Acprotect 1.09g Standard Edition: unpacking and pseudo-repair

[Author] weiyi75 [Dfcg]

[Author mailbox] weiyi75@sohu.com

[Author's homepage] official Dfcg base camp

[Tools] OllyDbg 1.10b (anti-debug patched), ImportREC 1.42, LordPE, WinHex

[Cracking platform] Win2000/XP

[Software name] Acprotect1.09g Standard Edition

[Software overview] A powerful protector. If it finds any debugger it kills the process. Compatibility is good: it can be layered with other protectors several times, has anti-dump protection (some code is extracted dynamically), and steals part of the program's code (Stolen Code). Unlike Asprotect, the stolen bytes are not replaced by 00.

[Software size] 1.36 M

[Packer identification] UltraProtect 1.x -> RISCO Software Inc

[Cracking statement] I am a newbie. This was a rare experience and I would like to share it with you.

Objective: to manually locate the exact content of the stolen code and add back the code that points into the shell.

Although the experts are now studying the new version Acprotect 1.21, we newbies still follow the steps they worked out. In my opinion unpacking technology moves quickly; without a solid foundation you cannot simply follow along blindly. Acprotect is a strong shell and successive versions have changed greatly: the decoding technique in 1.09g and in 1.10 is completely different, so we must be able to recognize a program protected with 1.09g. Everyone who has traced Acprotect knows that there are at least thousands of small jumps from the last SEH exception to the OEP; if you are not careful it takes at least two hours to fly to the OEP. Reaching the OEP with a memory breakpoint and run trace is easy, but when you meet a program with stolen code you need to be able to spot the stolen code at a glance. If you are unfamiliar with the entry-point features, let's first look for the exact location of the stolen code.

Before that, first look at a few unpacked C++, Delphi and other programs. Load them in OD and observe how the ESP value changes as the first few instructions execute.

For example:

005B1AF3 55 PUSH EBP
005B1AF4 8BEC MOV EBP, ESP // after this instruction EBP and ESP hold the same value, usually 12FFC0 = 12FFC0.
005B1AF6 83C4 F4 ADD ESP, -0C

These instructions are typical; almost all C++ and Delphi programs carry this signature. While running the stolen code the protector must access 12FFC0, and that is also our tracking breakpoint.

Second, this time the target is the protector program itself. We know from FLY's perfect unpacking of Xp and videofixer that after a Delphi program is unpacked some code still points into the shell, and the same is true in this article. I will not waste time demonstrating the dumping and fixing process. Instead, let the program itself decrypt the code at runtime. The specific procedure is as follows.

1. Use PEditor to add a new section: name New, size 00050000. The size is generally between 20000 and 50000; larger is safer, and if the value is too small you cannot fit all of the lost code. Then use WinHex to append 00050000 bytes of 00 to the end of the program. You can write a few characters to search for later, such as David.

Then use PEditor's Rebuild PE and check whether the program still runs.

2. Load the acprotect.exe that now has the extra section into the anti-debug-patched OD, check all Ignore exceptions options, and hide OD.

00597000> 60 PUSHAD // start point.
00597001 FC CLD
00597002 66: 81C8 D0EE or ax, 0EED0
00597007 4A DEC EDX
00597008 40 INC EAX
00597009 87C1 xchg ecx, EAX
0059700B F9 STC
0059700C 74 03 je short ACProtec.00597011
0059700E 75 01 jnz short ACProtec.00597011
00597010 72 66 jb short ACProtec.00597078
00597012 D3E0 shl eax, CL
00597014 EB 01 jmp short ACProtec.00597017
........................................ .....................

Command line breakpoint: BP GlobalAlloc

For details of this API see the API manual; it is expected to allocate memory.

F9 to run: it breaks 5 times, and Ctrl+F9 returns to the program's address space each time. Different programs break a different number of times; these breaks are where the protector does its work. If you are afraid of missing one, press Ctrl+F9 to return to program space immediately after every break; generally it is between 3 and 5 times.

0059AD3E 8BF8 MOV EDI, EAX // I read this instruction as the signature. EAX holds the memory address the program will write to, that is, the code we lose after unpacking.
0059AD40 81C7 A00F0000 ADD EDI, 0FA0
0059AD46 50 PUSH EAX
0059AD47 B9 70170000 MOV ECX, 1770
0059AD4C 8DB5 F5204000 LEA ESI, DWORD PTR SS:[EBP+4020F5]
0059AD52 F3:A4 REP MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]
0059AD54 5A POP EDX
0059AD55 8BF2 MOV ESI, EDX
0059AD57 81C6 A00F0000 ADD ESI, 0FA0
0059AD5D 8BFE MOV EDI, ESI
0059AD5F B9 70170000 MOV ECX, 1770
0059AD64 AC LODS BYTE PTR DS:[ESI]
0059AD65 32C3 XOR AL, BL
0059AD67 AA STOS BYTE PTR ES:[EDI]
0059AD68 ^E2 FA LOOPD SHORT ACProtec.0059AD64

........................................ .....................
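The two loops above (the rep movsb copy into the GlobalAlloc buffer at offset 0FA0 and the in-place xor al, bl decode over 1770 bytes), followed by a search for the push ebp / mov ebp, esp / add esp, -0C prologue from the earlier step, modelled in Python as an added example that is not part of the original article. The 0x1770 count and 0x0FA0 offset come from the listing; the XOR key standing in for BL, the heap size and the sample bytes are constructed assumptions.

```python
# Added example, not from the article: a model of the packer's copy + XOR loops
# and of the prologue search used to locate stolen code in the decoded buffer.

COPY_LEN = 0x1770      # ECX at 0059AD47 and 0059AD5F
DEST_OFF = 0x0FA0      # added to EAX / EDX at 0059AD40 and 0059AD57
PROLOGUE = bytes.fromhex("558bec83c4f4")  # push ebp; mov ebp,esp; add esp,-0C


def unpack_stolen_block(packer_data: bytes, heap_size: int, key: int) -> bytearray:
    """Model of 0059AD3E-0059AD68: rep movsb COPY_LEN bytes to heap+DEST_OFF,
    then lods / xor al,bl / stos in place over the same range.
    `key` plays the role of BL; its real value is not given in the article."""
    if len(packer_data) < COPY_LEN:
        raise ValueError("source shorter than the ECX count")
    heap = bytearray(heap_size)                                   # GlobalAlloc buffer
    heap[DEST_OFF:DEST_OFF + COPY_LEN] = packer_data[:COPY_LEN]  # rep movsb
    for i in range(DEST_OFF, DEST_OFF + COPY_LEN):                # loopd 0059AD64
        heap[i] ^= key                                            # xor al, bl
    return heap


def find_prologue(buf: bytes, start: int, length: int) -> int:
    """Offset of the first Delphi/C++ prologue in buf[start:start+length], or -1.
    This is the 'entry feature' the article says to learn from unpacked samples."""
    return buf.find(PROLOGUE, start, start + length)


def demo() -> int:
    """Constructed sample: a stolen prologue hidden inside a cyclic 00..FF filler,
    pre-encrypted with the assumed key so the model loop has to undo it.
    Returns the prologue's offset relative to the start of the decoded block."""
    key = 0x5A                                       # assumed BL value
    plain = bytearray(i & 0xFF for i in range(COPY_LEN))
    stolen_at = 0x123                                # constructed position
    plain[stolen_at:stolen_at + len(PROLOGUE)] = PROLOGUE
    packed = bytes(b ^ key for b in plain)           # what the packer stores
    heap = unpack_stolen_block(packed, DEST_OFF + COPY_LEN + 0x100, key)
    hit = find_prologue(heap, DEST_OFF, COPY_LEN)
    return hit - DEST_OFF if hit >= 0 else -1


if __name__ == "__main__":
    print(hex(demo()))
```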

Alt+M opens the memory map window:

Memory map

Address  Size      Owner     Section   Contains       Type  Access  Initial access
00506000 00001000  ACProtec  .rdata                   Imag  R       RWE
00507000 127d000   ACProtec  .reloc                   Imag  R       RWE
00514000 00083000  ACProtec  .rsrc     resources      Imag  R       RWE
00597000 00021000  ACProtec  .perplex  SFX, imports   Imag  R
