编程语言

img loleeve

PRTG v3.26 破解手记

发表于2004/9/24 9:23:00  3225人阅读

分类: Programming

XCyber
2004-09-07

软件名称:PRTG v3.26
加壳方式:Armadillo 1.xx - 2.xx
破解工具:Ollydbg,Hiew,ImportREC
软件介绍:PRTG v3.26是windows平台下的MRTG,它利用SNMP协议对网络流量,CPU负载,内存利用率等数据的进行监控,并且生成各种统计图形,Web页面和报表。MRTG使用起来复杂,操作都是命令行格式,需要perl支持,而PRTG提供图形化的向导,方便简单。
软件下载:
http://www.paessler.com/products/prtg

PRTG v3.26是一个标准壳,没有双进程,没有到解密一定页以后就加密原来页。

[1]找oep和Dump方法:
1.Olldby加载prtg3.exe,设bp VirtualProtect,一直按F9或shift + F9,直到堆栈第一次出现如下
0012BAEC    010562F9  /CALL 到 VirtualProtect 来自 010562F7
0012BAF0    00400000  |Address = prtg3.00400000
0012BAF4    00000040  |Size = 40 (64.)
0012BAF8    00000004  |NewProtect = PAGE_READWRITE
0012BAFC    0012BB18  /pOldProtect = 0012BB18
继续按Shift + F9,直到第二次出现与上面一模一样的情况,停下来。一直按Ctrl + F9回到主线程,并不是prtg3.exe领空
0105634F     50                  push eax                        ;<<<<<<返回到这
01056350     F7D0                not eax
01056352     0FC8                bswap eax
01056354     58                  pop eax
01056355     73 00               jnb short 01056357
01056357     9C                  pushfd
01056358     60                  pushad
继续按F8,慢,直到到达下面
0105638B     0FC8                bswap eax
0105638D     F7D1                not ecx
0105638F     0FC8                bswap eax
01056391     F7D1                not ecx
01056393     8B45 F4             mov eax,dword ptr ss:[ebp-C]
01056396     2BDF                sub ebx,edi
01056398     0158 3C             add dword ptr ds:[eax+3C],ebx     ;这句是修改PE的0x3c,把ebx设为0,防止修改PE头
继续F8,到达下面
0105640F     E8 ECABFDFF         call 01031000
01056414     83E0 03             and eax,3
01056417     8D4D F8             lea ecx,dword ptr ss:[ebp-8]
0105641A     40                  inc eax
0105641B     66:0147 06          add word ptr ds:[edi+6],ax        ;这里修改块数,改ax为0
0105641F     E8 DCABFDFF         call 01031000
这样就去掉Armadillo对PE头的修改,继续按Ctrl + F9回到prtg3.exe领空,继续F8,直到返回到这
006670E4    .  8945 E4           mov dword ptr ss:[ebp-1C],eax     ;<<<<<返回到这!
006670E7    .  60                pushad
006670E8    .  33C0              xor eax,eax
006670EA    .  75 02             jnz short prtg3.006670EE
006670EC    .  EB 15             jmp short prtg3.00667103
006670EE    >  EB 33             jmp short prtg3.00667123
006670F0       C0                db C0
006670F1    .  75 18             jnz short prtg3.0066710B
006670F3    .  7A 0C             jpe short prtg3.00667101
006670F5    >  70 0E             jo short prtg3.00667105
006670F7    .  EB 0D             jmp short prtg3.00667106
006670F9       E8                db E8
006670FA       72                db 72                             ;  CHAR 'r'
006670FB       0E                db 0E
006670FC       79                db 79                             ;  CHAR 'y'
006670FD       F1                db F1
006670FE       FF                db FF
006670FF       15                db 15
00667100       00                db 00
继续按F8,这里要小心,好多乱码,不用管他,直到出现第一个call dword ptr ds:[xxxxxxxx],F7进入
006671C9    .  8BC0              mov eax,eax
006671CB    .  6A 00             push 0                            ; /Arg1 = 00000000
006671CD    .  E8 6E000000       call prtg3.00667240               ; /prtg3.00667240
006671D2    .  83C4 04           add esp,4
006671D5    .  6A 00             push 0
006671D7    .  E8 DF2C0100       call prtg3.00679EBB
006671DC    .  83C4 04           add esp,4
006671DF    .  837D E4 01        cmp dword ptr ss:[ebp-1C],1
006671E3    .  75 11             jnz short prtg3.006671F6
006671E5    .  68 C8726900       push prtg3.006972C8
006671EA    .  FF15 EC726900     call dword ptr ds:[6972EC]       ;F7进入
一直F8,直到出现call edi
01057661     E8 1305FFFF         call 01047B79
01057666     50                  push eax
01057667     A1 88900601         mov eax,dword ptr ds:[1069088]
0105766C     8B48 44             mov ecx,dword ptr ds:[eax+44]
0105766F     3348 20             xor ecx,dword ptr ds:[eax+20]
01057672     3348 10             xor ecx,dword ptr ds:[eax+10]
01057675     2BF9                sub edi,ecx
01057677     FFD7                call edi                          ; prtg3.0061A7EC <<<<<<这就是eop!!!
F7进入,在这就可Dump了!


