Manually unpacking VBox 4.03 with OD, and removing the NAG window that is left behind once the VBox protection is stripped (not covered in the book)

Posted: 2007-3-10 15:19
[Software] VBox 4.03 example: Ulead COOL 3D 2 (《加密与解密》 "Encryption and Decryption", section 13.2.1)
[Platform] Win2000 SP4
[Author email] chubing6143@sina.com
[Tools used] OllyDbg 1.10
[Restriction] VBox 4.03, plus the NAG window that remains after the VBox protection is removed (not covered in the book)
[Cracking tools] OllyDbg v1.10
[Cracking process]
Load the program in OD; it stops at the following code:
004F1000 > FF7424 0C PUSH DWORD PTR SS:[ESP+C]
004F1004 FF7424 0C PUSH DWORD PTR SS:[ESP+C]
004F1008 FF7424 0C PUSH DWORD PTR SS:[ESP+C]
004F100C 68 F539E255 PUSH 55E239F5
004F1011 68 762DAD55 PUSH 55AD2D76
004F1016 68 A93DE255 PUSH 55E23DA9
004F101B 68 533DE255 PUSH 55E23D53
004F1020 FF15 F0114F00 CALL DWORD PTR DS:[<&vboxp403.#1>] ; vboxp403.PreviewExecGate_By_WeijunLi
004F1026 68 FFFFFFFF PUSH -1
004F102B FFD0 CALL EAX ; F7 into this
004F102D C2 0C00 RETN 0C
004F0000 . FF7424 0C PUSH DWORD PTR SS:[ESP+C] ; U3dedit2.005516A8
004F0004 . FF7424 0C PUSH DWORD PTR SS:[ESP+C]
004F0008 . FF7424 0C PUSH DWORD PTR SS:[ESP+C]
004F000C . 68 7FDDA4B6 PUSH B6A4DD7F
004F0011 . 68 1F0EC6BB PUSH BBC60E1F
004F0016 . 68 8C1A176D PUSH 6D171A8C
004F001B . 68 5A4B5F41 PUSH 415F4B5A
004F0020 . FF15 D4014F00 CALL DWORD PTR DS:[4F01D4] ; enters VBOXB403.DLL; after F8 the VBox protection dialog appears, click the TRY button
004F0026 . 68 FFFFFFFF PUSH -1
004F002B . FFD0 CALL EAX ; F7 into this: it is the program's entry point, unpacking is completely finished
004F002D . C2 0C00 RETN 0C
Dump the program here, then repair the imports with ImportRec.
The program still shows an annoying dialog on every run; next we remove it.
Load the unpacked program in OD and step through, alternating F8 and F7:
0046CF20 > $ 55 PUSH EBP
0046CF21 . 8BEC MOV EBP,ESP
0046CF23 . 6A FF PUSH -1
0046CF25 . 68 785C4C00 PUSH U3dedit2.004C5C78
0046CF2A . 68 980F4700 PUSH U3dedit2.00470F98 ; SE handler installation
0046CF2F . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0046CF35 . 50 PUSH EAX
0046CF36 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0046CF3D . 83C4 A8 ADD ESP,-58
0046CF40 . 53 PUSH EBX
0046CF41 . 56 PUSH ESI
0046CF42 . 57 PUSH EDI
0046CF43 . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0046CF46 . FF15 DC6D4E00 CALL DWORD PTR DS:[<&kernel32.GetVersion>; KERNEL32.GetVersion
0046CF4C . 33D2 XOR EDX,EDX
0046CF4E . 8AD4 MOV DL,AH
0046CF50 . 8915 3C304E00 MOV DWORD PTR DS:[4E303C],EDX
0046CF56 . 8BC8 MOV ECX,EAX
0046CF58 . 81E1 FF000000 AND ECX,0FF
0046CF5E . 890D 38304E00 MOV DWORD PTR DS:[4E3038],ECX
0046CF64 . C1E1 08 SHL ECX,8
0046CF67 . 03CA ADD ECX,EDX
0046CF69 . 890D 34304E00 MOV DWORD PTR DS:[4E3034],ECX
0046CF6F . C1E8 10 SHR EAX,10
0046CF72 . A3 30304E00 MOV DWORD PTR DS:[4E3030],EAX
0046CF77 . E8 B41D0000 CALL U3dedit2.0046ED30
0046CF7C . 85C0 TEST EAX,EAX
0046CF7E . 75 0A JNZ SHORT U3dedit2.0046CF8A
0046CF80 . 6A 1C PUSH 1C
0046CF82 . E8 49010000 CALL U3dedit2.0046D0D0
0046CF87 . 83C4 04 ADD ESP,4
0046CF8A > E8 E13D0000 CALL U3dedit2.00470D70
0046CF8F . 85C0 TEST EAX,EAX
0046CF91 . 75 0A JNZ SHORT U3dedit2.0046CF9D
0046CF93 . 6A 10 PUSH 10
0046CF95 . E8 36010000 CALL U3dedit2.0046D0D0
0046CF9A . 83C4 04 ADD ESP,4
0046CF9D > C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
0046CFA4 . E8 A75C0000 CALL U3dedit2.00472C50
0046CFA9 . E8 620B0000 CALL U3dedit2.0046DB10
0046CFAE . FF15 406C4E00 CALL DWORD PTR DS:[<&kernel32.GetCommand>; [GetCommandLineA
0046CFB4 . A3 68364E00 MOV DWORD PTR DS:[4E3668],EAX
0046CFB9 . E8 32840000 CALL U3dedit2.004753F0
0046CFBE . A3 B0304E00 MOV DWORD PTR DS:[4E30B0],EAX
0046CFC3 . 85C0 TEST EAX,EAX
0046CFC5 . 74 09 JE SHORT U3dedit2.0046CFD0
0046CFC7 . A1 68364E00 MOV EAX,DWORD PTR DS:[4E3668]
0046CFCC . 85C0 TEST EAX,EAX
0046CFCE . 75 0A JNZ SHORT U3dedit2.0046CFDA
0046CFD0 > 6A FF PUSH -1
0046CFD2 . E8 E9E9FFFF CALL U3dedit2.0046B9C0
0046CFD7 . 83C4 04 ADD ESP,4
0046CFDA > E8 61810000 CALL U3dedit2.00475140
0046CFDF . E8 6C800000 CALL U3dedit2.00475050
0046CFE4 . E8 A7E9FFFF CALL U3dedit2.0046B990
0046CFE9 . 8B35 68364E00 MOV ESI,DWORD PTR DS:[4E3668]
0046CFEF . 8975 9C MOV DWORD PTR SS:[EBP-64],ESI
0046CFF2 . 803E 22 CMP BYTE PTR DS:[ESI],22
0046CFF5 . 0F85 BE000000 JNZ U3dedit2.0046D0B9
0046CFFB > 46 INC ESI
0046CFFC . 8975 9C MOV DWORD PTR SS:[EBP-64],ESI
0046CFFF . 8A06 MOV AL,BYTE PTR DS:[ESI]
0046D001 . 3C 22 CMP AL,22
0046D003 . 74 1C JE SHORT U3dedit2.0046D021
0046D005 . 84C0 TEST AL,AL
0046D007 . 74 18 JE SHORT U3dedit2.0046D021
0046D009 . 25 FF000000 AND EAX,0FF
0046D00E . 50 PUSH EAX
0046D00F . E8 DC7F0000 CALL U3dedit2.00474FF0
0046D014 . 83C4 04 ADD ESP,4
0046D017 . 85C0 TEST EAX,EAX
0046D019 .^ 74 E0 JE SHORT U3dedit2.0046CFFB
0046D01B . 46 INC ESI
0046D01C . 8975 9C MOV DWORD PTR SS:[EBP-64],ESI
0046D01F .^ EB DA JMP SHORT U3dedit2.0046CFFB
0046D021 > 803E 22 CMP BYTE PTR DS:[ESI],22
0046D024 . 75 04 JNZ SHORT U3dedit2.0046D02A
0046D026 . 46 INC ESI
0046D027 . 8975 9C MOV DWORD PTR SS:[EBP-64],ESI
0046D02A > 8A06 MOV AL,BYTE PTR DS:[ESI]
0046D02C . 84C0 TEST AL,AL
0046D02E . 74 0A JE SHORT U3dedit2.0046D03A
0046D030 . 3C 20 CMP AL,20
0046D032 . 77 06 JA SHORT U3dedit2.0046D03A
0046D034 . 46 INC ESI
0046D035 . 8975 9C MOV DWORD PTR SS:[EBP-64],ESI
0046D038 .^ EB F0 JMP SHORT U3dedit2.0046D02A
0046D03A > C745 D0 00000>MOV DWORD PTR SS:[EBP-30],0
0046D041 . 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
0046D044 . 50 PUSH EAX ; /pStartupinfo
0046D045 . FF15 B06C4E00 CALL DWORD PTR DS:[<&kernel32.GetStartup>; \GetStartupInfoA
0046D04B . F645 D0 01 TEST BYTE PTR SS:[EBP-30],1
0046D04F . 74 0A JE SHORT U3dedit2.0046D05B
0046D051 . 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
0046D054 . 25 FFFF0000 AND EAX,0FFFF
0046D059 . EB 05 JMP SHORT U3dedit2.0046D060
0046D05B > B8 0A000000 MOV EAX,0A
0046D060 > 50 PUSH EAX
0046D061 . 56 PUSH ESI
0046D062 . 6A 00 PUSH 0
0046D064 . 6A 00 PUSH 0 ; /pModule = NULL
0046D066 . FF15 B46C4E00 CALL DWORD PTR DS:[<&kernel32.GetModuleH>; \GetModuleHandleA
0046D06C . 50 PUSH EAX
0046D06D . E8 E5300100 CALL U3dedit2.00480157 ; stepping over with F8 shows the NAG window, so F7 into it
F7 brings us to:
00480157 /$ FF7424 10 PUSH DWORD PTR SS:[ESP+10]
0048015B |. FF7424 10 PUSH DWORD PTR SS:[ESP+10]
0048015F |. FF7424 10 PUSH DWORD PTR SS:[ESP+10]
00480163 |. FF7424 10 PUSH DWORD PTR SS:[ESP+10]
00480167 |. E8 989E0000 CALL U3dedit2.0048A004 ; F7 into this
0048016C \. C2 1000 RETN 10
F7 brings us to:
0048A004 /$ 53 PUSH EBX
0048A005 |. 56 PUSH ESI
0048A006 |. 57 PUSH EDI
0048A007 |. 83CB FF OR EBX,FFFFFFFF
0048A00A |. E8 753F0100 CALL U3dedit2.0049DF84
0048A00F |. FF7424 1C PUSH DWORD PTR SS:[ESP+1C]
0048A013 |. 8B78 04 MOV EDI,DWORD PTR DS:[EAX+4]
0048A016 |. FF7424 1C PUSH DWORD PTR SS:[ESP+1C]
0048A01A |. FF7424 1C PUSH DWORD PTR SS:[ESP+1C]
0048A01E |. FF7424 1C PUSH DWORD PTR SS:[ESP+1C]
0048A022 |. E8 BC660100 CALL U3dedit2.004A06E3
0048A027 |. 85C0 TEST EAX,EAX
0048A029 |. 74 31 JE SHORT U3dedit2.0048A05C
0048A02B |. 8B37 MOV ESI,DWORD PTR DS:[EDI]
0048A02D |. 8BCF MOV ECX,EDI
0048A02F |. FF96 8C000000 CALL DWORD PTR DS:[ESI+8C]
0048A035 |. 85C0 TEST EAX,EAX
0048A037 |. 74 23 JE SHORT U3dedit2.0048A05C
0048A039 |. 8BCF MOV ECX,EDI
0048A03B |. FF56 58 CALL DWORD PTR DS:[ESI+58] ; stepping over with F8 shows the NAG window, so F7 into it
F7 brings us to:
00455369 . B8 AA364B00 MOV EAX,U3dedit2.004B36AA
0045536E . E8 AD550100 CALL U3dedit2.0046A920
00455373 . 81EC 40010000 SUB ESP,140
00455379 . 53 PUSH EBX
0045537A . 56 PUSH ESI
0045537B . 57 PUSH EDI
0045537C . 8BF1 MOV ESI,ECX
0045537E . 68 E0B64D00 PUSH U3dedit2.004DB6E0 ; /FileName = "U3drc2.DLL"
00455383 . FF15 FC6D4E00 CALL DWORD PTR DS:[<&kernel32.LoadLibrar>; \LoadLibraryA
00455389 . 8BF8 MOV EDI,EAX
0045538B . 33DB XOR EBX,EBX
0045538D . 3BFB CMP EDI,EBX
0045538F . 89BE 6C030000 MOV DWORD PTR DS:[ESI+36C],EDI
00455395 . 0F84 D7060000 JE U3dedit2.00455A72
0045539B . E8 E48B0400 CALL U3dedit2.0049DF84
004553A0 . 8978 0C MOV DWORD PTR DS:[EAX+C],EDI
004553A3 . 6A 02 PUSH 2
004553A5 . BF D0B44D00 MOV EDI,U3dedit2.004DB4D0 ; ASCII "RenderSetting"
004553AA . 68 F0B44D00 PUSH U3dedit2.004DB4F0 ; ASCII "AAScale"
004553AF . 57 PUSH EDI
004553B0 . 8BCE MOV ECX,ESI
004553B2 . E8 42990400 CALL U3dedit2.0049ECF9
004553B7 . 6A 01 PUSH 1
004553B9 . 8986 FC020000 MOV DWORD PTR DS:[ESI+2FC],EAX
004553BF . 59 POP ECX
004553C0 . 3BC1 CMP EAX,ECX
004553C2 . 7C 07 JL SHORT U3dedit2.004553CB
004553C4 . 6A 03 PUSH 3
004553C6 . 59 POP ECX
004553C7 . 3BC1 CMP EAX,ECX
004553C9 . 7E 06 JLE SHORT U3dedit2.004553D1
004553CB > 898E FC020000 MOV DWORD PTR DS:[ESI+2FC],ECX
004553D1 > 53 PUSH EBX
004553D2 . 68 F8B44D00 PUSH U3dedit2.004DB4F8 ; ASCII "AAMulti"
004553D7 . 57 PUSH EDI
004553D8 . 8BCE MOV ECX,ESI
004553DA . E8 1A990400 CALL U3dedit2.0049ECF9
004553DF . 3BC3 CMP EAX,EBX
004553E1 . 8986 00030000 MOV DWORD PTR DS:[ESI+300],EAX
004553E7 . 7D 08 JGE SHORT U3dedit2.004553F1
004553E9 . 899E 00030000 MOV DWORD PTR DS:[ESI+300],EBX
004553EF . EB 0D JMP SHORT U3dedit2.004553FE
004553F1 > 6A 07 PUSH 7
004553F3 . 59 POP ECX
004553F4 . 3BC1 CMP EAX,ECX
004553F6 . 7E 06 JLE SHORT U3dedit2.004553FE
004553F8 . 898E 00030000 MOV DWORD PTR DS:[ESI+300],ECX
004553FE > 8B86 FC020000 MOV EAX,DWORD PTR DS:[ESI+2FC]
00455404 . 8B8E 00030000 MOV ECX,DWORD PTR DS:[ESI+300]
0045540A . 899E 70030000 MOV DWORD PTR DS:[ESI+370],EBX
00455410 . 8D0480 LEA EAX,DWORD PTR DS:[EAX+EAX*4]
00455413 . 8D1441 LEA EDX,DWORD PTR DS:[ECX+EAX*2]
00455416 > 8B8E 70030000 MOV ECX,DWORD PTR DS:[ESI+370]
0045541C . 8B048D 40B64D>MOV EAX,DWORD PTR DS:[ECX*4+4DB640]
00455423 . 8B1C8D 28B64D>MOV EBX,DWORD PTR DS:[ECX*4+4DB628]
0045542A . 8D0480 LEA EAX,DWORD PTR DS:[EAX+EAX*4]
0045542D . 8D0443 LEA EAX,DWORD PTR DS:[EBX+EAX*2]
00455430 . 3BD0 CMP EDX,EAX
00455432 . 7E 0C JLE SHORT U3dedit2.00455440
00455434 . 41 INC ECX
00455435 . 83F9 05 CMP ECX,5
00455438 . 898E 70030000 MOV DWORD PTR DS:[ESI+370],ECX
0045543E .^ 7C D6 JL SHORT U3dedit2.00455416
00455440 > 6A 02 PUSH 2
00455442 . 8BCE MOV ECX,ESI
00455444 . 5B POP EBX
00455445 . 53 PUSH EBX
00455446 . 68 00B54D00 PUSH U3dedit2.004DB500 ; ASCII "OutputQuality"
0045544B . 57 PUSH EDI
0045544C . E8 A8980400 CALL U3dedit2.0049ECF9
00455451 . 8D8E 74030000 LEA ECX,DWORD PTR DS:[ESI+374]
00455457 . 8901 MOV DWORD PTR DS:[ECX],EAX
00455459 . 8B96 70030000 MOV EDX,DWORD PTR DS:[ESI+370]
0045545F . 3BC2 CMP EAX,EDX
00455461 . 7C 07 JL SHORT U3dedit2.0045546A
00455463 . 6A 05 PUSH 5
00455465 . 5A POP EDX
00455466 . 3BC2 CMP EAX,EDX
00455468 . 7E 02 JLE SHORT U3dedit2.0045546C
0045546A > 8911 MOV DWORD PTR DS:[ECX],EDX
0045546C > 6A 00 PUSH 0
0045546E . 68 10B54D00 PUSH U3dedit2.004DB510 ; ASCII "Unit"
00455473 . 57 PUSH EDI
00455474 . 8BCE MOV ECX,ESI
00455476 . E8 7E980400 CALL U3dedit2.0049ECF9
0045547B . 8D8E 04030000 LEA ECX,DWORD PTR DS:[ESI+304]
00455481 . 85C0 TEST EAX,EAX
00455483 . 8901 MOV DWORD PTR DS:[ECX],EAX
00455485 . 7D 05 JGE SHORT U3dedit2.0045548C
00455487 . 8321 00 AND DWORD PTR DS:[ECX],0
0045548A . EB 06 JMP SHORT U3dedit2.00455492
0045548C > 3BC3 CMP EAX,EBX
0045548E . 7E 02 JLE SHORT U3dedit2.00455492
00455490 . 8919 MOV DWORD PTR DS:[ECX],EBX
00455492 > 68 751A0000 PUSH 1A75
00455497 . 68 18B54D00 PUSH U3dedit2.004DB518 ; ASCII "DefaultWidth"
0045549C . 57 PUSH EDI
0045549D . 8BCE MOV ECX,ESI
0045549F . E8 55980400 CALL U3dedit2.0049ECF9
004554A4 . 6A 01 PUSH 1
004554A6 . 8D8E 08030000 LEA ECX,DWORD PTR DS:[ESI+308]
004554AC . 5A POP EDX
004554AD . BB FF7F0000 MOV EBX,7FFF
004554B2 . 3BC2 CMP EAX,EDX
004554B4 . 8901 MOV DWORD PTR DS:[ECX],EAX
004554B6 . 7D 04 JGE SHORT U3dedit2.004554BC
004554B8 . 8911 MOV DWORD PTR DS:[ECX],EDX
004554BA . EB 06 JMP SHORT U3dedit2.004554C2
004554BC > 3BC3 CMP EAX,EBX
004554BE . 7E 02 JLE SHORT U3dedit2.004554C2
004554C0 . 8919 MOV DWORD PTR DS:[ECX],EBX
004554C2 > 68 D8130000 PUSH 13D8
004554C7 . 68 28B54D00 PUSH U3dedit2.004DB528 ; ASCII "DefaultHeight"
004554CC . 57 PUSH EDI
004554CD . 8BCE MOV ECX,ESI
004554CF . E8 25980400 CALL U3dedit2.0049ECF9
004554D4 . 6A 01 PUSH 1
004554D6 . 8D8E 0C030000 LEA ECX,DWORD PTR DS:[ESI+30C]
004554DC . 5A POP EDX
004554DD . 3BC2 CMP EAX,EDX
004554DF . 8901 MOV DWORD PTR DS:[ECX],EAX
004554E1 . 7D 04 JGE SHORT U3dedit2.004554E7
004554E3 . 8911 MOV DWORD PTR DS:[ECX],EDX
004554E5 . EB 06 JMP SHORT U3dedit2.004554ED
004554E7 > 3BC3 CMP EAX,EBX
004554E9 . 7E 02 JLE SHORT U3dedit2.004554ED
004554EB . 8919 MOV DWORD PTR DS:[ECX],EBX
004554ED > 68 D4B64D00 PUSH U3dedit2.004DB6D4 ; ASCII "0x1FFFFFFF"
004554F2 . 68 38B54D00 PUSH U3dedit2.004DB538 ; ASCII "PasteProperties"
004554F7 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004554FA . 57 PUSH EDI
004554FB . 50 PUSH EAX
004554FC . 8BCE MOV ECX,ESI
004554FE . E8 62980400 CALL U3dedit2.0049ED65
00455503 . 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
00455507 . 8D86 3C030000 LEA EAX,DWORD PTR DS:[ESI+33C]
0045550D . 50 PUSH EAX
0045550E . 68 D0B64D00 PUSH U3dedit2.004DB6D0 ; ASCII "%x"
00455513 . FF75 EC PUSH DWORD PTR SS:[EBP-14]
00455516 . E8 756B0100 CALL U3dedit2.0046C090
0045551B . 83C4 0C ADD ESP,0C
0045551E . 8BCE MOV ECX,ESI
00455520 . 6A 01 PUSH 1
00455522 . 68 48B54D00 PUSH U3dedit2.004DB548 ; ASCII "GifInterlace"
00455527 . 57 PUSH EDI
00455528 . E8 CC970400 CALL U3dedit2.0049ECF9
0045552D . 6A 01 PUSH 1
0045552F . 68 58B54D00 PUSH U3dedit2.004DB558 ; ASCII "GifDither"
00455534 . 57 PUSH EDI
00455535 . 8BCE MOV ECX,ESI
00455537 . 8986 10030000 MOV DWORD PTR DS:[ESI+310],EAX
0045553D . E8 B7970400 CALL U3dedit2.0049ECF9
00455542 . 68 EC000000 PUSH 0EC
00455547 . 68 68B54D00 PUSH U3dedit2.004DB568 ; ASCII "GifColors"
0045554C . 57 PUSH EDI
0045554D . 8BCE MOV ECX,ESI
0045554F . 8986 14030000 MOV DWORD PTR DS:[ESI+314],EAX
00455555 . E8 9F970400 CALL U3dedit2.0049ECF9
0045555A . 6A 10 PUSH 10
0045555C . 8D8E 18030000 LEA ECX,DWORD PTR DS:[ESI+318]
00455562 . 5A POP EDX
00455563 . 3BC2 CMP EAX,EDX
00455565 . 8901 MOV DWORD PTR DS:[ECX],EAX
00455567 . 7C 09 JL SHORT U3dedit2.00455572
00455569 . BA 00010000 MOV EDX,100
0045556E . 3BC2 CMP EAX,EDX
00455570 . 7E 02 JLE SHORT U3dedit2.00455574
00455572 > 8911 MOV DWORD PTR DS:[ECX],EDX
00455574 > 6A 0A PUSH 0A
00455576 . 68 78B54D00 PUSH U3dedit2.004DB578 ; ASCII "GifDelay"
0045557B . 57 PUSH EDI
0045557C . 8BCE MOV ECX,ESI
0045557E . E8 76970400 CALL U3dedit2.0049ECF9
00455583 . 8D8E 1C030000 LEA ECX,DWORD PTR DS:[ESI+31C]
00455589 . 85C0 TEST EAX,EAX
0045558B . 8901 MOV DWORD PTR DS:[ECX],EAX
0045558D . 7D 03 JGE SHORT U3dedit2.00455592
0045558F . 8321 00 AND DWORD PTR DS:[ECX],0
00455592 > 6A 01 PUSH 1
00455594 . 68 88B54D00 PUSH U3dedit2.004DB588 ; ASCII "JpgProgressive"
00455599 . 57 PUSH EDI
0045559A . 8BCE MOV ECX,ESI
0045559C . E8 58970400 CALL U3dedit2.0049ECF9
004555A1 . 6A 02 PUSH 2
004555A3 . 8BCE MOV ECX,ESI
004555A5 . 5B POP EBX
004555A6 . 8986 20030000 MOV DWORD PTR DS:[ESI+320],EAX
004555AC . 53 PUSH EBX
004555AD . 68 98B54D00 PUSH U3dedit2.004DB598 ; ASCII "JpgSubsampling"
004555B2 . 57 PUSH EDI
004555B3 . E8 41970400 CALL U3dedit2.0049ECF9
004555B8 . 8D8E 24030000 LEA ECX,DWORD PTR DS:[ESI+324]
004555BE . 85C0 TEST EAX,EAX
004555C0 . 8901 MOV DWORD PTR DS:[ECX],EAX
004555C2 . 7D 05 JGE SHORT U3dedit2.004555C9
004555C4 . 8321 00 AND DWORD PTR DS:[ECX],0
004555C7 . EB 06 JMP SHORT U3dedit2.004555CF
004555C9 > 3BC3 CMP EAX,EBX
004555CB . 7E 02 JLE SHORT U3dedit2.004555CF
004555CD . 8919 MOV DWORD PTR DS:[ECX],EBX
004555CF > 6A 50 PUSH 50
004555D1 . 68 A8B54D00 PUSH U3dedit2.004DB5A8 ; ASCII "JpgQality"
004555D6 . 57 PUSH EDI
004555D7 . 8BCE MOV ECX,ESI
004555D9 . E8 1B970400 CALL U3dedit2.0049ECF9
004555DE . 8D8E 28030000 LEA ECX,DWORD PTR DS:[ESI+328]
004555E4 . 33DB XOR EBX,EBX
004555E6 . 3BC3 CMP EAX,EBX
004555E8 . 8901 MOV DWORD PTR DS:[ECX],EAX
004555EA . 7D 04 JGE SHORT U3dedit2.004555F0
004555EC . 8919 MOV DWORD PTR DS:[ECX],EBX
004555EE . EB 09 JMP SHORT U3dedit2.004555F9
004555F0 > 6A 64 PUSH 64
004555F2 . 5A POP EDX
004555F3 . 3BC2 CMP EAX,EDX
004555F5 . 7E 02 JLE SHORT U3dedit2.004555F9
004555F7 . 8911 MOV DWORD PTR DS:[ECX],EDX
004555F9 > 6A 0F PUSH 0F
004555FB . 68 E0B54D00 PUSH U3dedit2.004DB5E0 ; ASCII "AviRate"
00455600 . 57 PUSH EDI
00455601 . 8BCE MOV ECX,ESI
00455603 . E8 F1960400 CALL U3dedit2.0049ECF9
00455608 . 6A 01 PUSH 1
0045560A . 68 E8B54D00 PUSH U3dedit2.004DB5E8 ; ASCII "AviScale"
0045560F . 57 PUSH EDI
00455610 . 8BCE MOV ECX,ESI
00455612 . 8986 2C030000 MOV DWORD PTR DS:[ESI+32C],EAX
00455618 . E8 DC960400 CALL U3dedit2.0049ECF9
0045561D . 6A 01 PUSH 1
0045561F . 68 B8B54D00 PUSH U3dedit2.004DB5B8 ; ASCII "ImageTransparent"
00455624 . 57 PUSH EDI
00455625 . 8BCE MOV ECX,ESI
00455627 . 8986 30030000 MOV DWORD PTR DS:[ESI+330],EAX
0045562D . E8 C7960400 CALL U3dedit2.0049ECF9
00455632 . 53 PUSH EBX
00455633 . 68 D0B54D00 PUSH U3dedit2.004DB5D0 ; ASCII "ImageSequence"
00455638 . 57 PUSH EDI
00455639 . 8BCE MOV ECX,ESI
0045563B . 8986 34030000 MOV DWORD PTR DS:[ESI+334],EAX
00455641 . E8 B3960400 CALL U3dedit2.0049ECF9
00455646 . 8986 38030000 MOV DWORD PTR DS:[ESI+338],EAX
0045564C . E8 17B70200 CALL U3dedit2.00480D68
00455651 . 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
00455654 . 8BD8 MOV EBX,EAX
00455656 > FF75 F0 PUSH DWORD PTR SS:[EBP-10] ; /<%02d>
00455659 . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48] ; |
0045565C . 68 18B64D00 PUSH U3dedit2.004DB618 ; |Format = "Color%02d"
00455661 . 50 PUSH EAX ; |s
00455662 . FF15 D4704E00 CALL DWORD PTR DS:[<&user32.wsprintfA>] ; \wsprintfA
00455668 . 83C4 0C ADD ESP,0C
0045566B . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
0045566E . 8BCE MOV ECX,ESI
00455670 . 68 FFFFFF00 PUSH 0FFFFFF
00455675 . 50 PUSH EAX
00455676 . 68 08B64D00 PUSH U3dedit2.004DB608 ; ASCII "UserColor"
0045567B . E8 79960400 CALL U3dedit2.0049ECF9
00455680 . FF45 F0 INC DWORD PTR SS:[EBP-10]
00455683 . 8903 MOV DWORD PTR DS:[EBX],EAX
00455685 . 83C3 04 ADD EBX,4
00455688 . 837D F0 10 CMP DWORD PTR SS:[EBP-10],10
0045568C .^ 7C C8 JL SHORT U3dedit2.00455656
0045568E . 6A 01 PUSH 1
00455690 . 68 E0B44D00 PUSH U3dedit2.004DB4E0 ; ASCII "FirstRun001"
00455695 . 57 PUSH EDI
00455696 . 8BCE MOV ECX,ESI
00455698 . E8 5C960400 CALL U3dedit2.0049ECF9
0045569D . 85C0 TEST EAX,EAX
0045569F . 0F84 A4000000 JE U3dedit2.00455749
004556A5 . 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
004556AB . 68 04010000 PUSH 104 ; /BufSize = 104 (260.)
004556B0 . 50 PUSH EAX ; |Buffer
004556B1 . FF15 606C4E00 CALL DWORD PTR DS:[<&kernel32.GetSystemD>; \GetSystemDirectoryA
004556B7 . 85C0 TEST EAX,EAX
004556B9 . 74 7C JE SHORT U3dedit2.00455737
004556BB . 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
004556C1 . 50 PUSH EAX
004556C2 . E8 896F0100 CALL U3dedit2.0046C650
004556C7 . 80BC05 B3FEFF>CMP BYTE PTR SS:[EBP+EAX-14D],5C
004556CF . 59 POP ECX
004556D0 . 74 10 JE SHORT U3dedit2.004556E2
004556D2 . C68405 B4FEFF>MOV BYTE PTR SS:[EBP+EAX-14C],5C
004556DA . 80A405 B5FEFF>AND BYTE PTR SS:[EBP+EAX-14B],0
004556E2 > 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
004556E8 . 68 C4B64D00 PUSH U3dedit2.004DB6C4 ; ASCII "DKRNL.JAX"
004556ED . 50 PUSH EAX
004556EE . E8 ED560100 CALL U3dedit2.0046ADE0
004556F3 . 59 POP ECX
004556F4 . 33DB XOR EBX,EBX
004556F6 . 59 POP ECX
004556F7 . 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
004556FD . 53 PUSH EBX ; /hTemplateFile => NULL
004556FE . 53 PUSH EBX ; |Attributes => 0
004556FF . 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
00455701 . 53 PUSH EBX ; |pSecurity => NULL
00455702 . 53 PUSH EBX ; |ShareMode => 0
00455703 . 53 PUSH EBX ; |Access => 0
00455704 . 50 PUSH EAX ; |FileName
00455705 . FF15 4C6C4E00 CALL DWORD PTR DS:[<&kernel32.CreateFile>; \CreateFileA
0045570B . 83F8 FF CMP EAX,-1
0045570E . 75 1E JNZ SHORT U3dedit2.0045572E
00455710 . 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
00455716 . 50 PUSH EAX ; /FileName
00455717 . 68 C0B64D00 PUSH U3dedit2.004DB6C0 ; |String = "1"
0045571C . 68 B4B64D00 PUSH U3dedit2.004DB6B4 ; |Key = "RUNFIRST"
00455721 . 68 A8B64D00 PUSH U3dedit2.004DB6A8 ; |Section = "CHECKRUN"
00455726 . FF15 506C4E00 CALL DWORD PTR DS:[<&kernel32.WritePriva>; \WritePrivateProfileStringA
0045572C . EB 0B JMP SHORT U3dedit2.00455739
0045572E > 50 PUSH EAX ; /hObject
0045572F . FF15 546C4E00 CALL DWORD PTR DS:[<&kernel32.CloseHandl>; \CloseHandle
00455735 . EB 02 JMP SHORT U3dedit2.00455739
00455737 > 33DB XOR EBX,EBX
00455739 > 53 PUSH EBX ; /Arg3
0045573A . 68 E0B44D00 PUSH U3dedit2.004DB4E0 ; |Arg2 = 004DB4E0 ASCII "FirstRun001"
0045573F . 57 PUSH EDI ; |Arg1
00455740 . 8BCE MOV ECX,ESI ; |
00455742 . E8 4FE90300 CALL U3dedit2.00494096 ; \U3dedit2.00494096
00455747 . EB 02 JMP SHORT U3dedit2.0045574B
00455749 > 33DB XOR EBX,EBX
0045574B > FF15 54714E00 CALL DWORD PTR DS:[<&about.InitAboutDll>>; about.InitAboutDll
00455751 . 85C0 TEST EAX,EAX
00455753 . 0F84 0D030000 JE U3dedit2.00455A66
00455759 . FF76 68 PUSH DWORD PTR DS:[ESI+68]
0045575C . FF15 48714E00 CALL DWORD PTR DS:[<&about.IsFullVersion>; about.IsFullVersion
00455762 . F7D8 NEG EAX
00455764 . 1BC0 SBB EAX,EAX
00455766 . 59 POP ECX
00455767 . 40 INC EAX
00455768 . 8986 C0000000 MOV DWORD PTR DS:[ESI+C0],EAX ; this memory flag is also checked when the program exits, so the better patch is to make the flag correct here
0045576E . 74 0E JE SHORT U3dedit2.0045577E ; forcing this jump alone is enough for startup
00455770 . FF15 4C714E00 CALL DWORD PTR DS:[<&about.CheckTimeLimi>; about.CheckTimeLimit
00455776 . 85C0 TEST EAX,EAX
00455778 . 0F84 E8020000 JE U3dedit2.00455A66
0045577E > 8DBE E8000000 LEA EDI,DWORD PTR DS:[ESI+E8]
Changing 0045576E directly to an unconditional jump removes the NAG window at startup, but the NAG still appears when the program exits, so instead modify the code above to:
00455762 90 NOP
00455763 90 NOP
00455764 1BC0 SBB EAX,EAX
00455766 59 POP ECX
00455767 90 NOP
00455768 . 8986 C0000000 MOV DWORD PTR DS:[ESI+C0],EAX
That gives a complete patch.
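The NEG EAX / SBB EAX,EAX / INC EAX sequence after the about.IsFullVersion call is the compiler's idiom for `eax = (eax == 0)`, which is why the original text says the flag at [ESI+C0] must be made "correct" rather than simply jumped over. The C model below is an added example, not code from the original post: it simulates the EAX/CF/ZF behaviour of those three instructions to show what value lands in [ESI+C0] (0 for a full version, 1 for a trial) and why the JE at 0045576E is taken only in the full-version case, and it also runs the patched form (NEG and INC replaced by NOPs) to show that its result depends only on the carry flag left behind by IsFullVersion. The function names and the flag model are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the original post: a minimal model of the
 * x86 flag semantics behind the three instructions that follow the
 * about.IsFullVersion call. Only EAX, CF and ZF are modelled, which is all
 * this sequence touches. The function names below are the example's own. */

typedef struct {
    uint32_t eax;
    bool cf; /* carry flag */
    bool zf; /* zero flag  */
} cpu_t;

/* NEG EAX: EAX = 0 - EAX. CF is set iff the operand was non-zero. */
static void neg_eax(cpu_t *c) {
    c->cf = (c->eax != 0);
    c->eax = 0u - c->eax;
    c->zf = (c->eax == 0);
}

/* SBB EAX,EAX: EAX = EAX - EAX - CF, i.e. 0xFFFFFFFF if CF is set, else 0. */
static void sbb_eax_eax(cpu_t *c) {
    c->eax = c->cf ? 0xFFFFFFFFu : 0u;
    c->zf = (c->eax == 0);
    /* a borrow happens exactly when CF was set, so CF keeps its value */
}

/* INC EAX: EAX += 1. Updates ZF, leaves CF untouched. */
static void inc_eax(cpu_t *c) {
    c->eax += 1u;
    c->zf = (c->eax == 0);
}

/* Original path (00455762..00455767): NEG / SBB / INC.
 * CF on entry is irrelevant because NEG overwrites it. */
static cpu_t run_original(uint32_t is_full_version) {
    cpu_t c = { is_full_version, false, false };
    neg_eax(&c);
    sbb_eax_eax(&c);
    inc_eax(&c);
    return c;
}

/* Patched path from the post: NEG and INC replaced by NOPs, SBB kept.
 * The result now depends only on the CF that IsFullVersion returned with. */
static cpu_t run_patched(uint32_t eax_in, bool cf_in) {
    cpu_t c = { eax_in, cf_in, false };
    sbb_eax_eax(&c);
    return c;
}

/* Value written to [ESI+C0] by the original sequence: 0 = full, 1 = trial. */
uint32_t original_flag(uint32_t is_full_version) {
    return run_original(is_full_version).eax;
}

/* Whether the JE at 0045576E is taken (ZF set) after the original sequence,
 * i.e. whether CheckTimeLimit is skipped. */
bool original_skips_time_check(uint32_t is_full_version) {
    return run_original(is_full_version).zf;
}

/* Same two questions for the patched sequence. */
uint32_t patched_flag(uint32_t eax_in, bool cf_in) {
    return run_patched(eax_in, cf_in).eax;
}

bool patched_skips_time_check(uint32_t eax_in, bool cf_in) {
    return run_patched(eax_in, cf_in).zf;
}

int main(void) {
    printf("original: IsFullVersion=0 -> flag=%u, skip=%d\n",
           original_flag(0), original_skips_time_check(0));
    printf("original: IsFullVersion=1 -> flag=%u, skip=%d\n",
           original_flag(1), original_skips_time_check(1));
    printf("patched : CF=0 -> flag=%u, skip=%d\n",
           patched_flag(0, false), patched_skips_time_check(0, false));
    printf("patched : CF=1 -> flag=%u, skip=%d\n",
           patched_flag(0, true), patched_skips_time_check(0, true));
    return 0;
}
```

Two things the model makes visible: [ESI+C0] is a plain "is trial" boolean, so the exit-time check reads the same single word that the startup path writes, and the patched sequence yields the full-version value only when IsFullVersion happens to return with CF clear. From a design standpoint, a licence state kept in one writable memory word and consulted at two points is a single point of failure, which is why it can be neutralised by changing three bytes.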
00455569 . BA 00010000 MOV EDX,100
0045556E . 3BC2 CMP EAX,EDX
00455570 . 7E 02 JLE SHORT U3dedit2.00455574
00455572 > 8911 MOV DWORD PTR DS:[ECX],EDX
00455574 > 6A 0A PUSH 0A
00455576 . 68 78B54D00 PUSH U3dedit2.004DB578 ; ASCII "GifDelay"
0045557B . 57 PUSH EDI
0045557C . 8BCE MOV ECX,ESI
0045557E . E8 76970400 CALL U3dedit2.0049ECF9
00455583 . 8D8E 1C030000 LEA ECX,DWORD PTR DS:[ESI+31C]
00455589 . 85C0 TEST EAX,EAX
0045558B . 8901 MOV DWORD PTR DS:[ECX],EAX
0045558D . 7D 03 JGE SHORT U3dedit2.00455592
0045558F . 8321 00 AND DWORD PTR DS:[ECX],0
00455592 > 6A 01 PUSH 1
00455594 . 68 88B54D00 PUSH U3dedit2.004DB588 ; ASCII "JpgProgressive"
00455599 . 57 PUSH EDI
0045559A . 8BCE MOV ECX,ESI
0045559C . E8 58970400 CALL U3dedit2.0049ECF9
004555A1 . 6A 02 PUSH 2
004555A3 . 8BCE MOV ECX,ESI
004555A5 . 5B POP EBX
004555A6 . 8986 20030000 MOV DWORD PTR DS:[ESI+320],EAX
004555AC . 53 PUSH EBX
004555AD . 68 98B54D00 PUSH U3dedit2.004DB598 ; ASCII "JpgSubsampling"
004555B2 . 57 PUSH EDI
004555B3 . E8 41970400 CALL U3dedit2.0049ECF9
004555B8 . 8D8E 24030000 LEA ECX,DWORD PTR DS:[ESI+324]
004555BE . 85C0 TEST EAX,EAX
004555C0 . 8901 MOV DWORD PTR DS:[ECX],EAX
004555C2 . 7D 05 JGE SHORT U3dedit2.004555C9
004555C4 . 8321 00 AND DWORD PTR DS:[ECX],0
004555C7 . EB 06 JMP SHORT U3dedit2.004555CF
004555C9 > 3BC3 CMP EAX,EBX
004555CB . 7E 02 JLE SHORT U3dedit2.004555CF
004555CD . 8919 MOV DWORD PTR DS:[ECX],EBX
004555CF > 6A 50 PUSH 50
004555D1 . 68 A8B54D00 PUSH U3dedit2.004DB5A8 ; ASCII "JpgQality"
004555D6 . 57 PUSH EDI
004555D7 . 8BCE MOV ECX,ESI
004555D9 . E8 1B970400 CALL U3dedit2.0049ECF9
004555DE . 8D8E 28030000 LEA ECX,DWORD PTR DS:[ESI+328]
004555E4 . 33DB XOR EBX,EBX
004555E6 . 3BC3 CMP EAX,EBX
004555E8 . 8901 MOV DWORD PTR DS:[ECX],EAX
004555EA . 7D 04 JGE SHORT U3dedit2.004555F0
004555EC . 8919 MOV DWORD PTR DS:[ECX],EBX
004555EE . EB 09 JMP SHORT U3dedit2.004555F9
004555F0 > 6A 64 PUSH 64
004555F2 . 5A POP EDX
004555F3 . 3BC2 CMP EAX,EDX
004555F5 . 7E 02 JLE SHORT U3dedit2.004555F9
004555F7 . 8911 MOV DWORD PTR DS:[ECX],EDX
004555F9 > 6A 0F PUSH 0F
004555FB . 68 E0B54D00 PUSH U3dedit2.004DB5E0 ; ASCII "AviRate"
00455600 . 57 PUSH EDI
00455601 . 8BCE MOV ECX,ESI
00455603 . E8 F1960400 CALL U3dedit2.0049ECF9
00455608 . 6A 01 PUSH 1
0045560A . 68 E8B54D00 PUSH U3dedit2.004DB5E8 ; ASCII "AviScale"
0045560F . 57 PUSH EDI
00455610 . 8BCE MOV ECX,ESI
00455612 . 8986 2C030000 MOV DWORD PTR DS:[ESI+32C],EAX
00455618 . E8 DC960400 CALL U3dedit2.0049ECF9
0045561D . 6A 01 PUSH 1
0045561F . 68 B8B54D00 PUSH U3dedit2.004DB5B8 ; ASCII "ImageTransparent"
00455624 . 57 PUSH EDI
00455625 . 8BCE MOV ECX,ESI
00455627 . 8986 30030000 MOV DWORD PTR DS:[ESI+330],EAX
0045562D . E8 C7960400 CALL U3dedit2.0049ECF9
00455632 . 53 PUSH EBX
00455633 . 68 D0B54D00 PUSH U3dedit2.004DB5D0 ; ASCII "ImageSequence"
00455638 . 57 PUSH EDI
00455639 . 8BCE MOV ECX,ESI
0045563B . 8986 34030000 MOV DWORD PTR DS:[ESI+334],EAX
00455641 . E8 B3960400 CALL U3dedit2.0049ECF9
00455646 . 8986 38030000 MOV DWORD PTR DS:[ESI+338],EAX
0045564C . E8 17B70200 CALL U3dedit2.00480D68
00455651 . 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
00455654 . 8BD8 MOV EBX,EAX
00455656 > FF75 F0 PUSH DWORD PTR SS:[EBP-10] ; /<%02d>
00455659 . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48] ; |
0045565C . 68 18B64D00 PUSH U3dedit2.004DB618 ; |Format = "Color%02d"
00455661 . 50 PUSH EAX ; |s
00455662 . FF15 D4704E00 CALL DWORD PTR DS:[<&user32.wsprintfA>] ; \wsprintfA
00455668 . 83C4 0C ADD ESP,0C
0045566B . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
0045566E . 8BCE MOV ECX,ESI
00455670 . 68 FFFFFF00 PUSH 0FFFFFF
00455675 . 50 PUSH EAX
00455676 . 68 08B64D00 PUSH U3dedit2.004DB608 ; ASCII "UserColor"
0045567B . E8 79960400 CALL U3dedit2.0049ECF9
00455680 . FF45 F0 INC DWORD PTR SS:[EBP-10]
00455683 . 8903 MOV DWORD PTR DS:[EBX],EAX
00455685 . 83C3 04 ADD EBX,4
00455688 . 837D F0 10 CMP DWORD PTR SS:[EBP-10],10
0045568C .^ 7C C8 JL SHORT U3dedit2.00455656
0045568E . 6A 01 PUSH 1
00455690 . 68 E0B44D00 PUSH U3dedit2.004DB4E0 ; ASCII "FirstRun001"
00455695 . 57 PUSH EDI
00455696 . 8BCE MOV ECX,ESI
00455698 . E8 5C960400 CALL U3dedit2.0049ECF9
0045569D . 85C0 TEST EAX,EAX
0045569F . 0F84 A4000000 JE U3dedit2.00455749
004556A5 . 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
004556AB . 68 04010000 PUSH 104 ; /BufSize = 104 (260.)
004556B0 . 50 PUSH EAX ; |Buffer
004556B1 . FF15 606C4E00 CALL DWORD PTR DS:[<&kernel32.GetSystemD>; \GetSystemDirectoryA
004556B7 . 85C0 TEST EAX,EAX
004556B9 . 74 7C JE SHORT U3dedit2.00455737
004556BB . 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
004556C1 . 50 PUSH EAX
004556C2 . E8 896F0100 CALL U3dedit2.0046C650
004556C7 . 80BC05 B3FEFF>CMP BYTE PTR SS:[EBP+EAX-14D],5C
004556CF . 59 POP ECX
004556D0 . 74 10 JE SHORT U3dedit2.004556E2
004556D2 . C68405 B4FEFF>MOV BYTE PTR SS:[EBP+EAX-14C],5C
004556DA . 80A405 B5FEFF>AND BYTE PTR SS:[EBP+EAX-14B],0
004556E2 > 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
004556E8 . 68 C4B64D00 PUSH U3dedit2.004DB6C4 ; ASCII "DKRNL.JAX"
004556ED . 50 PUSH EAX
004556EE . E8 ED560100 CALL U3dedit2.0046ADE0
004556F3 . 59 POP ECX
004556F4 . 33DB XOR EBX,EBX
004556F6 . 59 POP ECX
004556F7 . 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
004556FD . 53 PUSH EBX ; /hTemplateFile => NULL
004556FE . 53 PUSH EBX ; |Attributes => 0
004556FF . 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
00455701 . 53 PUSH EBX ; |pSecurity => NULL
00455702 . 53 PUSH EBX ; |ShareMode => 0
00455703 . 53 PUSH EBX ; |Access => 0
00455704 . 50 PUSH EAX ; |FileName
00455705 . FF15 4C6C4E00 CALL DWORD PTR DS:[<&kernel32.CreateFile>; \CreateFileA
0045570B . 83F8 FF CMP EAX,-1
0045570E . 75 1E JNZ SHORT U3dedit2.0045572E
00455710 . 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
00455716 . 50 PUSH EAX ; /FileName
00455717 . 68 C0B64D00 PUSH U3dedit2.004DB6C0 ; |String = "1"
0045571C . 68 B4B64D00 PUSH U3dedit2.004DB6B4 ; |Key = "RUNFIRST"
00455721 . 68 A8B64D00 PUSH U3dedit2.004DB6A8 ; |Section = "CHECKRUN"
00455726 . FF15 506C4E00 CALL DWORD PTR DS:[<&kernel32.WritePriva>; \WritePrivateProfileStringA
0045572C . EB 0B JMP SHORT U3dedit2.00455739
0045572E > 50 PUSH EAX ; /hObject
0045572F . FF15 546C4E00 CALL DWORD PTR DS:[<&kernel32.CloseHandl>; \CloseHandle
00455735 . EB 02 JMP SHORT U3dedit2.00455739
00455737 > 33DB XOR EBX,EBX
00455739 > 53 PUSH EBX ; /Arg3
0045573A . 68 E0B44D00 PUSH U3dedit2.004DB4E0 ; |Arg2 = 004DB4E0 ASCII "FirstRun001"
0045573F . 57 PUSH EDI ; |Arg1
00455740 . 8BCE MOV ECX,ESI ; |
00455742 . E8 4FE90300 CALL U3dedit2.00494096 ; \U3dedit2.00494096
00455747 . EB 02 JMP SHORT U3dedit2.0045574B
00455749 > 33DB XOR EBX,EBX
0045574B > FF15 54714E00 CALL DWORD PTR DS:[<&about.InitAboutDll>>; about.InitAboutDll
00455751 . 85C0 TEST EAX,EAX
00455753 . 0F84 0D030000 JE U3dedit2.00455A66
00455759 . FF76 68 PUSH DWORD PTR DS:[ESI+68]
0045575C . FF15 48714E00 CALL DWORD PTR DS:[<&about.IsFullVersion>; about.IsFullVersion
00455762 . F7D8 NEG EAX
00455764 . 1BC0 SBB EAX,EAX
00455766 . 59 POP ECX
00455767 . 40 INC EAX
00455768 . 8986 C0000000 MOV DWORD PTR DS:[ESI+C0],EAX ; this memory flag is also checked when the program exits, so the better patch is to make the flag stored here correct
0045576E . 74 0E JE SHORT U3dedit2.0045577E ; forcing the jump here is enough for start-up
00455770 . FF15 4C714E00 CALL DWORD PTR DS:[<&about.CheckTimeLimi>; about.CheckTimeLimit
00455776 . 85C0 TEST EAX,EAX
00455778 . 0F84 E8020000 JE U3dedit2.00455A66
0045577E > 8DBE E8000000 LEA EDI,DWORD PTR DS:[ESI+E8]
Changing 0045576E directly into an unconditional jump removes the NAG window at program start-up, but the NAG window still appears when the program exits, so the code above is modified as follows:
00455762 90 NOP
00455763 90 NOP
00455764 1BC0 SBB EAX,EAX
00455766 59 POP ECX
00455767 90 NOP
00455768 . 8986 C0000000 MOV DWORD PTR DS:[ESI+C0],EAX
which gives a complete patch with no NAG window at start-up or exit.
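To make the comment at 00455768 easier to follow, here is an added example (not part of the original post) that emulates the unmodified instruction sequence at 00455762-0045576E in C, flag by flag. The input is assumed to be the return value of about.IsFullVersion (non-zero meaning "full version"); the struct and function names are the example's own. It shows that the value written to [ESI+C0] is 1 for a trial copy and 0 for a full copy, and that the JE at 0045576E uses the ZF left by INC, which is why a single flag decides both the start-up check and the later exit-time check.

```c
#include <stdint.h>
#include <stdio.h>

/* Result of running the sequence once: the dword stored to [ESI+C0]
 * and whether the JE SHORT at 0045576E is taken (skipping CheckTimeLimit). */
struct nag_check_result {
    uint32_t flag;            /* value written to [ESI+C0] */
    int      skip_time_limit; /* 1 if JE is taken, 0 if CheckTimeLimit runs */
};

/* Emulates:  NEG EAX / SBB EAX,EAX / POP ECX / INC EAX /
 *            MOV [ESI+C0],EAX / JE SHORT ...
 * eax_in is the hypothetical return value of about.IsFullVersion. */
struct nag_check_result emulate_nag_check(uint32_t eax_in)
{
    uint32_t eax = eax_in;
    int cf, zf;

    /* NEG EAX: CF is set iff the operand was non-zero; EAX = -EAX */
    cf  = (eax != 0);
    eax = (uint32_t)(0u - eax);

    /* SBB EAX,EAX: EAX - EAX - CF == -CF, i.e. 0 or 0xFFFFFFFF */
    eax = (uint32_t)(0u - (uint32_t)cf);

    /* POP ECX does not touch flags or EAX */

    /* INC EAX: ZF reflects the new value; CF is left unchanged */
    eax += 1u;
    zf = (eax == 0u);

    /* MOV [ESI+C0],EAX writes the flag without changing flags;
     * JE at 0045576E therefore tests the ZF produced by INC */
    struct nag_check_result r;
    r.flag = eax;
    r.skip_time_limit = zf;
    return r;
}

int main(void)
{
    uint32_t samples[] = { 0u, 1u, 0x80000000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct nag_check_result r = emulate_nag_check(samples[i]);
        printf("IsFullVersion=%08X -> [ESI+C0]=%u, CheckTimeLimit %s\n",
               samples[i], r.flag, r.skip_time_limit ? "skipped" : "called");
    }
    return 0;
}
```

Reading the result: the flag at [ESI+C0] is effectively an "is trial" boolean derived once from IsFullVersion, and every later NAG decision (including the one on exit) reads that stored value rather than re-asking the DLL.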