
|Themida脱壳之加密狗破解

发表时间:2018-04-12    来源:不详    浏览次数:22

拿fxyang的ThemidaScript.for.V1.9.10+.0.4.oSc来跑,也就是少了一个效验,自己动手加上。跑到伪OEP,我们在这里用LordPE dump程序 引用:
004069B0    53              push ebx <-脚本停在这,Call 4069B0,看寄存器EAX == 004A3F14 记住①
004069B1    8BD8            mov ebx,eax                     ; xkqwwf1.004A3F14
004069B3    33C0            xor eax,eax                     ; xkqwwf1.004A3F14
004069B5    A3 9C504A00     mov dword ptr ds:[4A509C],eax    ; xkqwwf1.004A3F14
004069BA    6A 00           push 0
004069BC    E8 2BFFFFFF     call 004068EC                 ; xkqwwf1.004068EC
004069C1    A3 68764A00     mov dword ptr ds:[4A7668],eax      ; xkqwwf1.004A3F14
004069C6    A1 68764A00     mov eax,dword ptr ds:[4A7668]
004069CB    A3 A8504A00     mov dword ptr ds:[4A50A8],eax      ; xkqwwf1.004A3F14
004069D0    33C0            xor eax,eax                         ; xkqwwf1.004A3F14
004069D2    A3 AC504A00     mov dword ptr ds:[4A50AC],eax           ; xkqwwf1.004A3F14
004069D7    33C0            xor eax,eax                              ; xkqwwf1.004A3F14
004069D9    A3 B0504A00     mov dword ptr ds:[4A50B0],eax           ; xkqwwf1.004A3F14
004069DE    E8 C1FFFFFF     call 004069A4                  ; xkqwwf1.004069A4
004069E3    BA A4504A00     mov edx,4A50A4
004069E8    8BC3            mov eax,ebx
004069EA    E8 69D9FFFF     call 00404358                    ; xkqwwf1.00404358
004069EF    5B              pop ebx                              ; xkqwwf1.00601859
004069F0    C3              retn 直接F4,F8到VM中


在Code段F2,Shift+F9 引用:
0047B15C    53              push ebx <-记Call 0047B15C,记住②
0047B15D    A1 4C6B4A00     mov eax,dword ptr ds:[4A6B4C]
0047B162    8338 00         cmp dword ptr ds:[eax],0
0047B165    74 0A           je short 0047B171                               ; xkqwwf1.0047B171
0047B167    8B1D 4C6B4A00   mov ebx,dword ptr ds:[4A6B4C]                   ; xkqwwf1.004A7044
0047B16D    8B1B            mov ebx,dword ptr ds:[ebx]
0047B16F    FFD3            call ebx
0047B171    5B              pop ebx                                          ; xkqwwf1.00601871
0047B172    C3              retn 直接F4,F8到VM中


