好友
阅读权限30
听众
最后登录1970-1-1
|
无闻无问
发表于 2020-7-5 19:17
本帖最后由 无闻无问 于 2020-7-5 20:17 编辑
看到大神发了个成品:
https://www.52pojie.cn/thread-1213158-1-1.html
我也把手中以前分析的记录笔记晒出来......希望能给需要的朋友一些参考。以前分析时的笔记,因为时间久远,故思路这些已经模糊了,故不提供细节解释,望谅解!
如果有违规,请删帖,或联系我删帖…………
〓〓〓〓〓〓〓〓〓〓〓〓 一、x86分析 〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
在win7使用OD,2.0跟踪,很长时间近20分钟左右,命令达26161395行汇编,记录后的文件达2.37GB……
载入有异常断点,下断,将int3 nop
0054C0D4 cc int3
0054C0D5 > e80d050000 call 0x54c5e7
vmp区段:
Memory map, 条目 25
地址=005FA000
大小=000BE000 (778240.)
属主=EverEdit 00400000
区段=.vmp0
类型=Imag 01001002
访问=R
初始访问=RWE
暂停法,堆栈回溯:
004D00F0 e83bebf4ff call 0x41ec30 ; 注册按钮事件
004D00F5 837d1000 cmp dword ptr [ebp + 0x10], 0
可疑地址:
00674C5C 主 not eax ; EAX=00000040
00674C5E 主 clc
00674C5F 主 cmp si, 0x6502 ; FL=CS
00674C64 主 not ecx ; ECX=FFFFFDB9
00674C66 主 jmp 0x668add
00668ADD 主 and eax, ecx ; FL=PZ, EAX=00000000
------------------
006ADD80 主 not eax ; EAX=00000040
006ADD82 主 clc ; FL=P
006ADD83 主 not ecx ; ECX=00000202
006ADD85 主 stc ; FL=CP
006ADD86 主 jmp 0x64a723
0064A723 主 and eax, ecx ; FL=PZ, EAX=00000000 计算长度
0067EFAE 8dad04000000 lea ebp, dword ptr [ebp + 4] ; 保存假码长度
0067EFB4 85e8 test ebp, eax ; 长度是否是1C,即28位
打开跟踪文件,因为大于2GB,需要用everEdit64位才能打开,搜索全部:eax=00000040,从下往上<20万为关键,最接近最后一个跳转的Handle……
从搜索结果中,从下入上,找not xx 的语句, eax=00000040,第2个就是
=====================================temp=====================================================
eax==0x00000040 && ecx==0x00000246
主要 006776C4 NOT EAX EAX=00000040
主要 006776C6 NOT ECX ECX=00000246
主要 006776C8 CLC
主要 006776C9 TEST SP,DX
主要 006776CC AND EAX,ECX
===========================================================================★★★菜单中注册关键判断--20200123成功★★★====================================
===========================================================================================================================================================
下条件断点:eax==0x00000040 && ecx==0xFFFFFDB9
0065553C 8B4425 00 mov eax,dword ptr ss:[ebp]
00655540 8B4C25 04 mov ecx,dword ptr ss:[ebp+0x4]
00655544 F7D0 not eax
00655546 F5 cmc
00655547 F9 stc
00655548 F7D1 not ecx
0065554A F9 stc
0065554B 81FE 0C07AE74 cmp esi,0x74AE070C ; 00655551断下:eax=0x40,ecx=0xFFFFFDB9,edx=0xA9可变,ebx=FF904621,esi=0064B75D,edi=0065553C
00655551 > 23C1 and eax,ecx ; //(原值eax==0x40,ecx=0xFFFFFDB9)将ecx改为0xFFFFFDE9,或单步执行本条命名后,将eax=0修改为0x40
00655553 ^ E9 D1DEFDFF jmp EverEdit.00633429
===========================================================================================================================================================
===========================================================================================================================================================
===========================================================================★★★ 重启验证---20200124成功 ★★★=====================================
