XCyber
2004-09-07
軟件名稱:PRTG v3.26
加殼方式:Armadillo 1.xx - 2.xx
破解工具:Ollydbg,Hiew,ImportREC
軟件介紹:PRTG v3.26是windows平臺下的MRTG,它利用SNMP協議對網絡流量,CPU負載,內存利用率等數據的進行監控,並且生成各種統計圖形,Web頁面和報表。MRTG使用起來複雜,操作都是命令行格式,需要perl支持,而PRTG提供圖形化的嚮導,方便簡單。
軟件下載:http://www.paessler.com/products/prtg
PRTG v3.26是一個標準殼,沒有雙進程,沒有到解密一定頁以後就加密原來頁。
[1]找oep和Dump方法:
1.Olldby加載prtg3.exe,設bp VirtualProtect,一直按F9或shift + F9,直到堆棧第一次出現如下
0012BAEC 010562F9 /CALL 到 VirtualProtect 來自 010562F7
0012BAF0 00400000 |Address = prtg3.00400000
0012BAF4 00000040 |Size = 40 (64.)
0012BAF8 00000004 |NewProtect = PAGE_READWRITE
0012BAFC 0012BB18 /pOldProtect = 0012BB18
繼續按Shift + F9,直到第二次出現與上面一模一樣的情況,停下來。一直按Ctrl + F9回到主線程,並不是prtg3.exe領空
0105634F 50 push eax ;<<<<<<返回到這
01056350 F7D0 not eax
01056352 0FC8 bswap eax
01056354 58 pop eax
01056355 73 00 jnb short 01056357
01056357 9C pushfd
01056358 60 pushad
繼續按F8,慢,直到到達下面
0105638B 0FC8 bswap eax
0105638D F7D1 not ecx
0105638F 0FC8 bswap eax
01056391 F7D1 not ecx
01056393 8B45 F4 mov eax,dword ptr ss:[ebp-C]
01056396 2BDF sub ebx,edi
01056398 0158 3C add dword ptr ds:[eax+3C],ebx ;這句是修改PE的0x3c,把ebx設爲0,防止修改PE頭
繼續F8,到達下面
0105640F E8 ECABFDFF call 01031000
01056414 83E0 03 and eax,3
01056417 8D4D F8 lea ecx,dword ptr ss:[ebp-8]
0105641A 40 inc eax
0105641B 66:0147 06 add word ptr ds:[edi+6],ax ;這裏修改塊數,改ax爲0
0105641F E8 DCABFDFF call 01031000
這樣就去掉Armadillo對PE頭的修改,繼續按Ctrl + F9回到prtg3.exe領空,繼續F8,直到返回到這
006670E4 . 8945 E4 mov dword ptr ss:[ebp-1C],eax ;<<<<<返回到這!
006670E7 . 60 pushad
006670E8 . 33C0 xor eax,eax
006670EA . 75 02 jnz short prtg3.006670EE
006670EC . EB 15 jmp short prtg3.00667103
006670EE > EB 33 jmp short prtg3.00667123
006670F0 C0 db C0
006670F1 . 75 18 jnz short prtg3.0066710B
006670F3 . 7A 0C jpe short prtg3.00667101
006670F5 > 70 0E jo short prtg3.00667105
006670F7 . EB 0D jmp short prtg3.00667106
006670F9 E8 db E8
006670FA 72 db 72 ; CHAR 'r'
006670FB 0E db 0E
006670FC 79 db 79 ; CHAR 'y'
006670FD F1 db F1
006670FE FF db FF
006670FF 15 db 15
00667100 00 db 00
繼續按F8,這裏要小心,好多亂碼,不用管他,直到出現第一個call dword ptr ds:[xxxxxxxx],F7進入
006671C9 . 8BC0 mov eax,eax
006671CB . 6A 00 push 0 ; /Arg1 = 00000000
006671CD . E8 6E000000 call prtg3.00667240 ; /prtg3.00667240
006671D2 . 83C4 04 add esp,4
006671D5 . 6A 00 push 0
006671D7 . E8 DF2C0100 call prtg3.00679EBB
006671DC . 83C4 04 add esp,4
006671DF . 837D E4 01 cmp dword ptr ss:[ebp-1C],1
006671E3 . 75 11 jnz short prtg3.006671F6
006671E5 . 68 C8726900 push prtg3.006972C8
006671EA . FF15 EC726900 call dword ptr ds:[6972EC] ;F7進入
一直F8,直到出現call edi
01057661 E8 1305FFFF call 01047B79
01057666 50 push eax
01057667 A1 88900601 mov eax,dword ptr ds:[1069088]
0105766C 8B48 44 mov ecx,dword ptr ds:[eax+44]
0105766F 3348 20 xor ecx,dword ptr ds:[eax+20]
01057672 3348 10 xor ecx,dword ptr ds:[eax+10]
