[Author] weiyi75 [Dfcg]
[Author's mailbox] weiyi75@sohu.com
[Author's homepage] official Dfcg base camp
[Tools] OllyDbg 1.10b (anti-anti-debug version), ImportREC 1.42
[Cracking platform] Win2000/XP
[Software name] PE file Analyzer
[Software overview] A PE file analyzer protected with AcProtect 1.10 Build 123 ("register" edition).
Software size: 553 KB
[Shelling method] UltraProtect 1.x -> RISCO Software Inc.
[Cracking statement] I am a newbie. I have had a rare experience and would like to share it with you.
Objective: to simulate and trace the stolen code.
Preface: this software is protected with the AcProtect 1.10 Build 123 "register" edition. It does not use RSA-generated KEY protection, but it does enable all of the anti-tracing options. Regarding the dynamic code replacement protection, the vendor states that only C++ and Delphi are supported. The whole approach is simply simulated tracing plus a memory breakpoint on the image, aimed at the shell's weak spot.
First, load the original (unprotected) program into OD.
004B7220> $ 55 push ebp // typical Delphi entry point. When the AcProtect shell runs up to the OEP, you will find that some code near the entry point has been modified; if you dump it directly, the dump will not run. From several AcProtect-packed entries analyzed so far, the number of modified entry bytes is generally 6, but this still needs to be verified case by case.
Note:
Every compiler, such as VC++, Delphi, Borland C++ and so on,
has its own characteristic code at the OEP.
Some of them look like this (Delphi):
PUSH EBP // The first instruction is the target of our simulated tracing. Fortunately, AcProtect has not yet adopted the ASProtect entry-code mutation technique; if it had, this would not work?!
MOV EBP, ESP
ADD ESP, -010
004B7221. 8BEC mov ebp, ESP
004B7223. 83C4 F0 add esp,-10
004B7226. B8 A86F4B00 mov eax, Pe.004B6FA8
004B722B. E8 6CF4F4FF CALL Pe.0040669C
004B7230. A1 C4A04B00 mov eax, dword ptr ds: [4BA0C4]
004B7235. 8B00 mov eax, dword ptr ds: [EAX]
004B7237. E8 C48CFCFF CALL Pe.0047FF00
004B723C. A1 C4A04B00 mov eax, dword ptr ds: [4BA0C4]
004B7241. 8B00 mov eax, dword ptr ds: [EAX]
004B7243. BA 80724B00 mov edx, Pe.004B7280
004B7248. E8 AB88FCFF CALL Pe.0047FAF8
004B724D. 8B0D F4A14B00 mov ecx, dword ptr ds: [4BA1F4]; Pe.004BBCAC
004B7253. A1 C4A04B00 mov eax, dword ptr ds: [4BA0C4]
004B7258. 8B00 mov eax, dword ptr ds: [EAX]
004B725A. 8B15 48E44A00 mov edx, dword ptr ds: [4AE448]; Pe.004AE494
004B7260. E8 B38CFCFF CALL Pe.0047FF18
........
Let us review the Delphi entry signature once more.
This time, the trick "EBP = 12FFF0" does not work: when the program reaches the entry point, the EBP value is not 12FFF0 at all.
In OD's exception settings, do not ignore memory access exceptions; ignore all the others. Load the program and use the plug-in to hide OD.
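The Delphi prologue described above (push ebp; mov ebp, esp; add esp, -10h, i.e. 55 8B EC 83 C4 F0) is a fixed byte pattern, so the "is the entry intact or has it been stolen?" question can be checked mechanically on a dumped image instead of by eye. The following script is an added example and is not part of the original article or of any tool it mentions; the sample byte strings are constructed from the OD listing above, and the function names are my own.

```python
import re

# Borland/Delphi entry prologue quoted in the listing above (6 bytes):
#   55          push ebp
#   8B EC       mov ebp, esp
#   83 C4 F0    add esp, -10h
DELPHI_PROLOGUE = bytes.fromhex("558BEC83C4F0")


def find_prologues(image: bytes, sig: bytes = DELPHI_PROLOGUE) -> list:
    """Return every offset at which the signature occurs (OEP candidates)."""
    return [m.start() for m in re.finditer(re.escape(sig), image)]


def stolen_byte_offsets(image: bytes, oep: int, sig: bytes = DELPHI_PROLOGUE) -> list:
    """Compare the bytes at a candidate OEP with the expected prologue and return
    the indices (0..len(sig)-1) that differ. An empty list means the prologue is
    intact; a full list means all len(sig) bytes were lifted out of the image."""
    window = image[oep:oep + len(sig)]
    return [i for i in range(len(sig)) if i >= len(window) or window[i] != sig[i]]


def oep_report(image: bytes, oep: int, sig: bytes = DELPHI_PROLOGUE) -> str:
    """Summarise the state of the entry: 'intact', 'stolen' or 'partial'."""
    missing = stolen_byte_offsets(image, oep, sig)
    if not missing:
        return "intact"
    if len(missing) == len(sig):
        return "stolen"
    return "partial"


# Constructed sample data (not taken from the protected binary): the first
# 16 bytes of the Delphi entry shown in the OD listing, as a clean build ...
INTACT_ENTRY = bytes.fromhex("558BEC83C4F0" "B8A86F4B00" "E86CF4F4FF")
# ... and the same region as it would appear in a dump where the shell has
# removed the 6 prologue bytes (zeros stand in for whatever the shell left there).
DUMPED_ENTRY = bytes(6) + INTACT_ENTRY[6:]

if __name__ == "__main__":
    print("clean image :", oep_report(INTACT_ENTRY, 0), find_prologues(INTACT_ENTRY))
    print("dumped image:", oep_report(DUMPED_ENTRY, 0), stolen_byte_offsets(DUMPED_ENTRY, 0))
```

Run against a real dump you would pass the file contents and the OEP's file offset; a "stolen" or "partial" result for a Delphi binary is exactly the condition the article warns about, where a direct dump will not run because the prologue is missing.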
004EF000> 60 pushad // shell entry point; press F9 to run.
004EF001 87E9 xchg ecx, ebp
004EF003 F9 stc
004EF004 41 inc ecx
004EF005 BF 08589F45 mov edi, 459F5808
004EF00A 50 push eax
004EF00B E8 01000000 call Pey.004EF011
004EF010 7E 58 jle short Pey.004EF06A
004EF012 58 pop eax
004EF013 C1ED E9 shr ebp, 0E9
004EF016 EB 01 jmp short Pey.004EF019
004EF018-76 D3 jbe short Pey.004EEFED
004EF01A ED in eax, dx
004EF01B EB 01 jmp short Pey.004EF01E
004EF01D-75 85 jnz short Pey.004EEFA4
........
Memory exception:
00415719 CD 01 int 1 // the typical last exception of AcProtect versions below 1.20.
004F771B 40 inc eax
004F771C 40 inc eax
004F771D 0BC0 or eax, eax
004F771F 75 05 jnz short Pey.004F7726
004F7721 90 nop
004F7722 90 nop
004F7723 90 nop
004F7724 90 nop