===========================================================================================================================================================
重载程序,单步跟踪几下,找到进入VM地方:
*****进VM*****
00420DE3 . 53 push ebx
00420DE4 . 57 push edi
00420DE5 . 68 D8CC5700 push EverEdit.0057CCD8
00420DEA . 898D D8FBFFFF mov dword ptr ss:[ebp-0x428],ecx
00420DF0 . C785 DCFBFFFF 00000000 mov dword ptr ss:[ebp-0x424],0x0
00420DFA . C785 E0FBFFFF 00000000 mov dword ptr ss:[ebp-0x420],0x0
00420E04 . C785 E4FBFFFF 00000000 mov dword ptr ss:[ebp-0x41C],0x0
00420E0E .- E9 D2082100 jmp EverEdit.006316E5 ; 进入VM
*****出VM*****
0042129B . 8B8D D8FBFFFF mov ecx,dword ptr ss:[ebp-0x428] ; 出VM
004212A1 . 6A 01 push 0x1
004212A3 . C641 0D 00 mov byte ptr ds:[ecx+0xD],0x0
004212A7 . 8B01 mov eax,dword ptr ds:[ecx] ; EverEdit.00589498
004212A9 . FF10 call dword ptr ds:[eax]
004212AB . 8D8D DCFBFFFF lea ecx,dword ptr ss:[ebp-0x424]
004212B1 . E8 6A46FEFF call EverEdit.00405920
004212B6 . 8B4D FC mov ecx,dword ptr ss:[ebp-0x4] ; EverEdit.004EFA5B
004212B9 . 33C0 xor eax,eax
004212BB . 5F pop edi ; EverEdit.004EFA5B
004212BC . 33CD xor ecx,ebp
004212BE . 5B pop ebx ; EverEdit.004EFA5B
004212BF . E8 C7A31200 call EverEdit.0054B68B
004212C4 . 8BE5 mov esp,ebp
004212C6 . 5D pop ebp ; EverEdit.004EFA5B
004212C7 . C3 retn
分别进出VM的地方下断点,方便跟踪记录:
在进入VM入口的地方,断下后,使用OD2进入跟踪,设置只跟踪记录主程序,记录修改的寄存器。
跟踪共计40026行代码,查找全部:00000040,筛选,可疑处有:
7. (0 006A66D0 NOT EAX EAX=00000040
7. (0 006A66D2 NOT ECX ECX=00000000
7. (0 006A66D4 AND EAX,ECX EAX=00000000
7. (0 0060BBA1 NOT EAX EAX=00000040
7. (0 0060BBA3 JMP 0063172F
7. (0 0063172F NOT ECX ECX=FFFFFFBB
7. (0 00631731 TEST BX,693A
7. (0 00631736 AND EAX,ECX EAX=00000000
7. (0 00651EDA NOT EAX EAX=00000040
7. (0 00651EDC TEST BX,0BDC
7. (0 00651EE1 STC
7. (0 00651EE2 NOT ECX ECX=00000206
7. (0 00651EE4 JMP 00608443
7. (0 00608443 AND EAX,ECX EAX=00000000
7. (0 006870E6 NOT EAX EAX=00000040
7. (0 006870E8 NOT ECX ECX=00000246
7. (0 006870EA CMP EBX,ESP
7. (0 006870EC CMC
7. (0 006870ED JMP 006508FE
7. (0 006508FE AND EAX,ECX
有些是点帮助中,关于时,会断下……,或以下1、2处验证未通过才会断下……
分别下条件断点,就两处断下,其实只有一处,另一处就是菜单中的注册判断的验证:
eax==0x40
1--->
006508F4 /E9 B62A0300 jmp EverEdit.006833AF
006508F9 ^|E9 D612FEFF jmp EverEdit.00631BD4 ; 006508FE断下:eax=0x40,ecx=0x246,edx=0x2,ebx=005FC885,esi=005FC83E,edi=006870D2
006508FE > |23C1 and eax,ecx ; //(原值eax==0x40,ecx=0x246)将eax改为0,或单步执行本条命名后,将eax=40修改为0
00650900 |E9 A92D0000 jmp EverEdit.006536AE
00650905 |03F8 add edi,eax
00650907 ^|E9 354BFBFF jmp EverEdit.00605441
2--->
00655544 F7D0 not eax
00655546 F5 cmc
00655547 F9 stc
00655548 F7D1 not ecx
0065554A F9 stc
0065554B 81FE 0C07AE74 cmp esi,0x74AE070C ; 00655551断下:eax=0x40,ecx=0xFFFFFD68,edx=0x2,ebx=FF98A5E3,esi=006252C7,edi=0065553C
00655551 > 23C1 and eax,ecx ; //(原值eax==0x40,ecx=0xFFFFFD68)将eax改为0,或单步执行本条命名后,将eax=40修改为0
00655553 ^ E9 D1DEFDFF jmp EverEdit.00633429
1:
eax==0x00000040 && ecx==0x00000246
2.