在Code段F2,Shift+F9 引用:
0047AD44    55              push ebp<-记住Call 0047AD44,看寄存器EDX == 004A4254 记住③
0047AD45    8BEC            mov ebp,esp
0047AD47    6A 00           push 0
0047AD49    53              push ebx
0047AD4A    56              push esi
0047AD4B    8BF2            mov esi,edx                                     ; xkqwwf1.004A4254
0047AD4D    8BD8            mov ebx,eax
0047AD4F    33C0            xor eax,eax
0047AD51    55              push ebp
0047AD52    68 C6AD4700     push 47ADC6
0047AD57    64:FF30         push dword ptr fs:[eax]
0047AD5A    64:8920         mov dword ptr fs:[eax],esp
0047AD5D    80BB A4000000 0>cmp byte ptr ds:[ebx+A4],0
0047AD64    74 3D           je short 0047ADA3                               ; xkqwwf1.0047ADA3
0047AD66    8D55 FC         lea edx,dword ptr ss:[ebp-4]
0047AD69    8BC3            mov eax,ebx
0047AD6B    E8 88FFFFFF     call 0047ACF8                                   ; xkqwwf1.0047ACF8
0047AD70    8B45 FC         mov eax,dword ptr ss:[ebp-4]
0047AD73    8BD6            mov edx,esi
0047AD75    E8 2E9DF8FF     call 00404AA8                                   ; xkqwwf1.00404AA8
0047AD7A    75 09           jnz short 0047AD85                              ; xkqwwf1.0047AD85
0047AD7C    83BB 8C000000 0>cmp dword ptr ds:[ebx+8C],0
0047AD83    74 2B           je short 0047ADB0                               ; xkqwwf1.0047ADB0
0047AD85    8BC6            mov eax,esi
0047AD87    E8 D09DF8FF     call 00404B5C                                   ; xkqwwf1.00404B5C
0047AD8C    50              push eax
0047AD8D    8B43 30         mov eax,dword ptr ds:[ebx+30]
0047AD90    50              push eax
0047AD91    E8 5EC8F8FF     call 004075F4                            ; jmp to USER32.SetWindowTextA
0047AD96    8D83 8C000000   lea eax,dword ptr ds:[ebx+8C]
0047AD9C    E8 FB98F8FF     call 0040469C                            ; xkqwwf1.0040469C
0047ADA1    EB 0D           jmp short 0047ADB0                       ; xkqwwf1.0047ADB0
0047ADA3    8D83 8C000000   lea eax,dword ptr ds:[ebx+8C]
0047ADA9    8BD6            mov edx,esi
0047ADAB    E8 4099F8FF     call 004046F0                           ; xkqwwf1.004046F0
0047ADB0    33C0            xor eax,eax
0047ADB2    5A              pop edx                                 ; xkqwwf1.0060187D
0047ADB3    59              pop ecx                                 ; xkqwwf1.0060187D
0047ADB4    59              pop ecx                                 ; xkqwwf1.0060187D
0047ADB5    64:8910         mov dword ptr fs:[eax],edx              ; xkqwwf1.004A4254
0047ADB8    68 CDAD4700     push 47ADCD
0047ADBD    8D45 FC         lea eax,dword ptr ss:[ebp-4]
0047ADC0    E8 D798F8FF     call 0040469C                           ; xkqwwf1.0040469C
0047ADC5    C3              retn 直接F4,F8到VM中


在Code段F2,Shift+F9
可以看到4a422c上面被VM了不少,看来4a442c就是OEP 引用:
004A422C    8B00            mov eax,dword ptr ds:[eax] 
<-记寄存器ECX == 004A7F48 记住④

004A422E    8B15 D8D64900   mov edx,dword ptr ds:[49D6D8]                           ; xkqwwf1.0049D724
004A4234    E8 3B6FFDFF     call 0047B174                                           ; xkqwwf1.0047B174
004A4239    A1 146C4A00     mov eax,dword ptr ds:[4A6C14]
004A423E    8B00            mov eax,dword ptr ds:[eax]
004A4240    E8 AF6FFDFF     call 0047B1F4                                           ; xkqwwf1.0047B1F4
004A4245    E8 D602F6FF     call 00404520                                           ; xkqwwf1.00404520
004A424A    0000            add byte ptr ds:[eax],al