[2]寻找magin jump,还原iat:
1.找到oep后,或者确定iat已经处理完后,启动ImportREC,填入正确的oep,点IAT AutoSearch,看看IAT的第一个地址,这里是22c230
2.重新启动,设bp VirtualProtect,在数据窗口看22c230 + 400000 = 62c230,开始时全是0,然后不断按Ctrl+F9,第一次看到62c230开始变化,这些并不是输入函数地址(应该是索引这类的),这时一直往下拖,看看iat的尾部在哪,当你看到又全是0时(准确是在Kernel32.dll字符串前,假设kernel32.dll的地址是0xaaaaaaaa),那个iat的长度是0xaaaaaaaa - 62c230
3.接着可以在62c230和后面的几个DWORD作硬件写入断点,Ctrl+F9,直到硬件中断到如下
010547D3    /73 1D               jnb short 010547F2
010547D5    |8B85 1CE8FFFF       mov eax,dword ptr ss:[ebp-17E4]
010547DB    |8B8D 80E2FFFF       mov ecx,dword ptr ss:[ebp-1D80]
010547E1    |8908                mov dword ptr ds:[eax],ecx
010547E3    |8B85 1CE8FFFF       mov eax,dword ptr ss:[ebp-17E4]           ; prtg3.0062C230 在这里硬件写入中断
010547E9    |83C0 04             add eax,4
010547EC    |8985 1CE8FFFF       mov dword ptr ss:[ebp-17E4],eax
010547F2   ^/E9 36FDFFFF         jmp 0105452D
然后就细心找Magin jump,一直按F8(记住一定要F8),当看到
010546A6     E8 F434FEFF         call 01037B9F
010546AB     83C4 0C             add esp,0C
010546AE     8D85 74E1FFFF       lea eax,dword ptr ss:[ebp-1E8C]
010546B4     50                  push eax
010546B5     FFB5 7CE2FFFF       push dword ptr ss:[ebp-1D84]
010546BB     FF15 30B30501       call dword ptr ds:[105B330]               ; MSVCRT._stricmp
010546C1     59                  pop ecx
010546C2     59                  pop ecx
010546C3     85C0                test eax,eax
010546C5     75 11               jnz short 010546D8                        ;改jnz为jmp,这样特殊函数就不会加密
010546C7     8B85 74E2FFFF       mov eax,dword ptr ss:[ebp-1D8C]
010546CD     8B40 08             mov eax,dword ptr ds:[eax+8]
010546D0     8985 80E2FFFF       mov dword ptr ss:[ebp-1D80],eax
010546D6     EB 02               jmp short 010546DA
010546D8   ^ EB 9D               jmp short 01054677
010546DA     83BD 80E2FFFF 00    cmp dword ptr ss:[ebp-1D80],0
010546E1     75 3F               jnz short 01054722
010546E3     0FB785 84E2FFFF     movzx eax,word ptr ss:[ebp-1D7C]
010546EA     85C0                test eax,eax
010546EC     74 0F               je short 010546FD

由于当找到magin jump时已有部分iat解码了,所以重来,重复到第3步,发现iat第一次由0变成有数据时,设bp 1039bf6断点,然后把jnz改为jmp,一直到最后一个iat地址被解码(为了准确,可以在最后一个iat地址0xaaaaaaaa - 4设置硬件写入断点),这是就可以启动ImportREC设好oep和iat等,然后Get Imports,接着点Show Invalid,把所有invalid cut掉,就大功告成。