eax==0x00000040 && ecx==0xFFFFFD68
条件断下后,均修改eax=0即可
===========◆◆◆◆◆参考修改代码◆◆◆◆◆=======================================================================================================
没有处理,菜单帮助--关于--输入注册码的验证,如果要处理需要加入处理的代码。
hook 1
原:
006508FE 23C1 and eax,ecx
00650900 E9 A92D0000 jmp EverEdit.006536AE
修改:
006508FE 90 nop
006508FF 90 nop
00650900 - E9 BC90F2FF jmp EverEdit.005799C1
hook 2
原:
00655551 23C1 and eax,ecx
00655553 ^ E9 D1DEFDFF jmp EverEdit.00633429
修改:
00655551 90 nop
00655552 90 nop
00655553 - E9 8344F2FF jmp EverEdit.005799DB
hook补丁代码
005799C1 83F8 40 cmp eax,0x40 ; hook 1
005799C4 75 0D jnz short EverEdit.005799D3
005799C6 81F9 46020000 cmp ecx,0x246
005799CC 75 05 jnz short EverEdit.005799D3
005799CE B8 00000000 mov eax,0x0
005799D3 21C8 and eax,ecx
005799D5 - E9 D49C0D00 jmp EverEdit.006536AE
005799DA 90 nop
005799DB 83F8 40 cmp eax,0x40 ; hook 2
005799DE 75 0D jnz short EverEdit.005799ED
005799E0 81F9 68FDFFFF cmp ecx,-0x298
005799E6 75 05 jnz short EverEdit.005799ED
005799E8 B8 00000000 mov eax,0x0
005799ED 21C8 and eax,ecx
005799EF - E9 359A0B00 jmp EverEdit.00633429
解决点击“帮助-关于”时,(大约1个月试用期)提示使用已经过期,点确定后自动退出程序……
eax=0x40,ecx=0x202修改202为246即可
hook 补丁代码更改如下:
hook 1和hook2 ,jmp语句修正到下面的,jmp 005799BD 和 jmp 005799D6
005799BD . 83F8 40 cmp eax,0x40 ; hook 1
005799C0 . 75 0D jnz short EverEdit.005799CF
005799C2 . 81F9 46020000 cmp ecx,0x246
005799C8 . 75 05 jnz short EverEdit.005799CF
005799CA . B8 00000000 mov eax,0x0
005799CF > 21C8 and eax,ecx
005799D1 .- E9 D89C0D00 jmp EverEdit.006536AE
005799D6 . 83F8 40 cmp eax,0x40 ; hook 2
005799D9 . 75 1C jnz short EverEdit.005799F7
005799DB . 81F9 68FDFFFF cmp ecx,-0x298
005799E1 . 75 07 jnz short EverEdit.005799EA
005799E3 . B8 00000000 mov eax,0x0
005799E8 . EB 0D jmp short EverEdit.005799F7
005799EA > 81F9 02020000 cmp ecx,0x202
005799F0 . 75 05 jnz short EverEdit.005799F7
005799F2 . B9 46020000 mov ecx,0x246
005799F7 > 21C8 and eax,ecx
005799F9 .- E9 2B9A0B00 jmp EverEdit.00633429
〓〓〓〓〓〓〓〓〓〓〓〓 二、x64分析 〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
x64dbg分析:
1.跟踪重启验证的VM入口、出口。
查看vmp区段大小,加自动步过条件:
rip >= 000000014028F000 && rip <= 000000014043000
最好的方法是,在vmp区段下访问断点,运行,断下后(可能会多次),堆栈回溯即可定位大致位置……
0000000140027BBB | 4C:897424 38 | mov qword ptr ss:[rsp+0x38],r14 |
0000000140027BC0 | 4C:897424 40 | mov qword ptr ss:[rsp+0x40],r14 |
0000000140027BC5 | E9 9DC33A00 | jmp everedit.1403D3F67 | vm入口
...............................
