AlphaRom is a common protection scheme for Japanese games, and its new version is considerably stronger than before. I recently unpacked a galgame protected with it and picked up some experience; my notes follow.
First, the anti-debugging has been strengthened. Under XP a stock OllyDbg cannot be used, probably because StrongOD and HideOD were not configured properly. Fortunately the nooby OllyDbg build runs without problems.
Second, the IAT is encrypted. The shell copies most of each API's code into memory it allocates itself and pads it with a large number of junk instructions. If an int 3 breakpoint is placed anywhere inside an API, the copy fails and the program exits. A hardware breakpoint on an API often does not trigger where you need it either, because most of the calls made by the program body execute the shell's copy of the code rather than the original API.
The unpacking process is as follows:
1. Run the AlphaRom activation tool alsignup_act_100723_110729.exe, then run the game so that it is activated and runs normally.
2. PEiD shows linker version 6.0, so find GetVersion and patch its final retn to EB FE (jmp $). Run the program and then pause it; when it has stopped on the patched retn, return from the function manually. Keep running until it stops on an EB FE at a different address: this is the shell's copy of GetVersion. After returning from it, the push ebp just above the return address is the OEP.
3. Once the OEP is known, a hardware breakpoint on the OEP is enough to stop there, and the program can be dumped at that point. Only the first two sections are needed; the last five are all shell sections.
4. Search the dump for call [address] and jmp [address], i.e. instructions starting with FF 15 and FF 25, keeping only those whose address falls within the program body. A few lines of C are enough for this.
5. Sort the addresses found above; these are the addresses of the IAT thunks. Enter the IAT start address and size manually in ImportREC, click Get Imports, then Save Tree to iat.txt. Note that if ImportREC is left to search for the IAT automatically, the result is incomplete.
6. I found that a small part of the IAT held correct API addresses, while most entries pointed into memory allocated by the shell, and a few pointed into the shell section.
7. Handle the APIs copied into shell-allocated memory first. As a first try, I hooked GetVersion so that it started with an E9 jump to an empty area and re-ran the program. Surprisingly, the IAT entry for GetVersion then became a direct jmp GetVersion, as in the old version of AlphaRom. Conclusion: if an API starts with E9, the shell does not copy its code. A memory access breakpoint on the first byte of GetVersion reveals four places where the shell makes this check, so I wrote an ODBGScript that changes EIP at each of those four checks, which makes the shell believe that every API starts with an E9 jump. The shell's code cannot be patched directly, or an error occurs, which is why the script moves EIP instead. Once the script completes, all IAT entries of that kind (the ones that would have held copied code) are resolved. The ODBGScript is as follows:
lc                      // clear the log window
dbh                     // hide the debugger
mov OEP, 43ab20
mov CHECK_1, 9692db     // the four places where the shell tests the API for E9
mov JUMP_1, 9695cd      // and where execution continues when E9 was found
mov CHECK_2, 965781
mov JUMP_2, 965868
mov CHECK_3, 967828
mov JUMP_3, 968443
mov CHECK_4, 968524
mov JUMP_4, 968540
bphws OEP, "x"          // hardware execute breakpoint at the OEP
loop:
bphws CHECK_1, "x"
run
cmp eip, CHECK_1
jne end                 // stopped somewhere else (normally at the OEP)
mov eip, JUMP_1         // skip the check as if the API started with E9
bphwc CHECK_1
bphws CHECK_2, "x"
run
cmp eip, CHECK_2
jne end
mov eip, JUMP_2
bphwc CHECK_2
bphws CHECK_3, "x"
run
cmp eip, CHECK_3
jne end
mov eip, JUMP_3
bphwc CHECK_3
bphws CHECK_4, "x"
run
cmp eip, CHECK_4
jne end
mov eip, JUMP_4
bphwc CHECK_4
jmp loop
end:
cmp eip, OEP
jne final
log "Finished"
final:
ret                     // end of script
8. Note that some of the obtained API addresses are in ntdll; replace these with the corresponding kernel32 exports. The correspondence between an ntdll function and its kernel32 function is easy to find; for example, ntdll.RtlFreeHeap is really kernel32.HeapFree.
9. That leaves five IAT blocks, all of which are copied APIs that the script above does not handle; they are probably copies the shell makes from a different place. By comparing them against the remaining names and looking at the call sites, they are easy to identify from the number and type of parameters.
10. Finally, in ImportREC use Load Tree with the modified iat.txt, then Fix Dump, and the unpacking is complete.
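Steps 4 and 5 scan the dump for FF 15 / FF 25 references and use the collected operand addresses to locate the thunk table; the same scan is a routine step when rebuilding imports from a memory dump during malware analysis. The C below is an added example, not the author's code: it assumes a 32-bit image occupying the constructed range 0x00400000-0x0043FFFF and runs over a constructed sample buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Collect the distinct operand addresses of every FF 15 (call [imm32]) and
 * FF 25 (jmp [imm32]) whose operand lies inside [lo, hi], the address range of
 * the program body.  out receives them sorted ascending; returns the count. */
static size_t find_iat_thunks(const uint8_t *buf, size_t len, uint32_t lo,
                              uint32_t hi, uint32_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 6 <= len; i++) {
        if (buf[i] != 0xFF || (buf[i + 1] != 0x15 && buf[i + 1] != 0x25))
            continue;
        /* imm32 operand, little-endian, right after the two opcode bytes */
        uint32_t addr = (uint32_t)buf[i + 2] | ((uint32_t)buf[i + 3] << 8) |
                        ((uint32_t)buf[i + 4] << 16) | ((uint32_t)buf[i + 5] << 24);
        if (addr < lo || addr > hi)
            continue;           /* outside the image: data, not a thunk slot */
        size_t pos = 0;         /* sorted insert, skipping duplicates */
        while (pos < n && out[pos] < addr)
            pos++;
        if ((pos < n && out[pos] == addr) || n == max_out)
            continue;
        memmove(&out[pos + 1], &out[pos], (n - pos) * sizeof out[0]);
        out[pos] = addr;
        n++;
    }
    return n;
}

/* Byte size of the thunk table to enter in ImportREC: lowest slot up to and
 * including the last 4-byte slot.  The start address is thunks[0]. */
static uint32_t thunk_table_size(const uint32_t *thunks, size_t n)
{
    return n ? thunks[n - 1] + 4 - thunks[0] : 0;
}

/* Constructed sample dump (not from a real game): three thunk references,
 * one duplicate, and one FF 15 whose operand points outside the image. */
static const uint8_t sample_dump[] = {
    0xFF, 0x15, 0x00, 0xD0, 0x43, 0x00,  /* call [0x0043D000] */
    0x90,
    0xFF, 0x25, 0x04, 0xD0, 0x43, 0x00,  /* jmp  [0x0043D004] */
    0xFF, 0x15, 0x00, 0xD0, 0x43, 0x00,  /* call [0x0043D000] again */
    0xFF, 0x15, 0x00, 0x00, 0x90, 0x00,  /* call [0x00900000]: shell memory */
    0xFF, 0x25, 0x08, 0xD0, 0x43, 0x00,  /* jmp  [0x0043D008] */
};
```

On the sample the scan yields the three slots 0x0043D000, 0x0043D004 and 0x0043D008, so the table to enter in ImportREC starts at 0x0043D000 with size 12.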
Author: cliches