Exposing AMR privacy-od arm program with KEY removed by hand

Source: Internet
Author: User
Tags 04x

[Shelling author] instantly stunned
[Author email] [email] RegKiller2002@yahoo.com.cn [/email]
[Tools] OllyDBG, LordPE, ImportREC, PEiD v0.94
[Shelling platform] WinXP SP2
[Software name] Win98 notepad
Software size: 568 KB
Protection options: Standard protection only supports Standard protection + KEY protection (single process)
[Shelling method] Armadillo v4.40
[Shell removal statement] I am a little cainiao and may share with you a little bit :)

--------------------------------------------------------------------------------
[Shelling content]

N people have asked questions about ARM with KEY. Once again, we must first have an available KEY. Otherwise, the program cannot be decoded. (For the predecessors, I just stood on their shoulders. hey hey) I know very little about ARM. My understanding is that if your program has no KEY, it's as if you have a RAR but no password to decompress it. Someone may say that RAR can be used up. Please, I have always used Chinese as the password for adding RAR. If you give it, you can send it to me as a souvenir. Haha. Have you run the question? When you run, remember to call me back. OK. Let's continue. First, we need to get an available KEY, and then replace our machine fingerprint with the machine fingerprint of the available KEY, after the registration is correct, shell removal is basically the same as that of the ARM without a KEY. The following is an available KEY for this program. I shelled it on another machine using ARM.


Hardware fingerprint: 5F48-DD41

Name: RegKiller

Key: Role

I. Preparations

Shell Detection: Armadillo 1.xx-2.xx-> Silicon Realms Toolworks with PEiD

The old rule sets Ollydbg to ignore all exceptions. Use the IsDebug 1.4 plug-in to remove the Ollydbg debugger flag.

OD Loading

Shift + F9 run until the program prompts: This program requires a security key. If you have one, select OK to enter it. After entering a valid key, you will not be prompted again.

Press the OK button to bring up the KEY input dialog box. Write down your Hardware fingerprint (I will use the value Hardware fingerprint: 0073-3907 for a moment) then return to the OD he GetDlgItem breakpoint, return to the program, enter a name and a KEY, and then press OK. View the stack prompt after disconnected

00128088 00C244FC/CALL to GetDlgItem from 00C244FA
0012808C 000607F0 | hWnd = 000607F0 (Enter Key, class = #32770)
00128090 00000407 ControlID = 407 (1031 .)

ALT + F9 return program airspace

00C244FC 85C0 test eax, EAX; returned here
00C244FE 74 33 je short 00C24533

At this point, you can find the hardware execution breakpoint at the beginning of the code, and then press Ctrl + F2 to reload the program and analyze it.

I will not do this here. Delete the hardware breakpoint and find the code below.

00C2467D/0F84 B7000000 JE 00C2473A
00C24683 | 53 PUSH EBX
00C24684 | B9 98FAC300 mov ecx, 0C3FA98
00C24689 | E8 253 cfeff call 00C082B3; right-click to follow
00C2468E | 53 PUSH EBX
00C2468F | B9 98FAC300 mov ecx, 0C3FA98
00C24694 | 8945 08 mov dword ptr ss: [EBP + 8], EAX
00C24697 | E8 353 cfeff call 00C082D1
00C2469C | 837D 14 01 cmp dword ptr ss: [EBP + 14], 1
00C246A0 | 75 27 jnz short 00C246C9
00C246A2 | 8B45 08 mov eax, dword ptr ss: [EBP + 8]
00C246A5 | 8BC8 mov ecx, EAX
00C246A7 | 81E1 FFFF0000 and ecx, 0 FFFF
00C246AD | C1E8 10 shr eax, 10
00C246B0 | 51 PUSH ECX
00C246B1 | 50 PUSH EAX
00C246B2 | 8D85 00 ffffff lea eax, dword ptr ss: [EBP-100]
00C246B8 | 68 C496C300 PUSH 0c0000c4; ASCII "% 04X-% 04X"
00C246BD | 50 PUSH EAX
00C246BE | FF15 1063C300 call dword ptr ds: [C36310]; msvcrt. sprintf

ASCII "% 04X-% 04X" who is this? Who is it. Let's look up. Right-click the CALL at 00C24689 and follow (that is, enter this CALL) to the following code.

00C082B3 56 push esi; here
00C082B4 8BF1 mov esi, ECX
00C082B6 FF7424 08 push dword ptr ss: [ESP + 8]
00C082BA 8B8E 5C060000 mov ecx, dword ptr ds: [ESI + 65C]
00C082C0 6A 00 PUSH 0
00C082C2 E8 24D70000 CALL 00C159EB; right-click to follow
00C082C7 3386 5C200000 xor eax, dword ptr ds: [ESI + 205C]; Question 1 answers below
00C082CD 5E POP ESI
00C082CE C2 0400 RETN 4

There are two methods (I tested two ARM shells with keys, so I only met two methods. I will explain it later)

Right-click the CALL at 00C082C2 and follow it to the following code.

00C159EB 8B4424 04 mov eax, dword ptr ss: [ESP + 4]
00C159EF C1E0 06 shl eax, 6
00C159F2 034424 08 add eax, dword ptr ss: [ESP + 8]
00C159F6 8B4481 18 mov eax, dword ptr ds: [ECX + EAX * 4 + 18]
00C159FA 35 8AC0E665 xor eax, 65E6C08A
00C159FF C2 0800 RETN 8; set a breakpoint here

Now, set a hardware execution breakpoint on 00C159FF, press Ctrl + F2 to reload the program, and SHIFT + F9 to execute. Check the EAX value after the program is disconnected. Here is 00733907. What is this? Isn't it just the 0073-3907 Machine Fingerprint? Now you should know how to do it? Find a blank area and write a patch code. I use the dynamic memory allocation plug-in of OD to allocate a space to write a patch. the address I get is 30000000. after the patch code is entered, you can directly find a place to write code without the memory allocated by the plug-in.

Original code:
00C159FA 35 8AC0E665 xor eax, 65E6C08A

Patch code:

00C159FA-E9 01A63E2F JMP 30000000

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.