01057675 2BF9 sub edi,ecx
01057677 FFD7 call edi ; prtg3.0061A7EC <<<<<<這就是eop!!!
F7進入,在這就可Dump了!
[2]尋找magin jump,還原iat:
1.找到oep後,或者確定iat已經處理完後,啓動ImportREC,填入正確的oep,點IAT AutoSearch,看看IAT的第一個地址,這裏是22c230
2.重新啓動,設bp VirtualProtect,在數據窗口看22c230 + 400000 = 62c230,開始時全是0,然後不斷按Ctrl+F9,第一次看到62c230開始變化,這些並不是輸入函數地址(應該是索引這類的),這時一直往下拖,看看iat的尾部在哪,當你看到又全是0時(準確是在Kernel32.dll字符串前,假設kernel32.dll的地址是0xaaaaaaaa),那個iat的長度是0xaaaaaaaa - 62c230
3.接着可以在62c230和後面的幾個DWORD作硬件寫入斷點,Ctrl+F9,直到硬件中斷到如下
010547D3 /73 1D jnb short 010547F2
010547D5 |8B85 1CE8FFFF mov eax,dword ptr ss:[ebp-17E4]
010547DB |8B8D 80E2FFFF mov ecx,dword ptr ss:[ebp-1D80]
010547E1 |8908 mov dword ptr ds:[eax],ecx
010547E3 |8B85 1CE8FFFF mov eax,dword ptr ss:[ebp-17E4] ; prtg3.0062C230 在這裏硬件寫入中斷
010547E9 |83C0 04 add eax,4
010547EC |8985 1CE8FFFF mov dword ptr ss:[ebp-17E4],eax
010547F2 ^/E9 36FDFFFF jmp 0105452D
然後就細心找Magin jump,一直按F8(記住一定要F8),當看到
010546A6 E8 F434FEFF call 01037B9F
010546AB 83C4 0C add esp,0C
010546AE 8D85 74E1FFFF lea eax,dword ptr ss:[ebp-1E8C]
010546B4 50 push eax
010546B5 FFB5 7CE2FFFF push dword ptr ss:[ebp-1D84]
010546BB FF15 30B30501 call dword ptr ds:[105B330] ; MSVCRT._stricmp
010546C1 59 pop ecx
010546C2 59 pop ecx
010546C3 85C0 test eax,eax
010546C5 75 11 jnz short 010546D8 ;改jnz爲jmp,這樣特殊函數就不會加密
010546C7 8B85 74E2FFFF mov eax,dword ptr ss:[ebp-1D8C]
010546CD 8B40 08 mov eax,dword ptr ds:[eax+8]
010546D0 8985 80E2FFFF mov dword ptr ss:[ebp-1D80],eax
010546D6 EB 02 jmp short 010546DA
010546D8 ^ EB 9D jmp short 01054677
010546DA 83BD 80E2FFFF 00 cmp dword ptr ss:[ebp-1D80],0
010546E1 75 3F jnz short 01054722
010546E3 0FB785 84E2FFFF movzx eax,word ptr ss:[ebp-1D7C]
010546EA 85C0 test eax,eax
010546EC 74 0F je short 010546FD
由於當找到magin jump時已有部分iat解碼了,所以重來,重複到第3步,發現iat第一次由0變成有數據時,設bp 1039bf6斷點,然後把jnz改爲jmp,一直到最後一個iat地址被解碼(爲了準確,可以在最後一個iat地址0xaaaaaaaa - 4設置硬件寫入斷點),這是就可以啓動ImportREC設好oep和iat等,然後Get Imports,接着點Show Invalid,把所有invalid cut掉,就大功告成。
[3]脫完殼,然後破解prtg v3.26
0.prtg是用Delphi寫的,破解Delphi方法可以看<<加密與解密>>
1.把ArmAccess.dll考到同一目錄,ArmAccess.dll是欺騙註冊碼校驗的
2.OllyDbg加在脫殼的prtg3.exe,設bp LoadLibraryA,一直按F9,注意堆棧,當堆棧到這裏停下來
=============================================================================
0012FD34 00612C51 /CALL 到 LoadLibraryA 來自 prtg3.00612C4C
0012FD38 00612CB4 /FileName = "ArmAccess.DLL" ;注意!
