【Unpacked file】EPSON printer utility (SSC Service Utility)
【Download】http://www.ssclg.com/download/sscserve.exe
【Packer】ASProtect 2.1x SKE -> Alexey Solodovnikov
【Author's note】: Done purely out of interest, with no other purpose. Corrections from the experts are welcome.
【Debugging environment】: Win2003, OllyDbg, PEiD, LordPE, ImportREC
【Unpacking walkthrough】: While browsing the forum recently I ran across this program. Having studied ASPR for ages and lacking a soft target to practice on, I followed the usual recipe and wrote these notes for fellow newbies.
I. Bypass the encryption and obtain a complete IAT
In OD, ignore all exceptions except INT3 (note: leave "Ignore also following custom exceptions" unchecked). After passing two exceptions, set a memory breakpoint on the CODE section and you land here:
Code:--------------------------------------------------------------------------------
004B09F0 55 PUSH EBP
004B09F1 8BEC MOV EBP,ESP
004B09F3 83C4 F0 ADD ESP,-10
004B09F6 B8 40074B00 MOV EAX,ssc_serv.004B0740
004B09FB E8 7C5CF5FF CALL ssc_serv.0040667C
004B0A00 A1 70744B00 MOV EAX,DWORD PTR DS:[4B7470]
004B0A05 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B0A07 E8 D43FFBFF CALL ssc_serv.004649E0
004B0A0C A1 70744B00 MOV EAX,DWORD PTR DS:[4B7470]
004B0A11 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B0A13 BA 800A4B00 MOV EDX,ssc_serv.004B0A80 ; ASCII "SSC Service Utility"
004B0A18 E8 BB3BFBFF CALL ssc_serv.004645D8
004B0A1D 8B0D C0754B00 MOV ECX,DWORD PTR DS:[4B75C0] ; ssc_serv.004BC344
004B0A23 A1 70744B00 MOV EAX,DWORD PTR DS:[4B7470]
004B0A28 8B00 MOV EAX,DWORD PTR DS:[EAX]
--------------------------------------------------------------------------------
Search for FF 25
and you find this:
0040121C - FF25 00D24B00 JMP DWORD PTR DS:[4BD200] ; kernel32.CloseHandle
Follow 4BD200 in the data window and look at the table:
Code:--------------------------------------------------------------------------------
004BD154 7C96AE65 ntdll.RtlDeleteCriticalSection
004BD158 7C95F2FC ntdll.RtlLeaveCriticalSection
004BD15C 7C95F337 ntdll.RtlEnterCriticalSection
004BD160 7C8284E0 kernel32.InitializeCriticalSection
004BD164 7C828CFC kernel32.VirtualFree
004BD168 7C82BEC9 kernel32.VirtualAlloc
004BD16C 7C82BC09 kernel32.LocalFree
004BD170 7C82BB92 kernel32.LocalAlloc
004BD174 7C82BB6D kernel32.GetTickCount
004BD178 5358C7CE
004BD17C 7C82C07F kernel32.GetVersion
004BD180 44481099
004BD184 7C82B44F kernel32.InterlockedDecrement
004BD188 7C82B43B kernel32.InterlockedIncrement
004BD18C 7C818EA7 kernel32.VirtualQuery
004BD190 7C82DC10 kernel32.WideCharToMultiByte
004BD194 7C82BC7C kernel32.MultiByteToWideChar
004BD198 CDFA8D2A
004BD19C 7C817702 kernel32.lstrcpynA
004BD1A0 F92B6CBC
004BD1A4 21D669D5
004BD1A8 F915B282
--------------------------------------------------------------------------------
The import table is encrypted: some slots hold garbage instead of API addresses. Restart the program, this time without ignoring memory-access violations (still ignoring the other exceptions). After roughly fourteen exceptions, search the referenced strings and locate the CALL that reaches the IAT processing.
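The two manual checks above, searching the code section for FF 25 thunks and eyeballing the data window for IAT slots that do not resolve to a module, can be automated. The script below is an added example and not code from the original post or from the SSC utility. The code buffer, the IAT bytes and the kernel32/ntdll address ranges are constructed from the addresses shown in the dumps above; on a real target the module ranges come from the debugger's module list.

```python
"""Locate JMP [IAT slot] thunks and flag IAT slots that resolve to no loaded module.

Added example, not part of the original write-up. Module ranges and the
byte buffers below are constructed from the addresses shown in the dumps.
"""
import struct

# Constructed module address ranges (assumed for this example; on a real
# target read them from the debugger's module window or the PEB loader list).
MODULES = {
    "kernel32": (0x7C800000, 0x7C900000),
    "ntdll":    (0x7C900000, 0x7CA00000),
}

# Constructed code bytes: NOP padding around the thunk from the write-up,
# FF 25 00 D2 4B 00 = JMP DWORD PTR DS:[4BD200], placed so it sits at VA 0040121C.
CODE_BASE = 0x00401210
CODE_SAMPLE = b"\x90" * 0xC + b"\xFF\x25\x00\xD2\x4B\x00" + b"\x90" * 6

# Constructed IAT bytes: the 22 dwords of the data-window dump starting at 004BD154.
IAT_BASE = 0x004BD154
IAT_VALUES = [
    0x7C96AE65, 0x7C95F2FC, 0x7C95F337, 0x7C8284E0, 0x7C828CFC, 0x7C82BEC9,
    0x7C82BC09, 0x7C82BB92, 0x7C82BB6D, 0x5358C7CE, 0x7C82C07F, 0x44481099,
    0x7C82B44F, 0x7C82B43B, 0x7C818EA7, 0x7C82DC10, 0x7C82BC7C, 0xCDFA8D2A,
    0x7C817702, 0xF92B6CBC, 0x21D669D5, 0xF915B282,
]
IAT_SAMPLE = b"".join(struct.pack("<I", v) for v in IAT_VALUES)


def find_jmp_thunks(code, base):
    """Return (thunk_va, slot_va) for every FF 25 disp32 (JMP DWORD PTR [disp32]) in code."""
    thunks = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x25:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            thunks.append((base + i, slot))
            i += 6
        else:
            i += 1
    return thunks


def parse_iat(raw, base):
    """Split a raw IAT dump into {slot_va: dword}, ignoring a trailing partial dword."""
    return {base + off: struct.unpack_from("<I", raw, off)[0]
            for off in range(0, len(raw) - len(raw) % 4, 4)}


def resolve_module(value, modules=MODULES):
    """Name of the module whose range contains value, or None if it points nowhere known."""
    for name, (lo, hi) in modules.items():
        if lo <= value < hi:
            return name
    return None


def encrypted_slots(iat, modules=MODULES):
    """Slots whose dword falls in no known module: the entries the packer encrypted."""
    return [slot for slot, value in sorted(iat.items())
            if resolve_module(value, modules) is None]


if __name__ == "__main__":
    for thunk, slot in find_jmp_thunks(CODE_SAMPLE, CODE_BASE):
        print(f"{thunk:08X}  JMP DWORD PTR DS:[{slot:08X}]")
    iat = parse_iat(IAT_SAMPLE, IAT_BASE)
    for slot in encrypted_slots(iat):
        print(f"{slot:08X}  {iat[slot]:08X}  <- resolves to no module, needs fixing")
```

The byte scan carries the same caveat as OD's "search FF 25": it matches those two bytes wherever they occur, including inside unrelated instructions, so confirm each hit against the disassembly. Slots that point into memory the packer allocated (the 00E7xxxx region where the later listings execute) also show up as unresolved, which is the behaviour you want when deciding which entries still need repair.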
Code:--------------------------------------------------------------------------------
00E7EBF6 /EB 0A JMP SHORT 00E7EC02
00E7EBF8 |68 E8F4E700 PUSH 0E7F4E8 ; ASCII "85
00E7EBFD |E8 2A62FEFF CALL 00E64E2C
00E7EC02 A1 1C37E800 MOV EAX,DWORD PTR DS:[E8371C]
00E7EC07 8B00 MOV EAX,DWORD PTR DS:[EAX]
00E7EC09 E8 0A8CFFFF CALL 00E77818 // step into here!
00E7EC0E 84C0 TEST AL,AL
00E7EC10 75 0A JNZ SHORT 00E7EC1C
00E7EC12 68 E8F4E700 PUSH 0E7F4E8 ; ASCII "85
--------------------------------------------------------------------------------
After stepping in, find the CALL that handles the IAT:
Code:--------------------------------------------------------------------------------
00E77916 50 PUSH EAX
00E77917 56 PUSH ESI
00E77918 E8 9BFCFFFF CALL 00E775B8 <<<<---- step into here
--------------------------------------------------------------------------------
Once inside this one, the comparisons begin, so this is where the patching starts:
Code:--------------------------------------------------------------------------------
00E775B8 55 PUSH EBP
00E775B9 8BEC MOV EBP,ESP
00E775BB 81C4 F8FEFFFF ADD ESP,-108
00E775C1 53 PUSH EBX
00E775C2 56 PUSH ESI
00E775C3 57 PUSH EDI
00E775C4 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
00E775C7 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
00E775CA 8DBD FAFEFFFF LEA EDI,DWORD PTR SS:[EBP-106]
00E775D0 8BC2 MOV EAX,EDX
00E775D2 48 DEC EAX
00E775D3 83E8 02 SUB EAX,2
00E775D6 0FB630 MOVZX ESI,BYTE PTR DS:[EAX]
00E775D9