0000000140028082 | 44:8876 19 | mov byte ptr ds:[rsi+0x19],r14b | vm出口
0000000140028086 | BA 01000000 | mov edx,0x1 |
000000014002808B | 48:8B06 | mov rax,qword ptr ds:[rsi] |
000000014002808E | 48:8BCE | mov rcx,rsi |
0000000140028091 | FF10 | call qword ptr ds:[rax] |
0000000140028093 | 48:8B5C24 38 | mov rbx,qword ptr ss:[rsp+0x38] |
0000000140028098 | 48:85DB | test rbx,rbx |
000000014002809B | 74 46 | je everedit.1400280E3 |
000000014002809D | 8B4424 40 | mov eax,dword ptr ss:[rsp+0x40] |
00000001400280A1 | 85C0 | test eax,eax |
00000001400280A3 | 7E 34 | jle everedit.1400280D9 |
00000001400280A5 | 8BF8 | mov edi,eax |
00000001400280A7 | 66:0F1F8400 00000000 | nop word ptr ds:[rax+rax],ax |
00000001400280B0 | 48:8B13 | mov rdx,qword ptr ds:[rbx] | rdx:L"License"
00000001400280B3 | B8 FFFFFFFF | mov eax,0xFFFFFFFF |
00000001400280B8 | 48:83EA 18 | sub rdx,0x18 | rdx:L"License"
00000001400280BC | F0:0FC142 10 | lock xadd dword ptr ds:[rdx+0x10],eax |
00000001400280C1 | 83E8 01 | sub eax,0x1 |
00000001400280C4 | 7F 09 | jg everedit.1400280CF |
00000001400280C6 | 48:8B0A | mov rcx,qword ptr ds:[rdx] | rdx:L"License"
跟踪--步进直到条件满足
1:
rax==0x0000000000000040 && rcx==0x0000000000000246
2.
rax==0x0000000000000040 && rcx==0x00000000FFFFFD68
条件断下后,均修改eax=0即可
综合条件:
(rax==0x0000000000000040 && rcx==0x0000000000000246) || (rax==0x0000000000000040 && rcx==0xFFFFFFFFFFFFFD68)
大致得到以下结果:
1.
0000000140300032 | 48:8B4C25 00 | mov rcx,qword ptr ss:[rbp] |
0000000140300037 | 48:81C5 08000000 | add rbp,0x8 |
2.
00000001402FB9C7 | 48:F7D0 | not rax |
00000001402FB9CA | F9 | stc |
00000001402FB9CB | 6644:3BF3 | cmp r14w,bx |
00000001402FB9CF | E9 00000000 | jmp everedit.1402FB9D4 |
00000001402FB9D4 | 48:F7D1 | not rcx |
00000001402FB9D7 | F8 | clc |
00000001402FB9D8 | 48:23C1 | and rax,rcx |
3.
