Acprotect 1.10 Build 123, Delphi Language


[Author] weiyi75 [Dfcg]

[Author mailbox] weiyi75@sohu.com

[Author's homepage] Dfcg official base camp

[Tools] OllyDbg 1.10b (anti-anti-debug version), ImportREC 1.42

[Cracking platform] Win2000/XP

[Software name] PE file Analyzer


[Software overview] A PE file analyzer packed with the registered version of Acprotect 1.10 Build 123.

Software size: 553 KB

[Packer identification] UltraProtect 1.x -> RISCO Software Inc.

[Cracking statement] I am a newbie. This was a rare experience for me and I would like to share it with you.

Objective: to recover the Stolen Code by simulated tracing.

Preface: this program is packed with the registered version of Acprotect 1.10 Build 123. It does not use the RSA-generated KEY protection, but every anti-tracing option is enabled. As for the dynamic code replacement protection, the vendor states that only C++ and Delphi are supported. In the end it is just simulated tracing plus a memory breakpoint aimed at the packer's weak point.

First, load the original program into OD.

004B7220 > $ 55 push ebp // A typical Delphi entry point. When the Acprotect shell has run up to the OEP, you will find that some code near the entry point has been modified; if you dump the program directly, the dump will not run. Several Acprotect-packed programs have been analyzed to see how many entry bytes are modified; so far the number is usually 6 bytes, which still needs to be verified.

Note:

Every compiler (VC++, Delphi, Borland, and so on) leaves its own characteristic code at the OEP, the same for every program built with it. Part of the Delphi one looks like this:

push ebp      // The first instruction is the target of our simulated tracing. Fortunately Acprotect has not yet adopted Asprotect's entry-code mutation technique, so changing it is of no use?!
mov ebp, esp
add esp, -10

004B7221 . 8BEC          mov ebp, esp
004B7223 . 83C4 F0       add esp, -10
004B7226 . B8 A86F4B00   mov eax, Pe.004B6FA8
004B722B . E8 6CF4F4FF   call Pe.0040669C
004B7230 . A1 C4A04B00   mov eax, dword ptr ds:[4BA0C4]
004B7235 . 8B00          mov eax, dword ptr ds:[eax]
004B7237 . E8 C48CFCFF   call Pe.0047FF00
004B723C . A1 C4A04B00   mov eax, dword ptr ds:[4BA0C4]
004B7241 . 8B00          mov eax, dword ptr ds:[eax]
004B7243 . BA 80724B00   mov edx, Pe.004B7280
004B7248 . E8 AB88FCFF   call Pe.0047FAF8
004B724D . 8B0D F4A14B00 mov ecx, dword ptr ds:[4BA1F4] ; Pe.004BBCAC
004B7253 . A1 C4A04B00   mov eax, dword ptr ds:[4BA0C4]
004B7258 . 8B00          mov eax, dword ptr ds:[eax]
004B725A . 8B15 48E44A00 mov edx, dword ptr ds:[4AE448] ; Pe.004AE494
004B7260 . E8 B38CFCFF   call Pe.0047FF18
...
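The signature check described in the note above, as an added example in Python (not part of the original write-up): given the bytes read at a candidate OEP, it reports whether a known compiler prologue is still intact and, if not, how many leading bytes are missing. The Delphi sequence is the one in the listing above; the MSVC6 entry, the sample byte strings and the function name are assumptions constructed for illustration.

```python
# Added example: detect whether the prologue at a candidate OEP is intact.
# The Delphi sequence is the one shown in the listing above; the MSVC6 entry
# and the sample inputs are assumptions constructed for illustration.

PROLOGUES = {
    # push ebp; mov ebp,esp; add esp,-10; mov eax,imm32 (B8 opcode only)
    "Delphi": bytes.fromhex("558BEC83C4F0B8"),
    # push ebp; mov ebp,esp; push -1; push imm32 (68 opcode only)
    "MSVC6": bytes.fromhex("558BEC6AFF68"),
}


def prologue_status(oep_bytes: bytes):
    """Return (compiler, stolen, surviving) for the best match, else None.

    stolen    = number of leading signature bytes no longer present at the OEP
                (0 means the prologue is intact)
    surviving = number of trailing signature bytes still found in place
    The tail must match at least one byte, so a result is never vacuous;
    a match with a very short tail is weak evidence and should be
    confirmed by stepping through the code in the debugger.
    """
    best = None
    for name, sig in PROLOGUES.items():
        for stolen in range(len(sig)):      # try 0 .. len(sig)-1 stolen bytes
            tail = sig[stolen:]
            if oep_bytes[stolen:stolen + len(tail)] == tail:
                cand = (name, stolen, len(tail))
                if best is None or cand[2] > best[2]:  # prefer longest surviving tail
                    best = cand
                break                        # smallest stolen count for this sig
    return best


# Constructed samples: the intact Delphi entry, the same entry with its
# first 6 bytes replaced by the packer (here NOPs), and unrelated code.
INTACT = bytes.fromhex("558BEC83C4F0B8A86F4B00")
STOLEN = bytes.fromhex("909090909090B8A86F4B00")
OTHER = bytes.fromhex("E8000000005B81EB")

if __name__ == "__main__":
    for label, sample in (("intact", INTACT), ("stolen", STOLEN), ("other", OTHER)):
        print(label, prologue_status(sample))
```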

Now we look at the Delphi entry signature again from the packed side.

This time the EBP = 12FFF0 trick does not work: when the program reaches the entry point, EBP is not 12FFF0 at all.

In OD's exception settings, do not ignore memory access exceptions; ignore all the others. Load the program and use the plug-in to hide OD.

004EF000 > 60            pushad // Packer entry point; press F9 to run.
004EF001   87E9          xchg ecx, ebp
004EF003   F9            stc
004EF004   41            inc ecx
004EF005   BF 08589F45   mov edi, 459F5808
004EF00A   50            push eax
004EF00B   E8 01000000   call Pey.004EF011
004EF010   7E 58         jle short Pey.004EF06A
004EF012   58            pop eax
004EF013   C1ED E9       shr ebp, 0E9
004EF016   EB 01         jmp short Pey.004EF019
004EF018 - 76 D3         jbe short Pey.004EEFED
004EF01A   ED            in eax, dx
004EF01B   EB 01         jmp short Pey.004EF01E
004EF01D - 75 85         jnz short Pey.004EEFA4
...

A memory access exception fires here:

00415719   CD 01         int 1 // The typical last exception of Acprotect versions below 1.20.
004F771B   40            inc eax
004F771C   40            inc eax
004F771D   0BC0          or eax, eax
004F771F   75 05         jnz short Pey.004F7726
004f7790                 nop
004F7722   90            nop
004F7723   90            nop
004F7724   90            nop
