esi
0041F9E9    C645 F8 0B            mov byte ptr ss:[ebp-8],0B
0041F9ED    8D45 F4               lea eax,dword ptr ss:[ebp-C]
0041F9F0    50                    push eax
0041F9F1    6A 00                 push 0
0041F9F3    8B0D A08C5900         mov ecx,dword ptr ds:[598CA0]          ; dumped_.00418198
0041F9F9    B2 01                 mov dl,1
0041F9FB    A1 E49E4100           mov eax,dword ptr ds:[419EE4]
0041FA00    E8 03D1FEFF           call dumped_.0040CB08
0041FA05    E8 0E46FEFF           call dumped_.00404018
0041FA0A    8BC3                  mov eax,ebx
0041FA0C    807D FF 00            cmp byte ptr ss:[ebp-1],0
0041FA10    74 0F                 je short dumped_.0041FA21
0041FA12    E8 F141FEFF           call dumped_.00403C08
0041FA17    64:8F05 00000000      pop dword ptr fs:[0]
0041FA1E    83C4 0C               add esp,0C
0041FA21    8BC3                  mov eax,ebx
0041FA23    5F                    pop edi
0041FA24    5E                    pop esi
0041FA25    5B                    pop ebx
0041FA26    8BE5                  mov esp,ebp
0041FA28    5D                    pop ebp
0041FA29    C2 0800               retn 8                                 ; F8 through again until this retn returns

Back here:

0041F945    8BC6                  mov eax,esi
0041F947    84DB                  test bl,bl
0041F949    74 0F                 je short dumped_.0041F95A
0041F94B    E8 B842FEFF           call dumped_.00403C08
0041F950    64:8F05 00000000      pop dword ptr fs:[0]
0041F957    83C4 0C               add esp,0C
0041F95A    8BC6                  mov eax,esi
0041F95C    5E                    pop esi
0041F95D    5B                    pop ebx
0041F95E    5D                    pop ebp
0041F95F    C2 0400               retn 4                                 ; once more F8 through to this retn and return

Back here (★important★):

00581E4A    8945 F4               mov dword ptr ss:[ebp-C],eax
00581E4D    33C0                  xor eax,eax                            ; the value here differs between the packed and the unpacked program; eax=00B8942C before the xor
00581E4F    55                    push ebp
00581E50    68 7C1E5800           push dumped_.00581E7C
00581E55    64:FF30               push dword ptr fs:[eax]
00581E58    64:8920               mov dword ptr fs:[eax],esp
00581E5B    8B45 F4               mov eax,dword ptr ss:[ebp-C]
00581E5E    E8 D5D5E9FF           call dumped_.0041F438                  ; size routine (the original write-up calls it the "CRC check"; what it returns is the file size)
00581E63    8945 F8               mov dword ptr ss:[ebp-8],eax           ; the current file size is saved: eax=001D5200 = 1,921,536 bytes (the 1.83 MB dump)
00581E66    33C0                  xor eax,eax                            ; eax is zeroed here (Delphi try/finally frame teardown follows); the size stays in [ebp-8]
00581E68    5A                    pop edx
00581E69    59                    pop ecx
00581E6A    59                    pop ecx
00581E6B    64:8910               mov dword ptr fs:[eax],edx
00581E6E    68 831E5800           push dumped_.00581E83
00581E73    8B45 F4               mov eax,dword ptr ss:[ebp-C]
00581E76    E8 D119E8FF           call dumped_.0040384C
00581E7B    C3                    retn
00581E7C  ^\E9 5F21E8FF           jmp dumped_.00403FE0
00581E81  ^ EB F0                 jmp short dumped_.00581E73
00581E83    33C0                  xor eax,eax
00581E85    5A                    pop edx
00581E86    59                    pop ecx
00581E87    59                    pop ecx
00581E88    64:8910               mov dword ptr fs:[eax],edx
00581E8B    EB 0A                 jmp short dumped_.00581E97
00581E8D  ^ E9 9A1EE8FF           jmp dumped_.00403D2C
00581E92    E8 FD21E8FF           call dumped_.00404094
00581E97    33C0                  xor eax,eax
00581E99    5A                    pop edx
00581E9A    59                    pop ecx
00581E9B    59                    pop ecx
00581E9C    64:8910               mov dword ptr fs:[eax],edx
00581E9F    68 B41E5800           push dumped_.00581EB4
00581EA4    8D45 FC               lea eax,dword ptr ss:[ebp-4]
00581EA7    E8 9027E8FF           call dumped_.0040463C
00581EAC    C3                    retn
00581EAD  ^\E9 2E21E8FF           jmp dumped_.00403FE0
00581EB2  ^ EB F0                 jmp short dumped_.00581EA4
00581EB4    8B45 F8               mov eax,dword ptr ss:[ebp-8]           ; the saved size comes back in eax: stack ss:[0012FDBC]=001D5200
00581EB7    5F                    pop edi
00581EB8    5E                    pop esi
00581EB9    5B                    pop ebx
00581EBA    8BE5                  mov esp,ebp
00581EBC    5D                    pop ebp
00581EBD    C3                    retn                                   ; returns to the caller, which decides what the program does next!

Back here (★important★【first site】):

00584B87    E8 78D2FFFF           call dumped_.00581E04
00584B8C    3D 00A00F00           cmp eax,0FA000                         ; a size ceiling: 0FA000 = 1,024,000 bytes. The packed exe (724 KB) fits under it;
                                                                         ; the 1.83 MB dump (001D5200 = 1,921,536 bytes) does not, and that is how the program notices it has been unpacked
00584B91    7E 1C                 jle short dumped_.00584BAF             ; only when the size is at or below the limit does the program continue normally; this jump must be taken!
                                                                         ; if it falls through, the failure path at 00584B93-00584BAA runs instead

*************************
Code change:

00584B8C    3D 00A00F00           cmp eax,0FA000    // I changed it to: cmp eax,0FFFFFFF   (heh, 268,435,455 bytes is about 256 MB; how many programs are bigger than that?)
                                                    // bytes 3D 00 A0 0F 00 become 3D FF FF FF 0F: the immediate is still 4 bytes, so nothing after it moves.
                                                    // The same check appears a second time at 005842C9; both sites must be patched.

*************************

00584B93    8D55 F0               lea edx,dword ptr ss:[ebp-10]
00584B96    A1 A48B5900           mov eax,dword ptr ds:[598BA4]
00584B9B    8B00                  mov eax,dword ptr ds:[eax]
00584B9D    E8 3EACEEFF           call dumped_.0046F7E0
00584BA2    8B45 F0               mov eax,dword ptr ss:[ebp-10]
00584BA5    E8 16D3FFFF           call dumped_.00581EC0
00584BAA    E8 19F9E7FF           call dumped_.004044C8
00584BAF    E8 E0D4FFFF           call dumped_.00582094
00584BB4    84C0                  test al,al
00584BB6    74 1C                 je short dumped_.00584BD4              ; taken
00584BB8    8D55 EC               lea edx,dword ptr ss:[ebp-14]
00584BBB    A1 A48B5900           mov eax,dword ptr ds:[598BA4]
00584BC0    8B00                  mov eax,dword ptr ds:[eax]
00584BC2    E8 19ACEEFF           call dumped_.0046F7E0
00584BC7    8B45 EC               mov eax,dword ptr ss:[ebp-14]
00584BCA    E8 F1D2FFFF           call dumped_.00581EC0
00584BCF    E8 F4F8E7FF           call dumped_.004044C8
00584BD4    8B83 B8040000         mov eax,dword ptr ds:[ebx+4B8]
00584BDA    E8 8D9CFEFF           call dumped_.0056E86C
00584BDF    E8 ECD7FFFF           call dumped_.005823D0
00584BE4    8B93 44030000         mov edx,dword ptr ds:[ebx+344]
00584BEA    8B52 48               mov edx,dword ptr ds:[edx+48]
00584BED    3BC2                  cmp eax,edx
00584BEF    7E 02                 jle short dumped_.00584BF3             ; taken
00584BF1    8BC2                  mov eax,edx
00584BF3    8BD0                  mov edx,eax
00584BF5    8B83 48030000         mov eax,dword ptr ds:[ebx+348]
00584BFB    E8 748DECFF           call dumped_.0044D974
00584C00    8B83 C4040000         mov eax,dword ptr ds:[ebx+4C4]
00584C06    E8 619CFEFF           call dumped_.0056E86C
00584C0B    E8 90D8FFFF           call dumped_.005824A0
00584C10    8B93 44030000         mov edx,dword ptr ds:[ebx+344]
00584C16    8B52 4C               mov edx,dword ptr ds:[edx+4C]
00584C19    3BC2                  cmp eax,edx
00584C1B    7E 02                 jle short dumped_.00584C1F             ; taken
00584C1D    8BC2                  mov eax,edx
00584C1F    8BD0                  mov edx,eax
00584C21    8B83 48030000         mov eax,dword ptr ds:[ebx+348]
00584C27    E8 6C8DECFF           call dumped_.0044D998
00584C2C    8B93 44030000         mov edx,dword ptr ds:[ebx+344]
00584C32    8B52 48               mov edx,dword ptr ds:[edx+48]
00584C35    8B83 48030000         mov eax,dword ptr ds:[ebx+348]
00584C3B    2B50 48               sub edx,dword ptr ds:[eax+48]
00584C3E    D1FA                  sar edx,1
00584C40    79 03                 jns short dumped_.00584C45             ; taken
00584C42    83D2 00               adc edx,0
00584C45    E8 DE8CECFF           call dumped_.0044D928
00584C4A    8B93 44030000         mov edx,dword ptr ds:[ebx+344]
00584C50    8B52 4C               mov edx,dword ptr ds:[edx+4C]
00584C53    8B83 48030000         mov eax,dword ptr ds:[ebx+348]
00584C59    2B50 4C               sub edx,dword ptr ds:[eax+4C]
00584C5C    D1FA                  sar edx,1
00584C5E    79 03                 jns short dumped_.00584C63             ; taken
00584C60    83D2 00               adc edx,0
00584C63    E8 E48CECFF           call dumped_.0044D94C
00584C68    B2 06                 mov dl,6
00584C6A    8B83 4C030000         mov eax,dword ptr ds:[ebx+34C]
00584C70    E8 578AECFF           call dumped_.0044D6CC
00584C75    B2 05                 mov dl,5
00584C77    8B83 4C030000         mov eax,dword ptr ds:[ebx+34C]
00584C7D    E8 4A8AECFF           call dumped_.0044D6CC
00584C82    8BC3                  mov eax,ebx
00584C84    E8 939AECFF           call dumped_.0044E71C
00584C89    B2 06                 mov dl,6
00584C8B    8B83 4C030000         mov eax,dword ptr ds:[ebx+34C]
00584C91    E8 368AECFF           call dumped_.0044D6CC
00584C96    8B83 48030000         mov eax,dword ptr ds:[ebx+348]
00584C9C    8B50 48               mov edx,dword ptr ds:[eax+48]
00584C9F    83EA 02               sub edx,2
00584CA2    8B83 4C030000         mov eax,dword ptr ds:[ebx+34C]
00584CA8    E8 C78CECFF           call dumped_.0044D974
00584CAD    8B83 48030000         mov eax,dword ptr ds:[ebx+348]
00584CB3    8B50 4C               mov edx,dword ptr ds:[eax+4C]
00584CB6    83EA 02               sub edx,2
00584CB9    8B83 4C030000         mov eax,dword ptr ds:[ebx+34C]
00584CBF    E8 D48CECFF           call dumped_.0044D998
00584CC4    8B83 64030000         mov eax,dword ptr ds:[ebx+364]
00584CCA    66:BE EBFF            mov si,0FFEB
00584CCE    E8 75EDE7FF           call dumped_.00403A48                  ; step in; execution returns to the program, which then performs the check a second time

The bpx on CreateFileA fires a second time at the same call site, 004093BD, and the path is identical to the first pass, so the listings are not repeated here: 00406E84 -> kernel32.CreateFileA (77E5B476, leaving through the retn 1C at 77E5B4A4) -> back to 004093C2 (edi=00B80000, esi=00BC689C, ebx=00B8942C) -> 0041F9D5 (retn 8 at 0041FA29) -> 0041F945 (retn 4 at 0041F95F) -> 00581E4A, where the call at 00581E5E again returns the file size eax=001D5200 and the routine leaves through the retn at 00581EBD. What differs is where that retn lands this time:

Back here (★important★【second site】):

005842C4    E8 3BDBFFFF           call dumped_.00581E04
005842C9    3D 00A00F00           cmp eax,0FA000                         ; the same size ceiling as at 00584B8C: 0FA000 = 1,024,000 bytes,
                                                                         ; between the 724 KB packed exe and the 1.83 MB dump
005842CE    7E 05                 jle short dumped_.005842D5             ; only if the size is at or below the limit does the program run normally; this jump must be taken!

*************************
Code change:

005842C9    3D 00A00F00           cmp eax,0FA000    // I changed it to: cmp eax,0FFFFFFF   (heh, 268,435,455 bytes is about 256 MB; how many programs are bigger than that?)
                                                    // as at 00584B8C, the bytes become 3D FF FF FF 0F and the instruction keeps its length

*************************
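
Two of the by-hand steps above can be scripted, and scripting the second one is also how you make sure no check site was missed. The Python below is an added example, not the tutorial's own code and not anything from the stamp software. It does (1) the dump fix-up: it computes the OEP RVA that ImportREC is given (0058CA10 - ImageBase 00400000 = 0018CA10) and the SizeOfImage value that LordPE's "correct ImageSize" produces from the section table, and writes both into the optional header; and (2) the patch: it scans a file for every cmp eax,0FA000 / jle pair (bytes 3D 00 A0 0F 00 7E), which generalizes the two sites found by tracing (00584B8C and 005842C9) to however many copies exist, verifies the original bytes, and rewrites the immediate to 0FFFFFFF as done above. The PE it runs on is constructed in build_demo_pe() with sections laid out so that the two sites get the tutorial's VAs; the ImageBase 00400000 and that section layout are assumptions. On the real dumped_.exe you would pass open(path, "rb").read() instead.

```python
import struct

IMAGE_BASE = 0x400000                           # ImageBase of dumped_.exe (assumed for the demo)
SIZE_CHECK = bytes.fromhex("3D00A00F007E")      # cmp eax,0FA000 ; jle short ...
NEW_LIMIT = 0x0FFFFFFF                          # the replacement immediate used in the text

def parse_pe(data):
    """Minimal PE32 header parser: optional-header offset, image base, alignment, sections."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base, sect_align = struct.unpack_from("<II", data, opt + 28)
    sections = []
    for i in range(nsec):
        name, vsize, rva, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rva, rawsize, rawptr))
    return {"opt": opt, "image_base": image_base, "section_alignment": sect_align, "sections": sections}

def oep_rva(oep_va, image_base=IMAGE_BASE):
    """ImportREC takes the OEP as an RVA: 0058CA10 - 00400000 = 0018CA10."""
    return oep_va - image_base

def compute_size_of_image(pe):
    """LordPE's 'correct ImageSize': end of the highest section, rounded up to SectionAlignment."""
    end = max(rva + max(vsize, rawsize) for _, vsize, rva, rawsize, _ in pe["sections"])
    align = pe["section_alignment"]
    return (end + align - 1) // align * align

def fix_dump_header(data, oep_va):
    """Write AddressOfEntryPoint (opt+16) and SizeOfImage (opt+56) into a raw dump."""
    pe, out = parse_pe(data), bytearray(data)
    struct.pack_into("<I", out, pe["opt"] + 16, oep_rva(oep_va, pe["image_base"]))
    struct.pack_into("<I", out, pe["opt"] + 56, compute_size_of_image(pe))
    return bytes(out)

def read_dump_header(data):
    """(AddressOfEntryPoint, SizeOfImage) as currently stored in the file."""
    opt = parse_pe(data)["opt"]
    return struct.unpack_from("<I", data, opt + 16)[0], struct.unpack_from("<I", data, opt + 56)[0]

def offset_to_va(pe, offset):
    """File offset -> VA through the section table; None if not inside any section's raw data."""
    for _, _, rva, rawsize, rawptr in pe["sections"]:
        if rawptr <= offset < rawptr + rawsize:
            return pe["image_base"] + rva + (offset - rawptr)
    return None

def va_to_offset(pe, va):
    rva = va - pe["image_base"]
    for _, _, srva, rawsize, rawptr in pe["sections"]:
        if srva <= rva < srva + rawsize:
            return rawptr + (rva - srva)
    raise ValueError("VA %#x is not backed by file data" % va)

def find_size_checks(data):
    """Every cmp eax,0FA000 / jle pair in the file, as VAs in file order (a third copy would show too)."""
    pe, hits, pos = parse_pe(data), [], data.find(SIZE_CHECK)
    while pos != -1:
        va = offset_to_va(pe, pos)
        if va is not None:                      # skip matches that are not inside a section
            hits.append(va)
        pos = data.find(SIZE_CHECK, pos + 1)
    return hits

def patch_size_checks(data, new_limit=NEW_LIMIT):
    """Rewrite the 4-byte immediate of each located check; same length, so no code moves."""
    pe, out, sites = parse_pe(data), bytearray(data), find_size_checks(data)
    for va in sites:
        off = va_to_offset(pe, va)
        assert out[off:off + 6] == SIZE_CHECK   # never patch blind: re-verify the original bytes
        struct.pack_into("<I", out, off + 1, new_limit)
    return bytes(out), sites

def build_demo_pe():
    """Constructed stand-in for dumped_.exe (not the real file): a CODE section placed so the
    two check sites land on the tutorial's VAs 005842C9 and 00584B8C, plus a cmp/jnz decoy."""
    code_rva, code_raw, code_size = 0x184000, 0x200, 0x1000
    code = bytearray(code_size)
    code[0x2C9:0x2CF] = SIZE_CHECK                          # 00400000 + 184000 + 2C9 = 005842C9
    code[0xB8C:0xB92] = SIZE_CHECK                          # 00400000 + 184000 + B8C = 00584B8C
    code[0x500:0x506] = bytes.fromhex("3D00A00F0075")       # cmp eax,0FA000 ; jnz: must not match
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic; AddressOfEntryPoint left at 0
    struct.pack_into("<III", opt, 28, IMAGE_BASE, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x1000, 0x200)         # SizeOfImage (deliberately wrong), SizeOfHeaders
    secs = struct.pack("<8sIIIIIIHHI", b"CODE", code_size, code_rva, code_size, code_raw, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b"DATA", 0xB00, 0x18C000, 0, 0, 0, 0, 0, 0, 0xC0000080)  # OEP 0018CA10 lies here
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(code_raw, b"\0")
    return headers + bytes(code)

if __name__ == "__main__":
    fixed = fix_dump_header(build_demo_pe(), 0x58CA10)
    print("OEP RVA %#x, SizeOfImage %#x" % read_dump_header(fixed))
    patched, sites = patch_size_checks(fixed)
    print("patched size checks at", ", ".join("%08X" % va for va in sites))
```

The byte search is deliberately narrow (exact immediate plus the jle opcode) so it does not fire on every compare with 0FA000, but it is still only a pattern match: confirm each reported VA in OllyDbg before trusting the patched file, as the script checks the bytes, not the surrounding logic.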

005842D0    BB 01000000           mov ebx,1
005842D5    4B                    dec ebx
005842D6    0F85 0C020000         jnz dumped_.005844E8                   ; taken when the second size check passed (must jump)! Falling through enters the system.ini bookkeeping below
005842DC    B9 24475800           mov ecx,dumped_.00584724               ; ASCII "system.ini"
005842E1    B2 01                 mov dl,1
005842E3    A1 04084700           mov eax,dword ptr ds:[470804]
005842E8    E8 C7C5EEFF           call dumped_.004708B4
005842ED    8BF0                  mov esi,eax
005842EF    68 38475800           push dumped_.00584738
005842F4    8D85 70FFFFFF         lea eax,dword ptr ss:[ebp-90]
005842FA    50                    push eax
005842FB    B9 44475800           mov ecx,dumped_.00584744               ; ASCII "date"   ★one of the reasons the unpacked program gets deleted after it runs★
00584300    BA 54475800           mov edx,dumped_.00584754               ; ASCII "hsjsign_install"    ★the section in system.ini; explained in detail later★
00584305    8BC6                  mov eax,esi
00584307    8B18                  mov ebx,dword ptr ds:[eax]
00584309    FF13                  call dword ptr ds:[ebx]
0058430B    8B95 70FFFFFF         mov edx,dword ptr ss:[ebp-90]
00584311    8B45 FC               mov eax,dword ptr ss:[ebp-4]
00584314    05 80000000           add eax,80
00584319    E8 7203E8FF           call dumped_.00404690
0058431E    8BC6                  mov eax,esi
00584320    E8 27F5E7FF           call dumped_.0040384C
00584325    8B45 FC               mov eax,dword ptr ss:[ebp-4]
00584328    8B80 80000000         mov eax,dword ptr ds:[eax+80]
0058432E    E8 7963E8FF           call dumped_.0040A6AC
00584333    DBBD 64FFFFFF         fstp tbyte ptr ss:[ebp-9C]
00584339    9B                    wait
0058433A    E8 2568E8FF           call dumped_.0040AB64
0058433F    DBAD 64FFFFFF         fld tbyte ptr ss:[ebp-9C]
00584345    DEE1                  fsubrp st(1),st
00584347    D9E1                  fabs
00584349    D81D 64475800         fcomp dword ptr ds:[584764]
0058434F    DFE0                  fstsw ax
00584351    9E                    sahf
00584352    0F86 90010000         jbe dumped_.005844E8
00584358    B9 24475800           mov ecx,dumped_.00584724               ; ASCII "system.ini"
0058435D    B2 01                 mov dl,1
0058435F    A1 04084700           mov eax,dword ptr ds:[470804]
00584364    E8 4BC5EEFF           call dumped_.004708B4
00584369    8BF0                  mov esi,eax
0058436B    68 38475800           push dumped_.00584738
00584370    8D85 60FFFFFF         lea eax,dword ptr ss:[ebp-A0]
00584376    50                    push eax
00584377    B9 70475800           mov ecx,dumped_.00584770               ; ASCII "protect"   ★one of the reasons the unpacked program gets deleted after it runs★
0058437C    BA 54475800           mov edx,dumped_.00584754               ; ASCII "hsjsign_install"    ★explained in detail later★
00584381    8BC6                  mov eax,esi
00584383    8B18                  mov ebx,dword ptr ds:[eax]
00584385    FF13                  call dword ptr ds:[ebx]
00584387    8B95 60FFFFFF         mov edx,dword ptr ss:[ebp-A0]
0058438D    8B45 FC               mov eax,dword ptr ss:[ebp-4]
00584390    05 80000000           add eax,80
00584395    E8 F602E8FF           call dumped_.00404690
0058439A    8B45 FC               mov eax,dword ptr ss:[ebp-4]
0058439D    8B80 80000000         mov eax,dword ptr ds:[eax+80]
005843A3    E8 104EE8FF           call dumped_.004091B8
005843A8    8BD8                  mov ebx,eax
005843AA    43                    inc ebx
005843AB    8B45 FC               mov eax,dword ptr ss:[ebp-4]
005843AE    8958 0C               mov dword ptr ds:[eax+C],ebx
005843B1    8D95 5CFFFFFF         lea edx,dword ptr ss:[ebp-A4]
005843B7    8BC3                  mov eax,ebx
005843B9    E8 5A4DE8FF           call dumped_.00409118
005843BE    8B85 5CFFFFFF         mov eax,dword ptr ss:[ebp-A4]
005843C4    50                    push eax
005843C5    B9 70475800           mov ecx,dumped_.00584770               ; ASCII "protect"   ★one of the reasons the unpacked program gets deleted after it runs★ (written back here via call [ebx+4])
005843CA    BA 54475800           mov edx,dumped_.00584754               ; ASCII "hsjsign_install"    ★explained in detail later★
005843CF    8BC6                  mov eax,esi
005843D1    8B18                  mov ebx,dword ptr ds:[eax]
005843D3    FF53 04               call dword ptr ds:[ebx+4]
005843D6    8B45 FC               mov eax,dword ptr ss:[ebp-4]
005843D9    8378 0C 01            cmp dword ptr ds:[eax+C],1
005843DD    75 2F                 jnz short dumped_.0058440E
005843DF    E8 8067E8FF           call dumped_.0040AB64
005843E4    83C4 F4               add esp,-0C
005843E7    DB3C24                fstp tbyte ptr ss:[esp]
005843EA    9B                    wait
005843EB    8D85 58FFFFFF         lea eax,dword ptr ss:[ebp-A8]
005843F1    E8 B261E8FF           call dumped_.0040A5A8
005843F6    8B85 58FFFFFF         mov eax,dword ptr ss:[ebp-A8]
005843FC    50                    push eax
005843FD    B9 44475800           mov ecx,dumped_.00584744               ; ASCII "date"   ★one of the reasons the unpacked program gets deleted after it runs★ (written back here via call [ebx+4])
00584402    BA 54475800           mov edx,dumped_.00584754               ; ASCII "hsjsign_install"    ★explained in detail later★
00584407    8BC6                  mov eax,esi
00584409    8B18                  mov ebx,dword ptr ds:[eax]
0058440B    FF53 04               call dword ptr ds:[ebx+4]
0058440E    8BC6                  mov eax,esi
00584410    E8 37F4E7FF           call dumped_.0040384C
00584415    8D95 54FFFFFF         lea edx,dword ptr ss:[ebp-AC]
0058441B    A1 A48B5900           mov eax,dword ptr ds:[598BA4]
00584420    8B00                  mov eax,dword ptr ds:[eax]
00584422    E8 B9B3EEFF           call dumped_.0046F7E0
00584427    8B85 54FFFFFF         mov eax,dword ptr ss:[ebp-AC]
0058442D    E8 8EDAFFFF           call dumped_.00581EC0
00584432    8B45 FC               mov eax,dword ptr ss:[ebp-4]
00584435    8B40 0C               mov eax,dword ptr ds:[eax+C]
00584438    83F8 01               cmp eax,1
0058443B    0F8E A2000000         jle dumped_.005844E3
00584441    83F8 02               cmp eax,2
00584444    75 34                 jnz short dumped_.0058447A
00584446    6A 00                 push 0
00584448    68 78475800           push dumped_.00584778
0058444D    68 80475800           push dumped_.00584780
00584452    8B45 FC               mov eax,dword ptr ss:[ebp-4]
00584455    E8 CA05EDFF           call dumped_.00454A24
0058445A    50                    push eax
0058445B    E8 E433E8FF           call dumped_.00407844                  ; jmp to user32.MessageBoxA
00584460    6A 00                 push 0
00584462    68 64485800           push dumped_.00584864
00584467    68 70485800           push dumped_.00584870
0058446C    8B45 FC               mov eax,dword ptr ss:[ebp-4]
0058446F    E8 B005EDFF           call dumped_.00454A24
00584474    50                    push eax
00584475    E8 CA33E8FF           call dumped_.00407844                  ; jmp to user32.MessageBoxA
0058447A    E8 95E6E7FF           call dumped_.00402B14
0058447F    B8 0A000000           mov eax,0A
00584484    E8 7BECE7FF           call dumped_.00403104
00584489    8D95 50FFFFFF         lea edx,dword ptr ss:[ebp-B0]
0058448F    E8 844CE8FF           call dumped_.00409118
00584494    8B85 50FFFFFF         mov eax,dword ptr ss:[ebp-B0]
0058449A    8A10                  mov dl,byte ptr ds:[eax]
0058449C    8B45 FC               mov eax,dword ptr ss:[ebp-4]
0058449F    05 80000000           add eax,80
005844A4    E8 7303E8FF           call dumped_.0040481C
005844A9    8B45 FC               mov eax,dword ptr ss:[ebp-4]
005844AC    8B80 80000000         mov eax,dword ptr ds:[eax+80]
005844B2    E8 014DE8FF           call dumped_.004091B8
005844B7    8BD8                  mov ebx,eax
005844B9    8B45 FC               mov eax,dword ptr ss:[ebp-4]
005844BC    8958 0C               mov dword ptr ds:[eax+C],ebx
005844BF    D1FB                  sar ebx,1
005844C1    79 03                 jns short dumped_.005844C6
005844C3    83D3 00               adc ebx,0
005844C6    85DB                  test ebx,ebx
005844C8    75 12                 jnz short dumped_.005844DC
005844CA    8B45 FC               mov eax,dword ptr ss:[ebp-4]
005844CD    8B80 7C060000         mov eax,dword ptr ds:[eax+67C]
005844D3    B2 01                 mov dl,1
005844D5    E8 4EF2EBFF           call dumped_.00443728
005844DA    EB 0C                 jmp short dumped_.005844E8
005844DC    E8 E7FFE7FF           call dumped_.004044C8
005844E1    EB 05                 jmp short dumped_.005844E8
005844E3    E8 E0FFE7FF           call dumped_.004044C8
005844E8    33C0                  xor eax,eax                            ; eax zeroed (exception-frame teardown, as at 00581E66)
005844EA    5A                    pop edx
005844EB    59                    pop ecx
005844EC    59                    pop ecx
005844ED    64:8910               mov dword ptr fs:[eax],edx
005844F0    68 A8455800           push dumped_.005845A8
005844F5    8B45 FC               mov eax,dword ptr ss:[ebp-4]
005844F8    8B80 9C030000         mov eax,dword ptr ds:[eax+39C]
005844FE    33D2                  xor edx,edx
00584500    E8 57F8EFFF           call dumped_.00483D5C
00584505    8B45 FC               mov eax,dword ptr ss:[ebp-4]
00584508    8B80 4C030000         mov eax,dword ptr ds:[eax+34C]
0058450E    B2 05                 mov dl,5
00584510    E8 B791ECFF           call dumped_.0044D6CC
00584515    8B45 FC               mov eax,dword ptr ss:[ebp-4]
00584518    8B80 28060000         mov eax,dword ptr ds:[eax+628]
0058451E    33D2                  xor edx,edx
00584520    E8 DB9BECFF           call dumped_.0044E100
00584525    8B45 FC               mov eax,dword ptr ss:[ebp-4]
00584528    8B80 5C060000         mov eax,dword ptr ds:[eax+65C]
0058452E    33D2                  xor edx,edx
00584530    E8 CB9BECFF           call dumped_.0044E100
00584535    8B45 FC               mov eax,dword ptr ss:[ebp-4]
00584538    8B80 60030000         mov eax,dword ptr ds:[eax+360]
0058453E    33D2                  xor edx,edx
00584540    E8 BB9BECFF           call dumped_.0044E100
00584545    8B45 FC               mov eax,dword ptr ss:[ebp-4]
00584548    8B80 68030000         mov eax,dword ptr ds:[eax+368]
0058454E    33D2                  xor edx,edx
00584550    E8 AB9BECFF           call dumped_.0044E100
00584555    8B45 FC               mov eax,dword ptr ss:[ebp-4]
00584558    8B80 6C030000         mov eax,dword ptr ds:[eax+36C]
0058455E    33D2                  xor edx,edx
00584560    E8 9B9BECFF           call dumped_.0044E100
00584565    8B45 FC               mov eax,dword ptr ss:[ebp-4]
00584568    8B80 70030000         mov eax,dword ptr ds:[eax+370]
0058456E    33D2                  xor edx,edx
00584570    E8 8B9BECFF           call dumped_.0044E100
00584575    8B45 FC               mov eax,dword ptr ss:[ebp-4]
00584578    8B80 0C060000         mov eax,dword ptr ds:[eax+60C]
0058457E    33D2                  xor edx,edx
00584580    E8 7B9BECFF           call dumped_.0044E100
00584585    8B45 FC               mov eax,dword ptr ss:[ebp-4]
00584588    8B80 4C030000         mov eax,dword ptr ds:[eax+34C]
0058458E    33D2                  xor edx,edx
00584590    E8 6B9BECFF           call dumped_.0044E100
00584595    8B45 F8               mov eax,dword ptr ss:[ebp-8]
00584598    E8 AFF2E7FF           call dumped_.0040384C
0058459D    C3                    retn
0058459E  ^\E9 3DFAE7FF           jmp dumped_.00403FE0
005845A3  ^ E9 4DFFFFFF           jmp dumped_.005844F5
005845A8    33C0                  xor eax,eax                            ; xor, eax=00000000
005845AA    5A                    pop edx
005845AB    59                    pop ecx                                ; ecx=00000000
005845AC    59                    pop ecx                                ; ecx=00584660
005845AD    64:8910               mov dword ptr fs:[eax],edx
005845B0    68 6A465800           push dumped_.0058466A
005845B5    8D85 50FFFFFF         lea eax,dword ptr ss:[ebp-B0]
005845BB    BA 05000000           mov edx,5
005845C0    E8 9B00E8FF           call dumped_.00404660
005845C5    8D85 70FFFFFF         lea eax,dword ptr ss:[ebp-90]
005845CB    BA 03000000           mov edx,3
005845D0    E8 8B00E8FF           call dumped_.00404660
005845D5    8D85 7CFFFFFF         lea eax,dword ptr ss:[ebp-84]
005845DB    E8 5C00E8FF           call dumped_.0040463C
005845E0    8D45 80               lea eax,dword ptr ss:[ebp-80]
005845E3    E8 8007E8FF           call dumped_.00404D68
005845E8    8D45 84               lea eax,dword ptr ss:[ebp-7C]
005845EB    E8 4C00E8FF           call dumped_.0040463C
005845F0    8D45 88               lea eax,dword ptr ss:[ebp-78]
005845F3    E8 7007E8FF           call dumped_.00404D68
005845F8    8D45 8C               lea eax,dword ptr ss:[ebp-74]
005845FB    E8 3C00E8FF           call dumped_.0040463C
00584600    8D45 90               lea eax,dword ptr ss:[ebp-70]
00584603    E8 6007E8FF           call dumped_.00404D68
00584608    8D45 94               lea eax,dword ptr ss:[ebp-6C]
0058460B    E8 2C00E8FF           call dumped_.0040463C
00584610    8D45 98               lea eax,dword ptr ss:[ebp-68]
00584613    E8 5007E8FF           call dumped_.00404D68
00584618    8D45 9C               lea eax,dword ptr ss:[ebp-64]
0058461B    E8 1C00E8FF           call dumped_.0040463C
00584620    8D45 A0               lea eax,dword ptr ss:[ebp-60]
00584623    E8 4007E8FF           call dumped_.00404D68
00584628    8D45 A4               lea eax,dword ptr ss:[ebp-5C]
0058462B    BA 06000000           mov edx,6
00584630    E8 2B00E8FF           call dumped_.00404660
00584635    8D45 BC               lea eax,dword ptr ss:[ebp-44]
00584638    BA 07000000           mov edx,7
0058463D    E8 1E00E8FF           call dumped_.00404660
00584642    8D45 D8               lea eax,dword ptr ss:[ebp-28]
00584645    E8 F2FFE7FF           call dumped_.0040463C
0058464A    8D45 E0               lea eax,dword ptr ss:[ebp-20]
0058464D    BA 03000000           mov edx,3
00584652    E8 0900E8FF           call dumped_.00404660
00584657    8D45 F4               lea eax,dword ptr ss:[ebp-C]
0058465A    E8 0907E8FF           call dumped_.00404D68
0058465F    C3                    retn
00584660  ^\E9 7BF9E7FF           jmp dumped_.00403FE0
00584665  ^ E9 4BFFFFFF           jmp dumped_.005845B5
0058466A    5F                    pop edi                                ; edi=00470850
0058466B    5E                    pop esi                                ; esi=0043E118
0058466C    5B                    pop ebx                                ; ebx=FFFFFFFF
0058466D    8BE5                  mov esp,ebp
0058466F    5D                    pop ebp
00584670    C3                    retn                                   ; second check passed normally, returns the check result

Returns to here:

0044F798    FF93 20010000         call dword ptr ds:[ebx+120]
0044F79E    5B                    pop ebx                                ; returns here, ebx=00B762AC
0044F79F    C3                    retn                                   ; keeps returning the check result

Returns to here:

0043E134    E8 FB150100           call dumped_.0044F734
0043E139    5B                    pop ebx                                ; stack [0012FDC4]=00B6D110 (00B6D110), ebx=00B762AC
0043E13A    C3                    retn                                   ; keeps returning the check result

Returns to here:

00584CCE    E8 75EDE7FF           call dumped_.00403A48
00584CD3    33C0                  xor eax,eax                            ; returns here and does the xor, eax=0012FDA8
00584CD5    5A                    pop edx                                ; edx=00000000
00584CD6    59                    pop ecx                                ; ecx=00000000
00584CD7    59                    pop ecx                                ; ecx=00584CEE
00584CD8    64:8910               mov dword ptr fs:[eax],edx
00584CDB    68 F54C5800           push dumped_.00584CF5
00584CE0    8D45 EC               lea eax,dword ptr ss:[ebp-14]
00584CE3    BA 05000000           mov edx,5
00584CE8    E8 73F9E7FF           call dumped_.00404660
00584CED    C3                    retn
00584CEE  ^\E9 EDF2E7FF           jmp dumped_.00403FE0
00584CF3  ^ EB EB                 jmp short dumped_.00584CE0
00584CF5    5F                    pop edi                                ; edi=00470850
00584CF6    5E                    pop esi                                ; esi=0043E118
00584CF7    5B                    pop ebx                                ; ebx=00B6D110
00584CF8    8BE5                  mov esp,ebp
00584CFA    5D                    pop ebp
00584CFB    C3                    retn                                   ; keeps returning the check result

Returns to here:

0044376F    FF53 38               call dword ptr ds:[ebx+38]
00443772    5B                    pop ebx                                ; returns here, ebx=00BBC654
00443773    C3                    retn                                   ; keeps returning the check result

Returns to here:

00443658    33C0                  xor eax,eax                            ; returns here, xor clears eax, eax=00000000
0044365A    5A                    pop edx
0044365B    59                    pop ecx
0044365C    59                    pop ecx
0044365D    64:8910               mov dword ptr fs:[eax],edx
00443660    EB 33                 jmp short dumped_.00443695
00443662  ^ E9 C506FCFF           jmp dumped_.00403D2C
00443667    A1 A48B5900           mov eax,dword ptr ds:[598BA4]
0044366C    8B00                  mov eax,dword ptr ds:[eax]
0044366E    8B55 FC               mov edx,dword ptr ss:[ebp-4]
00443671    E8 92BC0200           call dumped_.0046F308
00443676    E8 190AFCFF           call dumped_.00404094
0044367B    EB 18                 jmp short dumped_.00443695
0044367D    8B43 08               mov eax,dword ptr ds:[ebx+8]
00443680    50                    push eax
00443681    8B43 04               mov eax,dword ptr ds:[ebx+4]
00443684    50                    push eax
00443685    56                    push esi
00443686    8B45 FC               mov eax,dword ptr ss:[ebp-4]
00443689    8B40 34               mov eax,dword ptr ds:[eax+34]
0044368C    50                    push eax
0044368D    E8 423EFCFF           call dumped_.004074D4                  ; jmp to user32.DefWindowProcA
00443692    8943 0C               mov dword ptr ds:[ebx+C],eax
00443695    5F                    pop edi
00443696    5E                    pop esi
00443697    5B                    pop ebx
00443698    59                    pop ecx
00443699    5D                    pop ebp
0044369A    C3                    retn                                   ; keeps returning the check result

Returns to here:

00426448    FF11                  call dword ptr ds:[ecx]
0042644A    83C4 0C               add esp,0C                             ; returns here
0042644D    58                    pop eax                                ; eax cleared, eax=00000000
0042644E    5D                    pop ebp
0042644F    C2 1000               retn 10                                ; keeps returning the check result

Returns to here:

77D37AD7    817C24 04 CDABBADC    cmp dword ptr ss:[esp+4],DCBAABCD      ; returns here, stack ss:[0012FE58]=DCBAABCD
77D37ADF    74 11                 je short user32.77D37AF2
77D37AE1    813C24 CDABBADC       cmp dword ptr ss:[esp],DCBAABCD
77D37AE8    75 05                 jnz short user32.77D37AEF
77D37AEA    83EC 04               sub esp,4
77D37AED    EB 03                 jmp short user32.77D37AF2
77D37AEF    83C4 10               add esp,10
77D37AF2    83C4 08               add esp,8
77D37AF5    5B                    pop ebx
77D37AF6    5F                    pop edi
77D37AF7    5E                    pop esi
77D37AF8    5D                    pop ebp
77D37AF9    C2 1400               retn 14                                ; keeps returning the check result

Returns to here:

77D3CCD4    8945 E4               mov dword ptr ss:[ebp-1C],eax          ; returns here
77D3CCD7  ^ EB B0                 jmp short user32.77D3CC89              ; jumps upward

Jumps up to here:

77D3CC89    834D FC FF            or dword ptr ss:[ebp-4],FFFFFFFF
77D3CC8D    E8 49000000           call user32.77D3CCDB
77D3CC92    8B45 E4               mov eax,dword ptr ss:[ebp-1C]
77D3CC95    E8 B7070200           call user32.77D5D451
77D3CC9A    C2 2000               retn 20

返回到这里:

77D14455    8BC8                  mov ecx,eax                            ; returns here
77D14457    A1 585ED677           mov eax,dword ptr ds:[77D65E58]
77D1445C    F640 02 04            test byte ptr ds:[eax+2],4
77D14460  ^ 75 AF                 jnz short user32.77D14411              ; jumps down

Jumps down to here:

77D14411    33D2                  xor edx,edx
77D14413    3955 E4               cmp dword ptr ss:[ebp-1C],edx
77D14416    74 4A                 je short user32.77D14462               ; jumps down

Jumps down to here:

77D14416   /74 4A                 je short user32.77D14462               ; jumps down
77D14418   |64:A1 18000000        mov eax,dword ptr fs:[18]
77D1441E   |3990 40070000         cmp dword ptr ds:[eax+740],edx
77D14424   |74 3C                 je short user32.77D14462
77D14426   |64:A1 18000000        mov eax,dword ptr fs:[18]
......(too much code here, part of it is omitted)

0046F047    E8 C084F9FF           call dumped_.0040750C                  ; jmp to user32.DispatchMessageA
0046F04C    EB 07                 jmp short dumped_.0046F055             ; finally returns here; it shows the author put real effort into the 2nd check~~
0046F04E    C686 9C000000 01      mov byte ptr ds:[esi+9C],1
0046F055    8BC3                  mov eax,ebx
0046F057    5A                    pop edx
0046F058    5F                    pop edi
0046F059    5E                    pop esi
0046F05A    5B                    pop ebx
0046F05B    C3                    retn                                   ; final preparation for returning to the program

Returns to here:

0046F07E    E8 41FFFFFF           call dumped_.0046EFC4
0046F083    84C0                  test al,al                             ; returns here, al=01
0046F085    75 09                 jnz short dumped_.0046F090
0046F087    8BD4                  mov edx,esp
0046F089    8BC3                  mov eax,ebx
0046F08B    E8 98080000           call dumped_.0046F928
0046F090    83C4 1C               add esp,1C
0046F093    5B                    pop ebx
0046F094    C3                    retn                                   ; final preparation for returning to the program

Returns to here: (★)

0046F2A3    33C0                  xor eax,eax                            ; returns here
0046F2A5    5A                    pop edx
0046F2A6    59                    pop ecx
0046F2A7    59                    pop ecx
0046F2A8    64:8910               mov dword ptr fs:[eax],edx
0046F2AB    EB 15                 jmp short dumped_.0046F2C2
0046F2AD  ^ E9 7A4AF9FF           jmp dumped_.00403D2C
0046F2B2    8B55 FC               mov edx,dword ptr ss:[ebp-4]
0046F2B5    8B45 FC               mov eax,dword ptr ss:[ebp-4]
0046F2B8    E8 4B000000           call dumped_.0046F308
0046F2BD    E8 D24DF9FF           call dumped_.00404094
0046F2C2    8B45 FC               mov eax,dword ptr ss:[ebp-4]
0046F2C5    80B8 9C000000 00      cmp byte ptr ds:[eax+9C],0
0046F2CC  ^ 74 BF                 je short dumped_.0046F28D              ; jumps upward, runs as a loop
0046F2CE    33C0                  xor eax,eax
0046F2D0    5A                    pop edx
0046F2D1    59                    pop ecx
0046F2D2    59                    pop ecx
0046F2D3    64:8910               mov dword ptr fs:[eax],edx
0046F2D6    68 EDF24600           push dumped_.0046F2ED
0046F2DB    8B45 FC               mov eax,dword ptr ss:[ebp-4]
0046F2DE    C680 A5000000 00      mov byte ptr ds:[eax+A5],0
0046F2E5    C3                    retn                                   ; returns to the program; the check runs at all times

● KuNgBiM's tip ●

A program that uses a CRC redundancy check will certainly not use it in only one place, so we should strike while the iron is hot: use a code search to change every identical spot that can be changed, all in one go!
But this method is not a cure-all and is not very thorough, so the best approach is still a hex search with UE, WinHEX or similar, which is more complete. What is covered here is mainly the method of tracing the code to obtain the key information.

Using the above approach, we search for "cmp eax,0FA000" in OD with Ctrl + S, and indeed find another one:

(★Important★ [Third location])

00584E88    E8 77CFFFFF           call dumped_.00581E04
00584E8D    3D 00A00F00           cmp eax,0FA000                         ; here the author, afraid of errors after packing, gives the program a size limit of FA000
                                                                         ; FA000 = 1024000 bytes
00584E92    7E 1C                 jle short dumped_.00584EB0             ; only if the file size is below this value does it run normally, so this must jump!

*************************
Code modification:

00584E8D    3D 00A00F00           cmp eax,0FA000    // I change it to: cmp eax,0FFFFFFF   (heh, 268435455 bytes is about 256MB; how much software is bigger than 256MB?)

*************************

● KuNgBiM's tip ●

OK, with that the code modification is complete. One reminder, though: when patching via a hex search in UE, WinHEX or similar, searching for "00A00F" finds 4 hits in total, but the program only needs 3 of them changed; the remaining one is a UI check that determines whether the program window has a border. If a "borderless" program window looks acceptable to you, then go ahead and patch with a hex search in UE/WinHEX; otherwise, do as I do and go step by step with the "crude method"~~~ heh~~

――――――――――――――――――――――――――――――――――――――――

【Summary of self-check patch points】

00584B8C    3D 00A00F00           cmp eax,0FA000
005842C9    3D 00A00F00           cmp eax,0FA000
00584E8D    3D 00A00F00           cmp eax,0FA000

Replace every one of the above "cmp eax,0FA000" instructions with "cmp eax,0FFFFFFF" and save; that's it!

Run the program we modified and saved once more: OK, it runs normally! The self-check is gone~~~~ haha~~~ and the program no longer "commits suicide"~~ which makes studying this software's algorithm easier for me later~~~~
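The patch above edits the immediate of a five-byte `cmp eax,imm32` instruction (opcode 3D followed by a little-endian dword), and the tip in this section warns that a raw hex search for the three bytes `00A00F` returns one hit more than the three size checks. The following Python script is an added example, not code from the write-up or from the program under analysis: it decodes the instruction, shows why matching the full five-byte encoding avoids the extra hit, and applies the same immediate replacement to a constructed sample buffer (a stand-in for a slice of dumped_.exe, not the real file). The `mov ecx,0FA000` in the sample is my own placeholder for the fourth, unrelated hit the author mentions; the function names are mine.

```python
import struct

CMP_EAX_IMM32 = 0x3D        # x86 opcode: cmp eax, imm32 (1 opcode byte + 4-byte little-endian immediate)
OLD_LIMIT = 0x000FA000      # the program's file-size limit: 1024000 bytes
NEW_LIMIT = 0x0FFFFFFF      # the write-up's replacement: 268435455 bytes (~256 MB)

# Constructed sample buffer standing in for a slice of dumped_.exe (not the real file).
# It holds the three genuine "cmp eax,0FA000" checks plus one unrelated
# "mov ecx,0FA000" (B9 + imm32) whose immediate contains the same bytes,
# a placeholder for the fourth hit a three-byte hex search produces.
SAMPLE = bytes.fromhex(
    "E877CFFFFF" "3D00A00F00" "7E1C"   # call ...; cmp eax,0FA000; jle ...
    "90" "B900A00F00"                  # nop; mov ecx,0FA000 (not a size check)
    "E878D2FFFF" "3D00A00F00" "7E1C"   # call ...; cmp eax,0FA000; jle ...
    "3D00A00F00" "C3"                  # cmp eax,0FA000; retn
)


def find_all(buf: bytes, needle: bytes) -> list:
    """Offsets of every occurrence of needle in buf (overlaps allowed)."""
    return [i for i in range(len(buf) - len(needle) + 1) if buf[i:i + len(needle)] == needle]


def encode_cmp_eax(imm: int) -> bytes:
    """Encode cmp eax,imm32 exactly as the disassembly shows it (3D + imm32)."""
    return bytes([CMP_EAX_IMM32]) + struct.pack("<I", imm)


def decode_cmp_eax(buf: bytes, off: int) -> int:
    """Return the immediate of the cmp eax,imm32 at off, or raise if it is not one."""
    if buf[off] != CMP_EAX_IMM32:
        raise ValueError(f"no cmp eax,imm32 at offset {off:#x}")
    return struct.unpack_from("<I", buf, off + 1)[0]


def find_size_checks(buf: bytes, limit: int = OLD_LIMIT) -> list:
    """Match the whole instruction, not just the middle bytes of the immediate."""
    return find_all(buf, encode_cmp_eax(limit))


def patch_size_checks(buf: bytes, old: int = OLD_LIMIT, new: int = NEW_LIMIT) -> bytes:
    """Rewrite every cmp eax,old to cmp eax,new, leaving all other bytes untouched."""
    out = bytearray(buf)
    for off in find_size_checks(buf, old):
        out[off + 1:off + 5] = struct.pack("<I", new)
    return bytes(out)


def size_check_passes(file_size: int, limit: int = OLD_LIMIT) -> bool:
    """The check's semantics: the 'jle' after the cmp means sizes up to the limit pass."""
    return file_size <= limit


if __name__ == "__main__":
    print("three-byte search 00A00F :", find_all(SAMPLE, bytes.fromhex("00A00F")))   # 4 hits
    print("full-instruction search  :", find_size_checks(SAMPLE))                    # 3 hits
    patched = patch_size_checks(SAMPLE)
    print("patched limits           :", [hex(decode_cmp_eax(patched, o)) for o in find_size_checks(SAMPLE)])
```

The three-byte search reports four offsets, while matching the full `3D 00 A0 0F 00` encoding reports only the three size checks, which is exactly the difference the tip describes. From a software-protection standpoint the lesson is the mirror image: because the check is a single `cmp eax,imm32` against a fixed constant, it is a five-byte signature anyone can search for, and a file-size comparison says nothing about whether the code itself was altered; an integrity check worth the name compares a hash of the image sections rather than a size.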

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 【Analysis of the program's "suicide" (cause) code】 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Phew~~ the unpacking and self-check removal analysis above is finally done. Next we look into the cause of the "suicide" that is triggered when the check fails after unpacking:

Since it is "suicide", there are only 2 possibilities:

① "Suicide" code the program's author wrote into the program itself
② Invoking the system's own "autoexec.bat" batch command to delete the program that failed the check

During the analysis we determined that this program uses the latter (②) form of "suicide". Follow along and witness the program's "suicide":

Prerequisites: the unpacked program with its self-check still intact (N copies, just in case a failed attempt costs us the target, heh~~~) and our good helper: Ollydbg

――――――――――――――――――――――――――――――――――――――――

Open Ollydbg and load the unpacked, repaired and optimized "dumped_.exe" we prepared (I use the default unpacked file name here)

Repeat the entire self-check removal procedure, but when you reach the following step do not change any code:

00584B87    E8 78D2FFFF           call dumped_.00581E04
00584B8C    3D 00A00F00           cmp eax,0FA000                         ; size check value
00584B91   /7E 1C                 jle short dumped_.00584BAF             ; when you get here, let it run its course, change no code, and let the check fail!
00584B93   |8D55 F0               lea edx,dword ptr ss:[ebp-10]
00584B96   |A1 A48B5900           mov eax,dword ptr ds:[598BA4]
00584B9B   |8B00                  mov eax,dword ptr ds:[eax]
00584B9D   |E8 3EACEEFF           call dumped_.0046F7E0
00584BA2   |8B45 F0               mov eax,dword ptr ss:[ebp-10]
00584BA5   |E8 16D3FFFF           call dumped_.00581EC0
00584BAA   |E8 19F9E7FF           call dumped_.004044C8                  ; F8 to here; the program is interrupted again by the bpx CreateFileA breakpoint
00584BAF   \E8 E0D4FFFF           call dumped_.00582094
00584BB4    84C0                  test al,al
00584BB6    74 1C                 je short dumped_.00584BD4

Breakpoint hit:

004093E5    E8 9ADAFFFF           call dumped_.00406E84                  ; breaks here, repeating the check-removal walk, jmp to kernel32.CreateFileA
004093EA    5B                    pop ebx                                ; the program returns a failure value
004093EB    C3                    retn
004093EC    E8 D7FFFFFF           call dumped_.004093C8
004093F1    C3                    retn                                   ; keeps returning here, preparing for the next check!

Returns to here: (★)

0041F994    8BC8                  mov ecx,eax                            ; returns here; F8 to continue the analysis
0041F996    33D2                  xor edx,edx
0041F998    8BC3                  mov eax,ebx
0041F99A    E8 BDFEFFFF           call dumped_.0041F85C
0041F99F    837B 04 00            cmp dword ptr ds:[ebx+4],0
0041F9A3    7D 65                 jge short dumped_.0041FA0A             ; this jumps
0041F9A5    8975 F4               mov dword ptr ss:[ebp-C],esi
0041F9A8    C645 F8 0B            mov byte ptr ss:[ebp-8],0B
0041F9AC    8D45 F4               lea eax,dword ptr ss:[ebp-C]
0041F9AF    50                    push eax
0041F9B0    6A 00                 push 0
0041F9B2    8B0D 848C5900         mov ecx,dword ptr ds:[598C84]          ; dumped_.00418180
0041F9B8    B2 01                 mov dl,1
0041F9BA    A1 889E4100           mov eax,dword ptr ds:[419E88]
0041F9BF    E8 44D1FEFF           call dumped_.0040CB08
0041F9C4    E8 4F46FEFF           call dumped_.00404018
0041F9C9    EB 3F                 jmp short dumped_.0041FA0A
0041F9CB    0FB7D7                movzx edx,di
0041F9CE    8BC6                  mov eax,esi
0041F9D0    E8 9799FEFF           call dumped_.0040936C
0041F9D5    8BC8                  mov ecx,eax
0041F9D7    33D2                  xor edx,edx
0041F9D9    8BC3                  mov eax,ebx
0041F9DB    E8 7CFEFFFF           call dumped_.0041F85C
0041F9E0    837B 04 00            cmp dword ptr ds:[ebx+4],0
0041F9E4    7D 24                 jge short dumped_.0041FA0A
0041F9E6    8975 F4               mov dword ptr ss:[ebp-C],esi
0041F9E9    C645 F8 0B            mov byte ptr ss:[ebp-8],0B
0041F9ED    8D45 F4               lea eax,dword ptr ss:[ebp-C]
0041F9F0    50                    push eax
0041F9F1    6A 00                 push 0
0041F9F3    8B0D A08C5900         mov ecx,dword ptr ds:[598CA0]          ; dumped_.00418198
0041F9F9    B2 01                 mov dl,1
0041F9FB    A1 E49E4100           mov eax,dword ptr ds:[419EE4]
0041FA00    E8 03D1FEFF           call dumped_.0040CB08
0041FA05    E8 0E46FEFF           call dumped_.00404018
0041FA0A    8BC3                  mov eax,ebx                            ; jumps to here
0041FA0C    807D FF 00            cmp byte ptr ss:[ebp-1],0
0041FA10    74 0F                 je short dumped_.0041FA21              ; jumps again
0041FA12    E8 F141FEFF           call dumped_.00403C08
0041FA17    64:8F05 00000000      pop dword ptr fs:[0]
0041FA1E    83C4 0C               add esp,0C
0041FA21    8BC3                  mov eax,ebx
0041FA23    5F                    pop edi
0041FA24    5E                    pop esi
0041FA25    5B                    pop ebx
0041FA26    8BE5                  mov esp,ebp
0041FA28    5D                    pop ebp
0041FA29    C2 0800               retn 8                                 ; returns to the next instruction address

Returns to here:

0041F945    8BC6                  mov eax,esi                            ; returns here
0041F947    84DB                  test bl,bl
0041F949    74 0F                 je short dumped_.0041F95A              ; now this does not jump
0041F94B    E8 B842FEFF           call dumped_.00403C08
0041F950    64:8F05 00000000      pop dword ptr fs:[0]
0041F957    83C4 0C               add esp,0C
0041F95A    8BC6                  mov eax,esi
0041F95C    5E                    pop esi
0041F95D    5B                    pop ebx
0041F95E    5D                    pop ebp
0041F95F    C2 0400               retn 4                                 ; continues returning to the instruction address

Returns to here: (★)

0041EA96    8945 FC               mov dword ptr ss:[ebp-4],eax           ; returns here
0041EA99    33C0                  xor eax,eax                            ; eax=00B7D24C
0041EA9B    55                    push ebp
0041EA9C    68 C7EA4100           push dumped_.0041EAC7
0041EAA1    64:FF30               push dword ptr fs:[eax]
0041EAA4    64:8920               mov dword ptr fs:[eax],esp
0041EAA7    8B55 FC               mov edx,dword ptr ss:[ebp-4]
0041EAAA    8BC6                  mov eax,esi
0041EAAC    8B08                  mov ecx,dword ptr ds:[eax]
0041EAAE    FF51 78               call dword ptr ds:[ecx+78]
0041EAB1    33C0                  xor eax,eax
0041EAB3    5A                    pop edx
0041EAB4    59                    pop ecx
0041EAB5    59                    pop ecx
0041EAB6    64:8910               mov dword ptr fs:[eax],edx
0041EAB9    68 CEEA4100           push dumped_.0041EACE
0041EABE    8B45 FC               mov eax,dword ptr ss:[ebp-4]
0041EAC1    E8 864DFEFF           call dumped_.0040384C
0041EAC6    C3                    retn
0041EAC7  ^ E9 1455FEFF           jmp dumped_.00403FE0
0041EACC  ^ EB F0                 jmp short dumped_.0041EABE
0041EACE    5E                    pop esi
0041EACF    59                    pop ecx
0041EAD0    5D                    pop ebp
0041EAD1    C3                    retn                                   ; the key return: the root cause of the program's "suicide" is here

Returns to here: (★★★★★)

00581F9E    6A 00                 push 0
00581FA0    68 80205800           push dumped_.00582080                  ; ASCII "c:\autoexec1.bat"
                                                                         ; generates a batch file in the root of drive C and runs it; it carries the delete command the program issues to the system
                                                                         ; ★by the time I traced to here I had already copied that "malicious" batch file★
00581FA5    E8 5251E8FF           call dumped_.004070FC                  ; jmp to kernel32.WinExec
00581FAA    33C0                  xor eax,eax                            ; eax=00000021
00581FAC    5A                    pop edx
00581FAD    59                    pop ecx
00581FAE    59                    pop ecx
00581FAF    64:8910               mov dword ptr fs:[eax],edx
00581FB2    EB 0A                 jmp short dumped_.00581FBE
00581FB4  ^ E9 731DE8FF           jmp dumped_.00403D2C
00581FB9    E8 D620E8FF           call dumped_.00404094
00581FBE    8B45 F8               mov eax,dword ptr ss:[ebp-8]           ; cleared, eax=00000000
00581FC1    E8 8618E8FF           call dumped_.0040384C
00581FC6    33C0                  xor eax,eax                            ; xor clears it, eax=00000000
00581FC8    5A                    pop edx
00581FC9    59                    pop ecx
00581FCA    59                    pop ecx
00581FCB    64:8910               mov dword ptr fs:[eax],edx
00581FCE    68 F01F5800           push dumped_.00581FF0
00581FD3    8D45 EC               lea eax,dword ptr ss:[ebp-14]
00581FD6    BA 03000000           mov edx,3
00581FDB    E8 8026E8FF           call dumped_.00404660
00581FE0    8D45 FC               lea eax,dword ptr ss:[ebp-4]           ; cleared, eax=00000000
00581FE3    E8 5426E8FF           call dumped_.0040463C
00581FE8    C3                    retn
00581FE9  ^ E9 F21FE8FF           jmp dumped_.00403FE0
00581FEE  ^ EB E3                 jmp short dumped_.00581FD3
00581FF0    5F                    pop edi                                ; dumped_.00470850
00581FF1    5E                    pop esi
00581FF2    5B                    pop ebx
00581FF3    8BE5                  mov esp,ebp
00581FF5    5D                    pop ebp
00581FF6    C3                    retn                                   ; returns to the program and executes the command

Returns to here: (★★★★★)

00584BAA    E8 19F9E7FF           call dumped_.004044C8                  ; by the time the program gets here the command has already been executed, Game Over ~
00584BAF    E8 E0D4FFFF           call dumped_.00582094
00584BB4    84C0                  test al,al
........

【Cause of the program's "suicide" | batch file contents】

:loop
if exist "D:\文章试验品\图章制作系统\dumped_.exe" del "D:\文章试验品\图章制作系统\dumped_.exe"
if exist "D:\文章试验品\图章制作系统\dumped_.exe" goto loop
if not exist "D:\文章试验品\图章制作系统\dumped_.exe" del "c:\autoexec1.bat"
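The batch file above is a minimal self-destruct script: a label, a guarded `del` of the target executable, a `goto` back to the label until the delete succeeds, and finally deletion of the batch file itself. From a defender's side that shape is easy to recognize statically. The following Python script is an added example, not code from the write-up or from the program it analyzes: it parses such a script, strips the `if [not] exist` guards, and reports the label/goto retry loop, the executable target and the self-removal, using the batch text quoted above as a constructed sample. The `analyze_batch` function, its report keys and its verdict strings are my own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the autoexec1.bat quoted in the write-up, reproduced verbatim.
SAMPLE_BAT = (
    ':loop\n'
    'if exist "D:\\文章试验品\\图章制作系统\\dumped_.exe" del "D:\\文章试验品\\图章制作系统\\dumped_.exe"\n'
    'if exist "D:\\文章试验品\\图章制作系统\\dumped_.exe" goto loop\n'
    'if not exist "D:\\文章试验品\\图章制作系统\\dumped_.exe" del "c:\\autoexec1.bat"\n'
)

# A leading 'if [not] exist <path>' only guards the command that follows it;
# drop the guard so the real verb sits at the start of the line.
_IF_EXIST = re.compile(r'^if\s+(?:not\s+)?exist\s+(?:"[^"]*"|\S+)\s+', re.IGNORECASE)
_DEL = re.compile(r'^(?:del|erase)\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))', re.IGNORECASE)
_GOTO = re.compile(r'^goto\s+:?(\S+)', re.IGNORECASE)


def analyze_batch(text: str, script_name: str = "autoexec1.bat") -> dict:
    """Static triage of a .bat: does it loop on deleting an .exe and then remove itself?"""
    labels, gotos, deletes = set(), [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(':'):                       # ':loop' style label
            labels.add(line[1:].strip().lower())
            continue
        cmd = _IF_EXIST.sub('', line)
        if m := _DEL.match(cmd):
            deletes.append(m.group('quoted') or m.group('bare'))
        elif m := _GOTO.match(cmd):
            gotos.append(m.group(1).lower())
    retry_loop = bool(labels & set(gotos))             # a goto that targets a label defined here
    exe_targets = [t for t in deletes if t.lower().endswith('.exe')]
    removes_itself = any(PureWindowsPath(t).name.lower() == script_name.lower() for t in deletes)
    suspicious = retry_loop and bool(exe_targets) and removes_itself
    return {
        "deletes": deletes,
        "retry_loop": retry_loop,
        "exe_targets": exe_targets,
        "removes_itself": removes_itself,
        "verdict": "self-destruct loop" if suspicious else "no self-destruct pattern",
    }


if __name__ == "__main__":
    for key, value in analyze_batch(SAMPLE_BAT).items():
        print(f"{key:15}: {value}")
```

The retry loop is what makes the script effective: the executable is still locked while the process that launched `WinExec` is alive, so the batch keeps retrying until the process exits and the `del` succeeds, then cleans up its own trace. At runtime the same behaviour is observable as a process dropping a `.bat` into the root of `C:` and immediately executing it, which is a reasonable thing for a host monitor to flag regardless of the script's content.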

--------------------------------------------------------------------------------------------

【Summary of this chapter】

The author likewise uses a CRC redundancy check to detect whether the program has been cracked. The ruthless part is that once the program's integrity check fails (not the unpacking check), it invokes an "autoexec.bat" batch command together with the system configuration file "system.ini" and deletes a random system file in the background, lowering the program's chances of being cracked by raising the threat to the cracker's machine. And the check is present at every moment, so be sure to finish the analysis before making any modifications!

One reminder: before the self-check has been removed from the unpacked program, do not make any code changes to it, to avoid unnecessary incidents!

--------------------------------------------------------------------------------------------

Copyright (C) 2005 KuNgBiM[DFCG]

--------------------------------------------------------------------------------------------
     UnPacked & Cracked By KuNgBiM[DFCG]

                2005-08-01

                23:09:18 PM


Latest replies (24)

lnn1123 13 2005-8-2 17:48 (#2)
This takes patience.

heng9ml 1 2005-8-2 18:08 (#3)
I admire your patience! Heh.

pendan2001 4 2005-8-2 18:09 (#4)
Learning!

小剑 2005-8-2 18:12 (#5)
A master's post has to be bumped.

ni10256 2005-8-2 18:17 (#6)
Can't not bump this!

prince 16 2005-8-2 19:00 (#7)
Heh, if it's for algorithm analysis, why not use my 偷天换日 (switcheroo) method?

水豆腐 2005-8-2 19:03 (#8)
I admire you.

ljy3282393 1 2005-8-2 22:27 (#9)
Learning, and supporting.

dfui 2005-8-2 22:34 (#10)
Brilliant, truly brilliant.

ww990 1 2005-8-3 07:45 (#11)
Contempt for software authors who include destructive code.

学习 2005-8-3 09:31 (#12)
Better not to unpack; analyzing it with the packer still on works better (for this kind of software).

ferrari_fei 2005-8-3 15:02 (#13)
push ebp     ; here, correct ImageSize with LordPE and then fully dump the process

How do you dump the process?
I couldn't find a corresponding option in LordPE.

alphabet 1 2005-8-4 13:25 (#14)
Originally posted by prince:
Heh, if it's for algorithm analysis, why not use my 偷天换日 (switcheroo) method?

What is your 偷天换日 method?
You forgot to tell us.

国士无双 2005-8-4 17:32 (#15)
Refined. Detailed. Clever.

linsion 2005-8-5 10:21 (#16)
How do you manage to be as clear as the OP about almost every single step!!!

chenfnu 2005-8-6 17:46 (#17)
Very impressive, the OP is strong!

阿杰 2005-8-7 15:23 (#18)
Not bad~
Learned something~

wester 2005-8-7 15:46 (#19)
Admirable! Many thanks for the guidance!

KuNgBiM 66 2005-8-10 16:12 (#20)
Originally posted by linsion:
How do you manage to be as clear as the OP about almost every single step!!!

Main tools: persistence + perseverance + sweat

Auxiliary tool: cigarettes

冷血书生 28 2005-8-22 02:07 (#21)
Originally posted by KuNgBiM:
Main tools: persistence + perseverance + sweat
Auxiliary tool: cigarettes

Well said! I like it!

Support!

深海游侠 10 2005-8-24 02:20 (#22)
Detailed indeed, here's my support.
PS: cigarettes + all-nighters

lanmao 2005-8-24 10:00 (#23)
Learning, thanks for sharing!

KuNgBiM 66 2005-8-25 20:38 (#24)
Originally posted by 深海游侠:
Detailed indeed, here's my support.
PS: cigarettes + all-nighters

Brother 游侠 is right! Mostly the all-nighters~!

夜凉如水 3 2005-9-1 15:46 (#25)
Hehe, essence-worthy, a truly perfect analysis, learned something.