[3]脱完壳,然后破解prtg v3.26
0.prtg是用Delphi写的,破解Delphi方法可以看<<加密与解密>>
1.把ArmAccess.dll考到同一目录,ArmAccess.dll是欺骗注册码校验的
2.OllyDbg加在脱壳的prtg3.exe,设bp LoadLibraryA,一直按F9,注意堆栈,当堆栈到这里停下来
=============================================================================
0012FD34    00612C51  /CALL 到 LoadLibraryA 来自 prtg3.00612C4C
0012FD38    00612CB4  /FileName = "ArmAccess.DLL"                ;注意!
0012FD3C    0012FD68  指针到下一个 SEH 记录
0012FD40    00612CA3  SE 句柄
0012FD44    0012FD60
0012FD48    00607ADC  prtg3.00607ADC
0012FD4C    016D17B8
0012FD50    016DD238
0012FD54    016DD238
0012FD58    016DD9BC  ASCII "TEAM iNFECTED"
0012FD5C    016DEEA0  ASCII "TEAM iNFECTED"
=============================================================================
3.返回prtg3.exe领空:
00612C47     68 B42C6100         push prtg3.00612CB4                       ; ASCII "ArmAccess.DLL"
00612C4C     E8 D74DDFFF         call <jmp.&kernel32.LoadLibraryA>
00612C51     8BF0                mov esi,eax
00612C53     85F6                test esi,esi
00612C55     74 31               je short prtg3.00612C88
00612C57     68 C42C6100         push prtg3.00612CC4                       ; ASCII "CheckCode"
00612C5C     56                  push esi
00612C5D     E8 EE4CDFFF         call <jmp.&kernel32.GetProcAddress>
00612C62     8BF8                mov edi,eax
00612C64     897D F4             mov dword ptr ss:[ebp-C],edi
00612C67     85FF                test edi,edi
00612C69     74 17               je short prtg3.00612C82
00612C6B     8B45 F8             mov eax,dword ptr ss:[ebp-8]
00612C6E     E8 B528DFFF         call prtg3.00405528
00612C73     50                  push eax
00612C74     8B45 FC             mov eax,dword ptr ss:[ebp-4]
00612C77     E8 AC28DFFF         call prtg3.00405528
00612C7C     50                  push eax
00612C7D     FF55 F4             call dword ptr ss:[ebp-C]
00612C80     8BD8                mov ebx,eax
00612C82     56                  push esi
00612C83     E8 104CDFFF         call <jmp.&kernel32.FreeLibrary>
00612C88     33C0                xor eax,eax
00612C8A     5A                  pop edx
00612C8B     59                  pop ecx
00612C8C     59                  pop ecx
00612C8D     64:8910             mov dword ptr fs:[eax],edx
00612C90     68 AA2C6100         push prtg3.00612CAA
00612C95     8D45 F8             lea eax,dword ptr ss:[ebp-8]
00612C98     BA 02000000         mov edx,2
00612C9D     E8 EA23DFFF         call prtg3.0040508C
00612CA2     C3                  retn
                         
4.一直按F8,直到返回到如下代码:注意!看到"PRTG V3.26 - Pro Edition"没,所以很快就找到关键地方了!!!
006097AB     E8 502EFFFF         call prtg3.005FC600
006097B0     8BC3                mov eax,ebx
006097B2     E8 79FBFFFF         call prtg3.00609330
006097B7     E8 3CF4FFFF         call prtg3.00608BF8                      ;<<<<<返回到这,我们看到eax==0时就破解了
006097BC     48                  dec eax
006097BD     75 0E               jnz short prtg3.006097CD
006097BF     BA 30996000         mov edx,prtg3.00609930                    ; ASCII "PRTG V3.26 - Pro Edition"
006097C4     8BC3                mov eax,ebx
006097C6     E8 A10CE6FF         call prtg3.0046A46C
006097CB     EB 0C               jmp short prtg3.006097D9
006097CD     BA 54996000         mov edx,prtg3.00609954                    ; ASCII "PRTG V3.26 - Free Edition"
006097D2     8BC3                mov eax,ebx
006097D4     E8 930CE6FF         call prtg3.0046A46C
006097D9     E8 1AF4FFFF         call prtg3.00608BF8
006097DE     48                  dec eax
006097DF     75 1D               jnz short prtg3.006097FE
006097E1     8B83 4C030000       mov eax,dword ptr ds:[ebx+34C]
006097E7     33D2                xor edx,edx
006097E9     E8 162FE7FF         call prtg3.0047C704