我们需要找的上面被Stolen Code的代码了
根据自己找来的Delphi程序对比下 引用:
004DC014 > $  55                        push ebp
004DC015   .  8BEC                      mov ebp,esp
004DC017   .  83C4 F0                   add esp,-10
004DC01A   .  B8 4CBC4D00               mov eax,004DBC4C ①EAX的值
004DC01F   .  E8 18A3F2FF               call 0040633C ①
004DC024   .  A1 ECF94D00               mov eax,dword ptr ds:[4DF9EC]    加密狗数据开始读取
004DC029   .  8B00                      mov eax,dword ptr ds:[eax]
004DC02B   .  E8 6828FBFF               call 0048E898 ②
004DC030   .  A1 ECF94D00               mov eax,dword ptr ds:[4DF9EC]
004DC035   .  8B00                      mov eax,dword ptr ds:[eax]
004DC037   .  BA 8CC04D00               mov edx,004DC08C       ③EDX的值
004DC03C   .  E8 4F24FBFF               call 0048E490 ③
004DC041   .  8B0D 4CFB4D00             mov ecx,dword ptr ds:[4DFB4C] ④    
004DC047   .  A1 ECF94D00               mov eax,dword ptr ds:[4DF9EC]
004DC04C   .  8B00                      mov eax,dword ptr ds:[eax]
004DC04E   .  8B15 609B4D00             mov edx,dword ptr ds:[4D9B60]   加密狗数据解密
004DC054   .  E8 5728FBFF               call 0048E8B0
004DC059   .  8B0D 8CFB4D00             mov ecx,dword ptr ds:[4DFB8C]    
004DC05F   .  A1 ECF94D00               mov eax,dword ptr ds:[4DF9EC]
004DC064   .  8B00                      mov eax,dword ptr ds:[eax]
004DC066   .  8B15 D87D4D00             mov edx,dword ptr ds:[4D7DD8]   
004DC06C   .  E8 3F28FBFF               call 0048E8B0
004DC071   .  A1 ECF94D00               mov eax,dword ptr ds:[4DF9EC]
004DC076   .  8B00                      mov eax,dword ptr ds:[eax]
004DC078   .  E8 B328FBFF               call 0048E930
004DC07D   .  E8 DE7FF2FF               call 00404060
004DC082   .  0000                      add byte ptr ds:[eax],al


delphi的OEP比较多样化,但是
mov eax,dword ptr ds:[4DF9EC]
mov eax,dword ptr ds:[eax]
这几句都一样的。
参考④,ECX == 004A7F48,我们用crtl + B 去掉 Entire block 查找48 7F 4A 00 找地址 4A6D3B
所以④ = mov ecx,dword ptr ds:[4A6D3B]
得出OEP 引用:
004A41F4 > $  55                        push ebp
004A41F5   .  8BEC                      mov ebp,esp
004A41F7   .  83C4 F0                   add esp,-10
004A41FA   .  B8 143F4A00               mov eax,004A3F14 ①EAX的值
004A41FF   .  E8 AC27F6FF               call 004069B0 ①
004A4204   .  A1 146C4A00               mov eax,dword ptr ds:[4A6C14]
004A4209   .  8B00                      mov eax,dword ptr ds:[eax]
004A420B   .  E8 4C6FFDFF               call 0047B15C ②
004A4210   .  A1 146C4A00               mov eax,dword ptr ds:[4A6C14]
004A4215   .  8B00                      mov eax,dword ptr ds:[eax]
004A4217   .  BA 54424A00               mov edx,004A4254 ③EDX的值
004A421C   .  E8 236BFDFF               call 0047AD44 ③
004A4221   .  8B0D 3C6D4A00             mov ecx,dword ptr ds:[4A6D3C]      ④                   ; 
004A4227   .  A1 146C4A00               mov eax,dword ptr ds:[4A6C14]
004A422C   .  8B00                      mov eax,dword ptr ds:[eax]
004A422E   .  8B15 D8D64900             mov edx,dword ptr ds:[49D6D8]                         ; 
004A4234   .  E8 3B6FFDFF               call 0047B174
004A4239   .  A1 146C4A00               mov eax,dword ptr ds:[4A6C14]
004A423E   .  8B00                      mov eax,dword ptr ds:[eax]                 读取加密狗里面的数据
004A4240   .  E8 AF6FFDFF               call 0047B1F4
004A4245   .  E8 D602F6FF               call 00404520


用WinHex,打开Dump文件查找原来的OEP被VM的十六进制代码 引用:
3C B6 00 18 CD D9 29 D1 52 4A 70 99 5D 85 40 79 B9 28 02 FA 4C 0B EA 31 2F DB BF 9D F3 F3 09 76
8C EE 0A 6C 2F AC 45 D0 21 1E 16 A0 86 BE EF 54 CB A8 A6 02 98 91 0A 45


替换修改代码 引用:
55 8B EC 83 C4 F0 B8 14 3F 4A 00 E8 AC 27 F6 FF A1 14 6C 4A 00 8B 00 E8 4C 6F FD FF A1 14 6C 4A
00 8B 00 BA 54 42 4A 00 E8 23 6B FD FF 8B 0D 3C 6D 4A 00 A1 14 6C 4A 00

