Manually unpacking EXEs and DLLs packed with HASP Protection V1.X using OllyDbg
UnPacKed By: fly
Software download: ftp://
Driver download: ftp://
Software description:
HASP HL protection and licensing software tools make up the Vendor Center program suite. HASP HL Envelope is one of the three programs included in the Vendor Center. The HASP HL Envelope is a tool that wraps your applications within a protective shield. The tool offers advanced protection features to enhance the overall level of security of your software. Implementing HASP HL Envelope protection is the fastest way to secure your software, and does not require you to alter any source code. You simply use the HASP HL Envelope graphical interface to apply protection parameters to an executable file. In addition, you can modify all protection parameters and customize messages displayed to end-users running the protected applications.
[Author's statement]:
Just out of interest, no other purpose.
Corrections from the experts are welcome where I have slipped up.
[Debugging environment]:
WinXP, OllyDBG, PEiD, LordPE, WinHex
―――――――――――――――――――――――――――――――――
[Unpacking process]:
For now, unpacking a dongle packer is usually not too hard when the dongle is present or when the program can run without one; dongle packers will presumably get stronger in future.
I looked at HASP several years ago; this write-up tidies up those notes.
Of course, a HASP-protected program that needs the dongle to run is beyond me.
Minitab serves as the EXE unpacking example.
What I downloaded from Aladdin's home page is HASP_HL_Envelope V1.30; the EXE in it needs the dongle to run, so haspenv.dll will serve as the DLL example.
The HASP driver files also need to be downloaded and installed; then we can get to work.
A program packed with HASP Protection has a default section named .protect; the PEiD signature can be:
[HASP HL Protection V1.X -> Aladdin]
signature = 55 8B EC 53 56 57 60 8B C4 A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 15 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 83 C4 04 E9 A5 00 00 00 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B 15
ep_only = true
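As an added example (not part of fly's tutorial and not PEiD's own code), here is a small Python matcher that applies a PEiD userdb signature with ?? wildcards at an entry point, the way PEiD does for entries marked ep_only=true. The entry-point bytes are transcribed from the EP listing later in this article; the final seven bytes (the last A3 store and the closing 8B 15) lie past the end of that listing and are constructed filler, as are the padding bytes around the sample and the tampered copy.

```python
"""Added example: apply a PEiD userdb signature (?? = wildcard byte) at an
executable's entry point, as PEiD does for entries marked ep_only=true."""
import re

# The HASP HL Protection V1.X entry quoted in the article, in userdb layout.
HASP_SIGNATURE = (
    "55 8B EC 53 56 57 60 8B C4 A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? "
    "A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 15 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? "
    "83 C4 04 E9 A5 00 00 00 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? "
    "68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B 15"
)


def parse_signature(sig: str) -> list:
    """Turn 'AA ?? BB' into [0xAA, None, 0xBB]; None matches any byte."""
    pattern = []
    for tok in sig.split():
        if tok == "??":
            pattern.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            pattern.append(int(tok, 16))
        else:
            raise ValueError(f"bad signature token: {tok!r}")
    return pattern


def matches_at(data: bytes, offset: int, pattern: list) -> bool:
    """True if pattern matches data at offset; wildcards accept any byte."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def scan(data: bytes, ep_offset: int, sig: str, ep_only: bool = True) -> list:
    """Offsets where sig matches.  With ep_only (PEiD's ep_only=true) the only
    candidate is the entry point; otherwise every offset in data is tried."""
    pattern = parse_signature(sig)
    if ep_only:
        return [ep_offset] if matches_at(data, ep_offset, pattern) else []
    last = len(data) - len(pattern)
    return [o for o in range(last + 1) if matches_at(data, o, pattern)]


# Entry-point bytes transcribed from the article's EP listing (00B9F280 on);
# the operands are the concrete values OllyDbg displayed.
EP_BYTES = bytes.fromhex(
    "55 8BEC 53 56 57 60 8BC4 A3F4FEB900 B818F5B900 2B053CF5B900 A33CF5B900 "
    "833DF0FEB90000 7415 8B0DF4FEB900 51 FF15F0FEB900 83C404 E9A5000000 "
    "68DCFEB900 FF1540FFB900 A3F8F4B900 68E8FEB900 FF1540FFB900 "
    # constructed filler: the listing stops before the final store and the
    # 8B 15 the signature ends with, so a zero address stands in here
    "A300000000 8B15"
)

# Constructed "file": 16 bytes of padding on each side so the entry point is
# not at offset 0 and the ep_only distinction is visible.
SAMPLE_IMAGE = bytes(16) + EP_BYTES + bytes(16)
SAMPLE_EP = 16

# A copy with the pushad (60) at EP+6 replaced by nop: a one-byte change in a
# non-wildcard position is enough to break the signature.
TAMPERED_IMAGE = bytes(16) + EP_BYTES[:6] + b"\x90" + EP_BYTES[7:] + bytes(16)

if __name__ == "__main__":
    print("HASP signature at EP:", scan(SAMPLE_IMAGE, SAMPLE_EP, HASP_SIGNATURE))
    print("tampered sample:", scan(TAMPERED_IMAGE, SAMPLE_EP, HASP_SIGNATURE))
```

The wildcard positions cover exactly the absolute addresses in the stub (the stores to B9FEF4, the image-relative constants, the IAT slots), which is why the same signature fits any program wrapped by this Envelope version even though every build relocates those values.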
Set OllyDBG to ignore all exceptions and use the IsDebug plugin to clear OllyDBG's debugger flag.
―――――――――――――――――――――――――――――――――
I. Manually unpacking a HASP Protection V1.X packed EXE with OllyDBG
The downloaded Minitab V14.20.0.0 has a one-month trial and runs without a dongle.
Potassium has written a tutorial, "Manually_Unpacking_HASP_SL"; why am I writing this one?
Compare the two and you will see.
――――――――――――――――――――――――
1. EP
00B9F280    55                      push ebp
// paused here after loading into OllyDBG
00B9F281    8BEC                    mov ebp,esp
00B9F283    53                      push ebx
00B9F284    56                      push esi
00B9F285    57                      push edi
00B9F286    60                      pushad
00B9F287    8BC4                    mov eax,esp
00B9F289    A3 F4FEB900             mov dword ptr ds:[B9FEF4],eax
00B9F28E    B8 18F5B900             mov eax,Mtb14.00B9F518
00B9F293    2B05 3CF5B900           sub eax,dword ptr ds:[B9F53C]
00B9F299    A3 3CF5B900             mov dword ptr ds:[B9F53C],eax
00B9F29E    833D F0FEB900 00        cmp dword ptr ds:[B9FEF0],0
00B9F2A5    74 15                   je short Mtb14.00B9F2BC
00B9F2A7    8B0D F4FEB900           mov ecx,dword ptr ds:[B9FEF4]
00B9F2AD    51                      push ecx
00B9F2AE    FF15 F0FEB900           call near dword ptr ds:[B9FEF0]
00B9F2B4    83C4 04                 add esp,4
00B9F2B7    E9 A5000000             jmp Mtb14.00B9F361
00B9F2BC    68 DCFEB900             push Mtb14.00B9FEDC                 ; ASCII "kernel32"
00B9F2C1    FF15 40FFB900           call near dword ptr ds:[<&KERNEL32.GetModuleHandleA>]
00B9F2C7    A3 F8F4B900             mov dword ptr ds:[B9F4F8],eax
00B9F2CC    68 E8FEB900             push Mtb14.00B9FEE8                 ; ASCII "user32"
00B9F2D1    FF15 40FFB900           call near dword ptr ds:[<&KERNEL32.GetModuleHandleA>]
――――――――――――――――――――――――
2. Anti
Let's see what anti-tracing this HASP SL has.
BP IsDebuggerPresent
Shift+F9; after the break, remove the breakpoint and return.
00BAA4AC    55                      push ebp
00BAA4AD    8BEC                    mov ebp,esp
00BAA4AF    81EC 9C000000           sub esp,9C
00BAA4B5    53                      push ebx
00BAA4B6    FF15 6CF8BA00           call near dword ptr ds:[<&KERNEL32.IsDebuggerPresent>]
// IsDebuggerPresent check
00BAA4BC    8BD8                    mov ebx,eax
// EAX must of course be 00000000 here
00BAA4BE    85DB                    test ebx,ebx
00BAA4C0    0F85 AC000000           jnz Mtb14.00BAA572
00BAA4C6    57                      push edi
00BAA4C7    90                      nop
00BAA4C8    90                      nop
00BAA4C9    6A 24                   push 24
00BAA4CB    90                      nop
00BAA4CC    59                      pop ecx
00BAA4CD    8DBD 68FFFFFF           lea edi,dword ptr ss:[ebp-98]
00BAA4D3    F3:AB                   rep stos dword ptr es:[edi]
00BAA4D5    90                      nop
00BAA4D6    8D85 64FFFFFF           lea eax,dword ptr ss:[ebp-9C]
00BAA4DC    50                      push eax
00BAA4DD    90                      nop
00BAA4DE    C785 64FFFFFF 9400000>  mov dword ptr ss:[ebp-9C],94
00BAA4E8    FF15 4CF8BA00           call near dword ptr ds:[<&KERNEL32.GetVersionExA>]
00BAA4EE    85C0                    test eax,eax
00BAA4F0    74 7F                   je short Mtb14.00BAA571
00BAA4F2    83BD 74FFFFFF 02        cmp dword ptr ss:[ebp-8C],2
00BAA4F9    75 76                   jnz short Mtb14.00BAA571
00BAA4FB    FF15 48F8BA00           call near dword ptr ds:[<&KERNEL32.GetCurrentProcessId>]
00BAA501    50                      push eax
00BAA502    53                      push ebx
00BAA503    68 00040000             push 400
00BAA508    90                      nop
00BAA509    90                      nop
00BAA50A    90                      nop
00BAA50B    FF15 44F8BA00           call near dword ptr ds:[<&KERNEL32.OpenProcess>]
00BAA511    8BF8                    mov edi,eax
00BAA513    90                      nop
00BAA514    90                      nop
00BAA515    90                      nop
00BAA516    90                      nop
00BAA517    85FF                    test edi,edi
00BAA519    74 56                   je short Mtb14.00BAA571
00BAA51B    68 88FEBA00             push Mtb14.00BAFE88
00BAA520    90                      nop
00BAA521    FF15 50F8BA00           call near dword ptr ds:[<&KERNEL32.GetModuleHandleA>]
00BAA527    85C0                    test eax,eax
00BAA529    74 3F                   je short Mtb14.00BAA56A
00BAA52B    90                      nop
00BAA52C    90                      nop
00BAA52D    68 6CFEBA00             push Mtb14.00BAFE6C
00BAA532    90                      nop
00BAA533    90                      nop
00BAA534    50                      push eax
00BAA535    90                      nop
00BAA536    90                      nop
00BAA537    90                      nop
00BAA538    FF15 3CF8BA00           call near dword ptr ds:[<&KERNEL32.GetProcAddress>]
00BAA53E    85C0                    test eax,eax
00BAA540    74 28                   je short Mtb14.00BAA56A
00BAA542    215D F8                 and dword ptr ss:[ebp-8],ebx
00BAA545    90                      nop
00BAA546    215D FC                 and dword ptr ss:[ebp-4],ebx
00BAA549    8D4D F8                 lea ecx,dword ptr ss:[ebp-8]
00BAA54C    90                      nop
00BAA54D    90                      nop
00BAA54E    90                      nop
00BAA54F    51                      push ecx
00BAA550    6A 04                   push 4
00BAA552    8D4D FC                 lea ecx,dword ptr ss:[ebp-4]
00BAA555    51                      push ecx
00BAA556    6A 07                   push 7
00BAA558    90                      nop
00BAA559    90                      nop
00BAA55A    57                      push edi
00BAA55B    FFD0                    call near eax                       ; ntdll.ZwQueryInformationProcess
// ZwQueryInformationProcess check
00BAA55D    85C0                    test eax,eax
00BAA55F    75 09                   jnz short Mtb14.00BAA56A
00BAA561    90                      nop
00BAA562    3945 FC                 cmp dword ptr ss:[ebp-4],eax
// [ebp-4] should be 00000000
00BAA565    74 03                   je short Mtb14.00BAA56A
// this jump must be taken
00BAA567    90                      nop
00BAA568    90                      nop
00BAA569    43                      inc ebx
00BAA56A    57                      push edi
00BAA56B    FF15 F4F7BA00           call near dword ptr ds:[<&KERNEL32.CloseHandle>]
00BAA571    5F                      pop edi
00BAA572    8BC3                    mov eax,ebx
00BAA574    5B                      pop ebx
00BAA575    90                      nop
00BAA576    C9                      leave
00BAA577    C3                      retn
Since this check is executed many times, we patch directly inside OpenProcess:
7C81E079    33C0                    xor eax,eax
7C81E07B    C2 0C00                 retn 0C
――――――――――――――――――――――――
3. ImportTable
BP VirtualProtect [ESP]<10000000
Shift+F9; the trial dialog appears; click "I want to try MINITAB Release 14".
After the break, remove the breakpoint.
Set the next breakpoint:
BP GetModuleHandleA
Shift+F9; after the break, remove the breakpoint.
Look at the stack and registers:
0012FBAC   00BA3145  /CALL to GetModuleHandleA from Mtb14.00BA3142
0012FBB0   00B0508C  \pModule = "IMM32.dll"

EAX 00B0508C ASCII "IMM32.dll"
ECX 00B0508C ASCII "IMM32.dll"
EDX 00AFDF08 Mtb14.00AFDF08 ★
EBX 00000000
ESP 0012FBAC
EBP 0012FC00
ESI 00BA5C08 Mtb14.00BA5C08
EDI 00BA3FC0 Mtb14.00BA3FC0
EIP 7C80B529 kernel32.GetModuleHandleA
Note that the EDX value is the Import Table VA. Right-click the EDX register, Follow in Dump, and you can see the IID array.
What follows is HASP's processing of the import table.
If we trace on to the OEP and dump there, HASP will have encrypted some of the functions.
At this point HASP has completely decoded the program and has not yet encrypted anything; a dump taken now does not even need ImportREC to repair the import table. This is the best moment to dump!
Run LordPE and do a full dump of the process.
00BA311A    8B45 F4                 mov eax,dword ptr ss:[ebp-C]
00BA311D    83C0 14                 add eax,14
00BA3120    8945 F4                 mov dword ptr ss:[ebp-C],eax
00BA3123    8B4D F4                 mov ecx,dword ptr ss:[ebp-C]
00BA3126    8379 0C 00              cmp dword ptr ds:[ecx+C],0
00BA312A    0F84 2C030000           je Mtb14.00BA345C
00BA3130    8B55 F4                 mov edx,dword ptr ss:[ebp-C]
00BA3133    A1 6452BA00             mov eax,dword ptr ds:[BA5264]
00BA3138    0342 0C                 add eax,dword ptr ds:[edx+C]
00BA313B    8945 FC                 mov dword ptr ss:[ebp-4],eax
00BA313E    8B4D FC                 mov ecx,dword ptr ss:[ebp-4]
00BA3141    51                      push ecx
00BA3142    FF55 E4                 call near dword ptr ss:[ebp-1C]
00BA3145    8945 E0                 mov dword ptr ss:[ebp-20],eax
// returns here after GetModuleHandleA
00BA3148    837D E0 00              cmp dword ptr ss:[ebp-20],0
00BA314C    75 0A                   jnz short Mtb14.00BA3158
00BA314E    8B55 FC                 mov edx,dword ptr ss:[ebp-4]
00BA3151    52                      push edx
00BA3152    FF55 DC                 call near dword ptr ss:[ebp-24]
00BA3155    8945 E0                 mov dword ptr ss:[ebp-20],eax
00BA3158    837D E0 00              cmp dword ptr ss:[ebp-20],0
00BA315C    75 40                   jnz short Mtb14.00BA319E
00BA315E    68 B451BA00             push Mtb14.00BA51B4
00BA3163    68 0052BA00             push Mtb14.00BA5200
00BA3168    E8 FC0C0000             call Mtb14.00BA3E69
00BA316D    83C4 08                 add esp,8
00BA3170    6A 2D                   push 2D
00BA3172    8B45 FC                 mov eax,dword ptr ss:[ebp-4]
00BA3175    50                      push eax
00BA3176    68 0052BA00             push Mtb14.00BA5200
00BA317B    E8 510C0000             call Mtb14.00BA3DD1
00BA3180    83C4 0C                 add esp,0C
00BA3183    68 0052BA00             push Mtb14.00BA5200
00BA3188    6A 1F                   push 1F
00BA318A    6A 00                   push 0
00BA318C    8B0D BC3FBA00           mov ecx,dword ptr ds:[BA3FBC]
00BA3192    FF11                    call near dword ptr ds:[ecx]
00BA3194    B8 03000000             mov eax,3
00BA3199    E9 C0020000             jmp Mtb14.00BA345E
00BA319E    68 2850BA00             push Mtb14.00BA5028
00BA31A3    8B55 FC                 mov edx,dword ptr ss:[ebp-4]
00BA31A6    52                      push edx
00BA31A7    E8 ECFCFFFF             call Mtb14.00BA2E98
00BA31AC    83C4 08                 add esp,8
00BA31AF    F7D8                    neg eax
00BA31B1    1BC0                    sbb eax,eax
00BA31B3    40                      inc eax
00BA31B4    8945 D4                 mov dword ptr ss:[ebp-2C],eax
00BA31B7    8B45 FC                 mov eax,dword ptr ss:[ebp-4]
00BA31BA    50                      push eax
00BA31BB    E8 E50C0000             call Mtb14.00BA3EA5
00BA31C0    83C4 04                 add esp,4
00BA31C3    50                      push eax
00BA31C4    68 8C52BA00             push Mtb14.00BA528C
00BA31C9    8B4D FC                 mov ecx,dword ptr ss:[ebp-4]
00BA31CC    51                      push ecx
00BA31CD    E8 28070000             call Mtb14.00BA38FA
00BA31D2    83C4 0C                 add esp,0C
00BA31D5    8B55 F4                 mov edx,dword ptr ss:[ebp-C]
00BA31D8    A1 6452BA00             mov eax,dword ptr ds:[BA5264]
00BA31DD    0342 10                 add eax,dword ptr ds:[edx+10]
00BA31E0    8945 B8                 mov dword ptr ss:[ebp-48],eax
00BA31E3    8B4D F4                 mov ecx,dword ptr ss:[ebp-C]
00BA31E6    8339 00                 cmp dword ptr ds:[ecx],0
00BA31E9    75 08                   jnz short Mtb14.00BA31F3
00BA31EB    8B55 B8                 mov edx,dword ptr ss:[ebp-48]
00BA31EE    8955 F8                 mov dword ptr ss:[ebp-8],edx
00BA31F1    EB 0E                   jmp short Mtb14.00BA3201
00BA31F3    8B45 F4                 mov eax,dword ptr ss:[ebp-C]
00BA31F6    8B0D 6452BA00           mov ecx,dword ptr ds:[BA5264]
00BA31FC    0308                    add ecx,dword ptr ds:[eax]
00BA31FE    894D F8                 mov dword ptr ss:[ebp-8],ecx
00BA3201    EB 1B                   jmp short Mtb14.00BA321E
00BA3203    8B55 F8                 mov edx,dword ptr ss:[ebp-8]
00BA3206    83C2 04                 add edx,4
00BA3209    8955 F8                 mov dwordp
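To make the loop above concrete, here is an added Python walker (not from the article, and not HASP's or Minitab's code) that does in a raw dump what the listing does in memory: step through the IID array 0x14 bytes at a time, stop at the first descriptor whose Name field at +0xC is zero, and read the thunk array from OriginalFirstThunk (offset 0) when it is non-zero and from FirstThunk (offset 0x10) otherwise. The listing adds the image base held at [BA5264] to each RVA to get a VA; the walker indexes a byte buffer by RVA directly. The sample image, its RVAs and the placeholder resolved addresses are all constructed.

```python
"""Added example: walk an IMAGE_IMPORT_DESCRIPTOR array in a dumped image the
way the HASP loader loop does, and list what each DLL imports."""
import struct

IID_SIZE = 0x14                 # add eax,14 in the listing: one descriptor
OFT_OFF, NAME_OFF, FT_OFF = 0x0, 0xC, 0x10   # [ecx], [edx+C], [edx+10]
IMAGE_ORDINAL_FLAG32 = 0x80000000


def u32(img: bytes, rva: int) -> int:
    """Read a little-endian dword at an RVA of the mapped image."""
    return struct.unpack_from("<I", img, rva)[0]


def cstring(img: bytes, rva: int) -> str:
    """Read a NUL-terminated ASCII string at an RVA."""
    return img[rva:img.index(b"\0", rva)].decode("ascii")


def walk_imports(img: bytes, iid_rva: int) -> dict:
    """Return {dll_name: [import, ...]}; imports are names or 'ordinal#N'.
    Mirrors the listing: stride 0x14, stop when Name == 0, prefer
    OriginalFirstThunk, fall back to FirstThunk, step thunks by 4."""
    result = {}
    rva = iid_rva
    while True:
        name_rva = u32(img, rva + NAME_OFF)
        if name_rva == 0:                      # cmp dword ptr [ecx+C],0
            break
        oft = u32(img, rva + OFT_OFF)
        ft = u32(img, rva + FT_OFF)
        thunk = oft if oft != 0 else ft        # cmp dword ptr [ecx],0
        entries = []
        while True:
            val = u32(img, thunk)
            if val == 0:
                break
            if val & IMAGE_ORDINAL_FLAG32:
                entries.append(f"ordinal#{val & 0xFFFF}")
            else:
                entries.append(cstring(img, val + 2))   # skip the 2-byte hint
            thunk += 4                                   # add edx,4
        result[cstring(img, name_rva)] = entries
        rva += IID_SIZE
    return result


def build_sample_image() -> tuple:
    """Constructed sample: a 0x3000-byte 'mapped module' holding a two-entry
    IID array plus its thunks and strings.  Every RVA here is made up."""
    img = bytearray(0x3000)

    def put_str(rva, s):
        img[rva:rva + len(s) + 1] = s.encode("ascii") + b"\0"

    def put_u32s(rva, vals):
        for i, v in enumerate(vals):
            struct.pack_into("<I", img, rva + 4 * i, v)

    put_str(0x2800, "KERNEL32.dll")
    put_str(0x2810, "USER32.dll")
    # IMAGE_IMPORT_BY_NAME entries: a 2-byte hint (left zero) then the name
    put_str(0x2822, "GetModuleHandleA")
    put_str(0x2842, "GetProcAddress")
    put_str(0x2862, "MessageBoxA")
    # KERNEL32: OriginalFirstThunk keeps the name RVAs while FirstThunk has
    # already been overwritten with (placeholder) resolved addresses
    put_u32s(0x2100, [0x2820, 0x2840, 0])
    put_u32s(0x2200, [0x11111111, 0x22222222, 0])
    # USER32: no OriginalFirstThunk, so FirstThunk still holds the name RVAs;
    # the second entry is an import by ordinal
    put_u32s(0x2300, [0x2860, IMAGE_ORDINAL_FLAG32 | 2, 0])
    # The IID array: OriginalFirstThunk, TimeDateStamp, ForwarderChain,
    # Name, FirstThunk per descriptor, then an all-zero terminator
    put_u32s(0x2000, [0x2100, 0, 0, 0x2800, 0x2200,
                      0,      0, 0, 0x2810, 0x2300,
                      0,      0, 0, 0,      0])
    return bytes(img), 0x2000


if __name__ == "__main__":
    image, iid = build_sample_image()
    for dll, names in walk_imports(image, iid).items():
        print(dll, names)
```

The OriginalFirstThunk-first rule is what makes the dump taken at this breakpoint self-sufficient: as long as the name RVAs are still reachable from each descriptor, a loader (or ImportREC) can rebuild the IAT, which is the property the article says is lost once HASP encrypts part of the table after the OEP.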