2024-10-15 11:12:41 +08:00

7.9 KiB
Raw Blame History

过检测修bug

先晒方法:

*文件偏移
8DD: 80->E3
8DE: 82->E3
8DF: 80->E3
8E0: 85->E3

细节:

EP进来先跳第一个检测

00401007 | E9 03010000          | jmp bugged.40110F                          |

这里会对401000~4010F8代码进行求和校验

0040110F | 60                   | pushad                                     |
00401110 | 33DB                 | xor ebx,ebx                                |
00401112 | B8 00104000          | mov eax,<bugged.OptionalHeader.AddressOfEn |
00401117 | 90                   | nop                                        |
00401118 | 90                   | nop                                        |
00401119 | 90                   | nop                                        |
0040111A | 90                   | nop                                        |
0040111B | 90                   | nop                                        |
0040111C | 90                   | nop                                        |
0040111D | 90                   | nop                                        |
0040111E | 0318                 | add ebx,dword ptr ds:[eax]                 |
00401120 | 83C3 04              | add ebx,4                                  |
00401123 | 83C0 04              | add eax,4                                  |
00401126 | 3D F8104000          | cmp eax,bugged.4010F8                      |
0040112B | 75 EA                | jne bugged.401117                          | 循环0x3E次对EP开头这段进行求和校验
0040112D | 3B1D FA304000        | cmp ebx,dword ptr ds:[4030FA]              | 004030FA:"煼愚"
00401133 | 0F84 D3FEFFFF        | je bugged.40100C                           |
00401139 | 6A 30                | push 30                                    |
0040113B | 68 1C214000          | push bugged.40211C                         | 40211C:"Bad checksum!!"
00401140 | 68 2B214000          | push bugged.40212B                         | 40212B:"A virus or a cracker ;-) has corrupted the program, please reinstall it."
00401145 | 6A 00                | push 0                                     |
00401147 | E8 DCFEFFFF          | call <JMP.&_MessageBoxA@16>                |
0040114C | E9 CEFEFFFF          | jmp bugged.40101F                          |

校验无误后会一路跳:

0040100D | EB 7E                | jmp bugged.40108D                          |

这段好像没啥用:

0040108D | 60                   | pushad                                     |
0040108E | 40                   | inc eax                                    |
0040108F | 48                   | dec eax                                    |
00401090 | 33C9                 | xor ecx,ecx                                | ecx:EntryPoint
00401092 | 83E9 02              | sub ecx,2                                  | ecx:EntryPoint
00401095 | 41                   | inc ecx                                    | ecx:EntryPoint
00401096 | 41                   | inc ecx                                    | ecx:EntryPoint
00401097 | 8BD9                 | mov ebx,ecx                                | ecx:EntryPoint
00401099 | 85DB                 | test ebx,ebx                               |
0040109B | 75 82                | jne bugged.40101F                          |
0040109D | 61                   | popad                                      |
0040109E | EB 37                | jmp bugged.4010D7                          |

接下来是释放最后的检查代码:

004010D7 | 60                   | pushad                                     |
004010D8 | B8 8D104000          | mov eax,bugged.40108D                      |
004010DD | BB C0304000          | mov ebx,4030C0                             |
004010E2 | 33C9                 | xor ecx,ecx                                | ecx:EntryPoint
004010E4 | 8A13                 | mov dl,byte ptr ds:[ebx]                   |
004010E6 | 80C2 02              | add dl,2                                   |
004010E9 | 80F2 75              | xor dl,75                                  |
004010EC | 8810                 | mov byte ptr ds:[eax],dl                   |
004010EE | 40                   | inc eax                                    |
004010EF | 43                   | inc ebx                                    |
004010F0 | 41                   | inc ecx                                    | ecx:EntryPoint
004010F1 | 83F9 3A              | cmp ecx,3A                                 | ecx:EntryPoint, 3A:':'
004010F4 | 75 EE                | jne bugged.4010E4                          | 循环0x3A次释放新的检查代码到上个检查
004010F6 | 61                   | popad                                      |
004010F7 | EB 94                | jmp bugged.40108D                          |

可以看出从4030C0位置开始3A大小内容是被加密的再后面好像是前面的校验值不过用不上

13 44 AC F4 B4 75 FC BC F4 9A 75 11 44 B3 33 FC
AB 3C FC B4 CC 21 73 73 73 80 84 80 83 80 82 80
85 12 1D 33 1B 73 43 33 73 1B 65 43 33 73 1D 73
9B 11 88 88 88 9A 3B 88 88 88

经过解密+0x2xor 0x75,可以得到:

60 33 DB 83 C3 02 8B CB 83 E9 02 66 33 C0 40 8B
D8 4B 8B C3 BB 56 00 00 00 F7 F3 F7 F0 [F7 F1 F7 ←
F2] 61 6A 40 68 00 30 40 00 68 12 30 40 00 6A 00
E8 66 FF FF FF E9 48 FF FF FF

文件先摆着,反正等会儿也要执行这块代码

这是解密的代码

0040108D | 60                   | pushad                                     |
0040108E | 33DB                 | xor ebx,ebx                                |
00401090 | 83C3 02              | add ebx,2                                  |
00401093 | 8BCB                 | mov ecx,ebx                                | ecx:EntryPoint
00401095 | 83E9 02              | sub ecx,2                                  | ecx:EntryPoint
00401098 | 66:33C0              | xor ax,ax                                  |
0040109B | 40                   | inc eax                                    |
0040109C | 8BD8                 | mov ebx,eax                                |
0040109E | 4B                   | dec ebx                                    |
0040109F | 8BC3                 | mov eax,ebx                                |
004010A1 | BB 56000000          | mov ebx,56                                 | 56:'V'
004010A6 | F7F3                 | div ebx                                    |
004010A8 | F7F0                 | div eax                                    |
004010AA | F7F1                 | div ecx                                    | <--
004010AC | F7F2                 | div edx                                    | <--
004010AE | 61                   | popad                                      |
004010AF | 6A 40                | push 40                                    |
004010B1 | 68 00304000          | push bugged.403000                         | 403000:"Congratulations!!"
004010B6 | 68 12304000          | push 403012                                | 403012:"Bug anihilated/destroyed/defated. :p. Coded a little in Masm32 and more in hex editor."
004010BB | 6A 00                | push 0                                     |
004010BD | E8 66FFFFFF          | call <JMP.&_MessageBoxA@16>                |
004010C2 | E9 48FFFFFF          | jmp bugged.40100F                          |

其中004010AA004010AC会出现问题(/0NOP掉

F7 F1 F7 F2这块换成90 90 90 90 (也就是上边解密的二进制内容[]指出部分)

更换后重新加密回去xor 0x75, -0x2,最后可得到

13 44 AC F4 B4 75 FC BC F4 9A 75 11 44 B3 33 FC
AB 3C FC B4 CC 21 73 73 73 80 84 80 83 [E3 E3 E3
E3] 12 1D 33 1B 73 43 33 73 1B 65 43 33 73 1D 73
9B 11 88 88 88 9A 3B 88 88 88

用你的hex编辑器打开exe文件转到文件偏移0x8C0

8DD: 80->E3
8DE: 82->E3
8DF: 80->E3
8E0: 85->E3

(可选) 有时候好像过不去这个文件校验直接Patch成jmp bugged.40100C

00401133 | 0F84 D3FEFFFF        | je bugged.40100C                           |