00000001403B1332 | 48:F7D0 | not rax |
00000001403B1335 | 41:84FB | test r11b,dil |
00000001403B1338 | 80FA 66 | cmp dl,0x66 | 66:'f'
00000001403B133B | 48:F7D1 | not rcx |
00000001403B133E | E9 01000000 | jmp everedit.1403B1344 |
00000001403B1343 | F5 | cmc |
00000001403B1344 | 48:23C1 | and rax,rcx |
4.
0000000140355F54 | 48:F7D0 | not rax |
0000000140355F57 | 44:84D8 | test al,r11b |
0000000140355F5A | 41:80FD D5 | cmp r13b,0xD5 |
0000000140355F5E | 48:F7D1 | not rcx |
0000000140355F61 | 48:23C1 | and rax,rcx |
5.
0000000140356433 | 48:F7D0 | not rax |
0000000140356436 | 48:F7D1 | not rcx |
0000000140356439 | 41:3ADE | cmp bl,r14b |
000000014035643C | 48:23C1 | and rax,rcx |
================================确定关键位置====================================================
00000001403B1332 | 48:F7D0 | not rax |
00000001403B1335 | 41:84FB | test r11b,dil |
00000001403B1338 | 80FA 66 | cmp dl,0x66 | 66:'f'
00000001403B133B | 48:F7D1 | not rcx |
00000001403B133E | E9 01000000 | jmp everedit.1403B1344 |
00000001403B1343 | F5 | cmc |
00000001403B1344 | 48:23C1 | and rax,rcx | 此处断下后,将rax,清0即可
第一次断下:rax=0x0000000000000040 rcx=0x0000000000000246 将rax为0
第二次断下:rax=0x0000000000000040 rcx=0xFFFFFFFFFFFFFD68 将rax为0
需要补丁地方:
00000001403B133E | E9 01000000 | jmp everedit.1403B1344 |
00000001403B1343 | F5 | cmc |
00000001403B1344 | 48:23C1 | and rax,rcx | 此处断下后,将rax,清0即可
00000001403B1347 | 48:894425 08 | mov qword ptr ss:[rbp+0x8],rax |
00000001403B134C | 90 | nop |
补丁选用位置----代码区空白地方:
00000001403EA11F | 90 | nop |
.....
00000001403EA1BD | 0000 | add byte ptr ds:[rax],al |
开始打补丁:
*******需要补丁的第1处:
00000001403B133E | E9 DC8D0300 | jmp everedit.1403EA11F | *************jmp 到00000001403EA11F 补丁处
00000001403B1343 | F5 | cmc |
00000001403B1344 | 48:23C1 | and rax,rcx | 此处断下后,将rax,清0即可
00000001403B1347 | 48:894425 08 | mov qword ptr ss:[rbp+0x8],rax |
00000001403B134C | 90 | nop |
00000001403B134D | 48:98 | cdqe |
*******需要补丁的第2处:
00000001403EA11F | 48:83F8 40 | cmp rax,0x40 | 40:'@'
00000001403EA123 | 0F85 1B72FCFF | jne everedit.1403B1344 | rax是不是40
00000001403EA129 | 48:81F9 46020000 | cmp rcx,0x246 |
00000001403EA130 | 75 0A | jne everedit.1403EA13C | 是不是满足第一个判断条件,如果是rax清0,如果不是,再跳转判断是不是满足第二个判断条件。
00000001403EA132 | B8 00000000 | mov eax,0x0 |
00000001403EA137 | E9 0872FCFF | jmp everedit.1403B1344 |
00000001403EA13C | 48:81F9 68FDFFFF | cmp rcx,0xFFFFFFFFFFFFFD68 |
00000001403EA143 | 0F85 FB71FCFF | jne everedit.1403B1344 | 判断是不是满足第2个条件
00000001403EA149 | B8 00000000 | mov eax,0x0 |
00000001403EA14E | E9 F171FCFF | jmp everedit.1403B1344 |
|
|
|
发表于 2020-7-5 19:27