0012FD3C 0012FD68 指針到下一個 SEH 記錄
0012FD40 00612CA3 SE 句柄
0012FD44 0012FD60
0012FD48 00607ADC prtg3.00607ADC
0012FD4C 016D17B8
0012FD50 016DD238
0012FD54 016DD238
0012FD58 016DD9BC ASCII "TEAM iNFECTED"
0012FD5C 016DEEA0 ASCII "TEAM iNFECTED"
=============================================================================
3.返回prtg3.exe領空:
00612C47 68 B42C6100 push prtg3.00612CB4 ; ASCII "ArmAccess.DLL"
00612C4C E8 D74DDFFF call <jmp.&kernel32.LoadLibraryA>
00612C51 8BF0 mov esi,eax
00612C53 85F6 test esi,esi
00612C55 74 31 je short prtg3.00612C88
00612C57 68 C42C6100 push prtg3.00612CC4 ; ASCII "CheckCode"
00612C5C 56 push esi
00612C5D E8 EE4CDFFF call <jmp.&kernel32.GetProcAddress>
00612C62 8BF8 mov edi,eax
00612C64 897D F4 mov dword ptr ss:[ebp-C],edi
00612C67 85FF test edi,edi
00612C69 74 17 je short prtg3.00612C82
00612C6B 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00612C6E E8 B528DFFF call prtg3.00405528
00612C73 50 push eax
00612C74 8B45 FC mov eax,dword ptr ss:[ebp-4]
00612C77 E8 AC28DFFF call prtg3.00405528
00612C7C 50 push eax
00612C7D FF55 F4 call dword ptr ss:[ebp-C]
00612C80 8BD8 mov ebx,eax
00612C82 56 push esi
00612C83 E8 104CDFFF call <jmp.&kernel32.FreeLibrary>
00612C88 33C0 xor eax,eax
00612C8A 5A pop edx
00612C8B 59 pop ecx
00612C8C 59 pop ecx
00612C8D 64:8910 mov dword ptr fs:[eax],edx
00612C90 68 AA2C6100 push prtg3.00612CAA
00612C95 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00612C98 BA 02000000 mov edx,2
00612C9D E8 EA23DFFF call prtg3.0040508C
00612CA2 C3 retn
4.一直按F8,直到返回到如下代碼:注意!看到"PRTG V3.26 - Pro Edition"沒,所以很快就找到關鍵地方了!!!
