Self-checking is a protection method used by a lot of software. Adding a simple packer to a program and then adding a self-check can keep out the majority of newcomers to a given program, but for many people this protection is weak. Still, there is no systematic article on the forum; I don't know whether everyone is too busy or whether they want to keep some secrets. In fact, most techniques should be shared, and only through exchange can progress be made. Take Old Wang's EPE: netsowell's article on unpacking it in one go prompted Old Wang to upgrade it once, and the protection has been getting stronger and stronger. Enough nonsense. The following describes several common methods for dealing with self-checks; I hope everyone can add to them.
1. General comparison method. Compare the program that has triggered the self-check against the original, unmodified program. This method is the most common, and most self-checks can be handled with it (if the software prevents more than one instance from running, solve that problem first). Sample1.EXE in the attachment is a self-checking program packed with ASPack; any modification of its code or size triggers the prompt that the software has been modified. dumped.EXE is the file after unpacking. Because the prompt "file has been illegally modified" appears after the check is triggered, we can deal with the self-check on the unpacked file. Open the unpacked dumped.EXE in OD and set the breakpoint BP CreateFileA; it breaks twice (F9 twice) before the error appears. Press CTRL+F2 to reload dumped.EXE, set BP CreateFileA again, and press F9 once. Now open another OD instance with the original sample1.EXE, use the script to reach the OEP, likewise set BP CreateFileA and press F9 once. The two ODs now stop at the same place; from here we step through both ODs side by side, paying attention to JE, JNE, JBE and so on.
7C801A24 > 8BFF mov edi, edi ; BP CreateFileA breaks here; ALT+F9 returns to the caller
7C801A26 55 push ebp
========================
0040111C |. 3BF4 cmp esi, esp ; both ODs stop here. Step with F8 and compare the key jumps.
0040111E |. E8 0D030000 CALL crcdumpe.00401430
00401123 |. 8985 E0FEFFFF mov dword ptr ss: [EBP-120], EAX
00401129 |. 83BD E0FEFFFF> cmp dword ptr ss: [EBP-120],-1
00401130 |. 75 07 jnz short crcdumpe.00401139
Step through with F8. When we reach the following code, we find that this jump goes differently in the two programs:
0040120C/75 07 jnz short crc.00401215
0040120E | B8 01000000 mov eax, 1
00401213 | EB 02 jmp short crc.00401217
00401215 33C0 xor eax, EAX
======================================
0040120C |./75 07 jnz short crcdumpe.00401215
0040120E |. | B8 01000000 mov eax, 1
00401213 |. | EB 02 jmp short crcdumpe.00401217
00401215 |> 33C0 xor eax, EAX
So in the unpacked version, NOP out the jump at 0040120C and save the result as dumpedFIX.EXE. Run it; if it works, continue tracking. In this example only this one place needs to be modified.
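As an added example (not code from the original post), here is the self-check pattern Method 1 patches, a check routine that returns -1 and a single compare-and-jump in the caller, next to a variant in which the checksum feeds the program's data so there is no single jump to NOP out. The image bytes, the SECRET constant and the mixing constant are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a file image; a real self-check reads the EXE itself. */
static const char IMAGE[] = "123456789";
#define IMAGE_LEN (sizeof IMAGE - 1)
#define SECRET 0x00C0FFEEu  /* constructed value the program needs to run correctly */

/* Standard CRC-32 (IEEE 802.3 polynomial, reflected), computed bit by bit. */
uint32_t crc32_buf(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Weak form, as in sample1: -1 on mismatch, then one cmp/jnz in the caller
 * decides. Flipping that single jump defeats the whole check. */
int weak_self_check(const uint8_t *img, size_t n, uint32_t expected)
{
    return crc32_buf(img, n) == expected ? 0 : -1;
}

/* Stronger form: no pass/fail flag at all. The CRC is folded into a key that
 * unmasks a value the program needs, so a tampered image yields wrong data
 * rather than a jump that can be patched. 0xA5A5A5A5 is a constructed constant. */
uint32_t unmask(uint32_t masked, const uint8_t *img, size_t n)
{
    return masked ^ crc32_buf(img, n) ^ 0xA5A5A5A5u;
}

/* Run both checks on the clean image and on a copy whose last byte is set to 01,
 * the same edit the tutorial makes to sample2. Returns 1 if both react. */
int demo(void)
{
    const uint8_t *clean = (const uint8_t *)IMAGE;
    uint8_t tampered[IMAGE_LEN];
    memcpy(tampered, IMAGE, IMAGE_LEN);
    tampered[IMAGE_LEN - 1] = 0x01;
    uint32_t expected = crc32_buf(clean, IMAGE_LEN);
    uint32_t masked = unmask(SECRET, clean, IMAGE_LEN); /* XOR masking is symmetric */
    int weak_ok = weak_self_check(clean, IMAGE_LEN, expected) == 0 && weak_self_check(tampered, IMAGE_LEN, expected) == -1;
    int strong_ok = unmask(masked, clean, IMAGE_LEN) == SECRET && unmask(masked, tampered, IMAGE_LEN) != SECRET;
    return weak_ok && strong_ok;
}

int main(void) { return demo() ? 0 : 1; }
```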
2. Trace back from the exit function. Sample2 in the attachment is also a self-checking program; any modification makes it exit automatically. Use UltraEdit to change the last byte of sample2.EXE to 01 and save it as sample2-change.EXE; sample2-change then exits on its own when run, so we start from the exit function. Software generally exits by calling ExitProcess, PostQuitMessage and so on. Load sample2-change.EXE in OD; from the import table we can see that the software calls ExitProcess to exit. So in OD set BP ExitProcess and press F9; after it breaks, the stack shows:
0012FEB8 004015B5 /CALL to ExitProcess from sample2-.004015AF ; from here we can see that ExitProcess is called at 004015AF
0012FEBC 00000000 \ExitCode = 0
0012FEC0 20DFA6E6
In OD, press CTRL+G and enter 004015AF:
004015AF |. FF15 AC514200 call dword ptr ds:[<&KERNEL32.ExitProcess>] ; locate the start of this subroutine
004015B5 |> 8BE5 mov esp, EBP
004015B7 |. 5D POP EBP
004015B8. C3 RETN
========================================================
004014E0 /$ 55 push ebp ; trace up to here and pay attention to the Information pane
004014E1 |. 8BEC mov ebp, ESP
004014E3 |. 51 PUSH ECX
004014E4 |. 833D F8354200> cmp dword ptr ds: [4235F8], 1
004014EB |. 75 11 jnz short sample2-. 004014FE
Content of the Information pane:
Local calls from 0040146B, 0040148B, 004014A9, 004014C9
That is, this routine is called from four places to exit via ExitProcess. Because the program's exit button and the close box also end up calling ExitProcess through it, the call belonging to the self-check is usually among the first few. Right-click the line and choose "Go to CALL from 0040146B":
0040146B |. E8 70000000 call sample2-.004014E0 ; here too, find the start of the routine
00401470 |. 83C4 0C add esp, 0C
00401473 |. 5D POP EBP
00401474. C3 RETN
================
00401460 /$ 55 push ebp ; here the Information pane shows: Local calls from 00401072, <ModuleEntryPoint>+11A
00401461 |. 8BEC mov ebp, ESP
00401463 |. 6A 00 PUSH 0;/Arg3 = 00000000
00401465 |. 6A 00 PUSH 0; | Arg2 = 00000000
Right-click "Local calls from 00401072" and choose "Go to CALL from 00401072":
00401048 |. E8 BDFFFFFF call sample2-.0040100A
0040104D |. 85C0 test eax, eax
0040104F |. 74 1F je short sample2-.00401070 ; the jump is taken from here; NOP it out
00401051 |. 8BF4 mov esi, esp
00401053 |. 6A 30 push 30