006097AB E8 502EFFFF call prtg3.005FC600
006097B0 8BC3 mov eax,ebx
006097B2 E8 79FBFFFF call prtg3.00609330
006097B7 E8 3CF4FFFF call prtg3.00608BF8 ;<<<<<返回到這,我們看到eax==0時就破解了
006097BC 48 dec eax
006097BD 75 0E jnz short prtg3.006097CD
006097BF BA 30996000 mov edx,prtg3.00609930 ; ASCII "PRTG V3.26 - Pro Edition"
006097C4 8BC3 mov eax,ebx
006097C6 E8 A10CE6FF call prtg3.0046A46C
006097CB EB 0C jmp short prtg3.006097D9
006097CD BA 54996000 mov edx,prtg3.00609954 ; ASCII "PRTG V3.26 - Free Edition"
006097D2 8BC3 mov eax,ebx
006097D4 E8 930CE6FF call prtg3.0046A46C
006097D9 E8 1AF4FFFF call prtg3.00608BF8
006097DE 48 dec eax
006097DF 75 1D jnz short prtg3.006097FE
006097E1 8B83 4C030000 mov eax,dword ptr ds:[ebx+34C]
006097E7 33D2 xor edx,edx
006097E9 E8 162FE7FF call prtg3.0047C704
5.重新來一次,到第3步設bp 006097B7斷點,觸發後F7進入:
00608BFD 51 push ecx
00608BFE 51 push ecx
00608BFF 51 push ecx
00608C00 51 push ecx
00608C01 53 push ebx
00608C02 33C0 xor eax,eax
00608C04 55 push ebp
00608C05 68 A78C6000 push prtg3.00608CA7
00608C0A 64:FF30 push dword ptr fs:[eax]
00608C0D 64:8920 mov dword ptr fs:[eax],esp
00608C10 B8 C08C6000 mov eax,prtg3.00608CC0 ; ASCII "edition"
00608C15 E8 E639FFFF call prtg3.005FC600
00608C1A 33DB xor ebx,ebx
00608C1C 8D55 FC lea edx,dword ptr ss:[ebp-4]
00608C1F B8 C88C6000 mov eax,prtg3.00608CC8 ; ASCII "TYPE"
00608C24 E8 E3FCFFFF call prtg3.0060890C
00608C29 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00608C2C 8B4D FC mov ecx,dword ptr ss:[ebp-4]
00608C2F BA D88C6000 mov edx,prtg3.00608CD8 ; ASCII "type="
00608C34 E8 3BC7DFFF call prtg3.00405374
00608C39 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00608C3C E8 BF39FFFF call prtg3.005FC600
00608C41 8B45 FC mov eax,dword ptr ss:[ebp-4]
00608C44 BA E88C6000 mov edx,prtg3.00608CE8
00608C49 E8 26C8DFFF call prtg3.00405474
00608C4E 75 05 jnz short prtg3.00608C55 ;nop it ,crack successfully!
00608C50 BB 01000000 mov ebx,1
00608C55 8D55 FC lea edx,dword ptr ss:[ebp-4]
00608C58 B8 EC8C6000 mov eax,prtg3.00608CEC ; ASCII "EXPIRED"
00608C5D E8 AAFCFFFF call prtg3.0060890C
00608C62 837D FC 00 cmp dword ptr ss:[ebp-4],0
00608C66 74 02 je short prtg3.00608C6A
00608C68 33DB xor ebx,ebx
00608C6A 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00608C6D 8BC3 mov eax,ebx
00608C6F E8 6814E0FF call prtg3.0040A0DC
00608C74 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
00608C77 8D45 F4 lea eax,dword ptr ss:[ebp-C]
00608C7A BA FC8C6000 mov edx,prtg3.00608CFC ; ASCII "edition "
00608C7F E8 F0C6DFFF call prtg3.00405374
00608C84 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00608C87 E8 7439FFFF call prtg3.005FC600
00608C8C 33C0 xor eax,eax
00608C8E 5A pop edx
00608C8F 59 pop ecx
00608C90 59 pop ecx
00608C91 64:8910 mov dword ptr fs:[eax],edx
00608C94 68 AE8C6000 push prtg3.00608CAE
00608C99 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00608C9C BA 04000000 mov edx,4
00608CA1 E8 E6C3DFFF call prtg3.0040508C
00608CA6 C3 retn
00608CA7 ^ E9 F8BCDFFF jmp prtg3.004049A4
00608CAC ^ EB EB jmp short prtg3.00608C99
00608CAE 8BC3 mov eax,ebx
00608CB0 5B pop ebx
00608CB1 8BE5 mov esp,ebp
00608CB3 5D pop ebp
00608CB4 C3 retn
記住00608C4E,先用Peditor查查00608C4E的文件偏移是00208C4E,用Hiew去把它改爲nop nop,搞定!!!
6.到了第5步,prtg3.exe基本破了,但是點註冊頁面時,還是會說沒註冊。進入prtg,打開註冊頁面,設bp LoadLibraryA在註冊頁面點Check Key後,觸發斷點,回到prtg領空。如下:
00612C47 68 B42C6100 push prtg3.00612CB4 ; ASCII "ArmAccess.DLL"
00612C4C E8 D74DDFFF call <jmp.&kernel32.LoadLibraryA>
00612C51 8BF0 mov esi,eax ;<<<<<<返回到這!
00612C53 85F6 test esi,esi
00612C55 74 31 je short prtg3.00612C88
00612C57 68 C42C6100 push prtg3.00612CC4 ; ASCII "CheckCode"
00612C5C 56 push esi
00612C5D E8 EE4CDFFF call <jmp.&kernel32.GetProcAddress>
00612C62 8BF8 mov edi,eax
00612C64 897D F4 mov dword ptr ss:[ebp-C],edi
00612C67 85FF test edi,edi
00612C69 74 17 je short prtg3.00612C82
00612C6B 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00612C6E E8 B528DFFF call prtg3.00405528
00612C73 50 push eax
00612C74 8B45 FC mov eax,dword ptr ss:[ebp-4]
00612C77 E8 AC28DFFF call prtg3.00405528
00612C7C 50 push eax
00612C7D FF55 F4 call dword ptr ss:[ebp-C]
00612C80 8BD8 mov ebx,eax
00612C82 56 push esi
00612C83 E8 104CDFFF call <jmp.&kernel32.FreeLibrary>
00612C88 33C0 xor eax,eax
00612C8A 5A pop edx
00612C8B 59 pop ecx
00612C8C 59 pop ecx
00612C8D 64:8910 mov dword ptr fs:[eax],edx
00612C90 68 AA2C6100 push prtg3.00612CAA
00612C95 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00612C98 BA 02000000 mov edx,2
00612C9D E8 EA23DFFF call prtg3.0040508C
00612CA2 C3 retn
00612CA3 ^ E9 FC1CDFFF jmp prtg3.004049A4
00612CA8 ^ EB EB jmp short prtg3.00612C95
00612CAA 8BC3 mov eax,ebx ;可以看到返回值eax是由ebx傳遞的!
00612CAC 5F pop edi
00612CAD 5E pop esi
00612CAE 5B pop ebx
00612CAF 8BE5 mov esp,ebp
00612CB1 5D pop ebp
00612CB2 C3 retn
一直按F8返回到上一級:
00612DE7 E8 2CFEFFFF call prtg3.00612C18
00612DEC 84C0 test al,al ;<<<<<<返回到這!這是關鍵,判斷返回值,如果al爲0,就是沒註冊
00612DEE 74 6B je short prtg3.00612E5B ; nop it,crack successfully!!!
00612DF0 B2 01 mov dl,1
00612DF2 A1 E8184400 mov eax,dword ptr ds:[4418E8]
00612DF7 E8 10EDE2FF call prtg3.00441B0C
記住00612DEE,文件offest是00212DEE,Hiew修改成nop這樣就可以不要ArmAccess.dll了!
[4]prtg3.exe是用Armadillo 1.xx - 2.xx殼,脫完殼後仍然需要調用ArmAccess.dll來判斷註冊碼。
有兩種方法繞過ArmAccess.dll的限制:
1.利用僞裝的ArmAccess.dll返回正確值
2.修改prtg3.exe繞過ArmAccess.dll的限制,這樣破解就不需要多帶一個ArmAccess.dll
第[3]提到的方法就是繞過ArmAccess.dll的限制
prtg3.exe的破解信息:
oep RVA:21a7ec
iat RVA:22c230
iat len:958
magin jump:1039bf6