5.重新来一次,到第3步设bp 006097B7断点,触发后F7进入:
00608BFD     51                  push ecx
00608BFE     51                  push ecx
00608BFF     51                  push ecx
00608C00     51                  push ecx
00608C01     53                  push ebx
00608C02     33C0                xor eax,eax
00608C04     55                  push ebp
00608C05     68 A78C6000         push prtg3.00608CA7
00608C0A     64:FF30             push dword ptr fs:[eax]
00608C0D     64:8920             mov dword ptr fs:[eax],esp
00608C10     B8 C08C6000         mov eax,prtg3.00608CC0                    ; ASCII "edition"
00608C15     E8 E639FFFF         call prtg3.005FC600
00608C1A     33DB                xor ebx,ebx
00608C1C     8D55 FC             lea edx,dword ptr ss:[ebp-4]
00608C1F     B8 C88C6000         mov eax,prtg3.00608CC8                    ; ASCII "TYPE"
00608C24     E8 E3FCFFFF         call prtg3.0060890C
00608C29     8D45 F8             lea eax,dword ptr ss:[ebp-8]
00608C2C     8B4D FC             mov ecx,dword ptr ss:[ebp-4]
00608C2F     BA D88C6000         mov edx,prtg3.00608CD8                    ; ASCII "type="
00608C34     E8 3BC7DFFF         call prtg3.00405374
00608C39     8B45 F8             mov eax,dword ptr ss:[ebp-8]
00608C3C     E8 BF39FFFF         call prtg3.005FC600
00608C41     8B45 FC             mov eax,dword ptr ss:[ebp-4]
00608C44     BA E88C6000         mov edx,prtg3.00608CE8
00608C49     E8 26C8DFFF         call prtg3.00405474
00608C4E     75 05               jnz short prtg3.00608C55                 ;nop it ,crack successfully!
00608C50     BB 01000000         mov ebx,1
00608C55     8D55 FC             lea edx,dword ptr ss:[ebp-4]
00608C58     B8 EC8C6000         mov eax,prtg3.00608CEC                    ; ASCII "EXPIRED"
00608C5D     E8 AAFCFFFF         call prtg3.0060890C
00608C62     837D FC 00          cmp dword ptr ss:[ebp-4],0
00608C66     74 02               je short prtg3.00608C6A
00608C68     33DB                xor ebx,ebx
00608C6A     8D55 F0             lea edx,dword ptr ss:[ebp-10]
00608C6D     8BC3                mov eax,ebx
00608C6F     E8 6814E0FF         call prtg3.0040A0DC
00608C74     8B4D F0             mov ecx,dword ptr ss:[ebp-10]
00608C77     8D45 F4             lea eax,dword ptr ss:[ebp-C]
00608C7A     BA FC8C6000         mov edx,prtg3.00608CFC                    ; ASCII "edition "
00608C7F     E8 F0C6DFFF         call prtg3.00405374
00608C84     8B45 F4             mov eax,dword ptr ss:[ebp-C]
00608C87     E8 7439FFFF         call prtg3.005FC600
00608C8C     33C0                xor eax,eax
00608C8E     5A                  pop edx
00608C8F     59                  pop ecx
00608C90     59                  pop ecx
00608C91     64:8910             mov dword ptr fs:[eax],edx
00608C94     68 AE8C6000         push prtg3.00608CAE
00608C99     8D45 F0             lea eax,dword ptr ss:[ebp-10]
00608C9C     BA 04000000         mov edx,4
00608CA1     E8 E6C3DFFF         call prtg3.0040508C
00608CA6     C3                  retn
00608CA7   ^ E9 F8BCDFFF         jmp prtg3.004049A4
00608CAC   ^ EB EB               jmp short prtg3.00608C99
00608CAE     8BC3                mov eax,ebx
00608CB0     5B                  pop ebx
00608CB1     8BE5                mov esp,ebp
00608CB3     5D                  pop ebp
00608CB4     C3                  retn

记住00608C4E,先用Peditor查查00608C4E的文件偏移是00208C4E,用Hiew去把它改为nop nop,搞定!!!

6.到了第5步,prtg3.exe基本破了,但是点注册页面时,还是会说没注册。进入prtg,打开注册页面,设bp LoadLibraryA在注册页面点Check Key后,触发断点,回到prtg领空。如下:
00612C47     68 B42C6100         push prtg3.00612CB4                    ; ASCII "ArmAccess.DLL"
00612C4C     E8 D74DDFFF         call <jmp.&kernel32.LoadLibraryA>
00612C51     8BF0                mov esi,eax                            ;<<<<<<返回到这!
00612C53     85F6                test esi,esi
00612C55     74 31               je short prtg3.00612C88
00612C57     68 C42C6100         push prtg3.00612CC4                    ; ASCII "CheckCode"
00612C5C     56                  push esi
00612C5D     E8 EE4CDFFF         call <jmp.&kernel32.GetProcAddress>
00612C62     8BF8                mov edi,eax
00612C64     897D F4             mov dword ptr ss:[ebp-C],edi
00612C67     85FF                test edi,edi
00612C69     74 17               je short prtg3.00612C82
00612C6B     8B45 F8             mov eax,dword ptr ss:[ebp-8]
00612C6E     E8 B528DFFF         call prtg3.00405528
00612C73     50                  push eax
00612C74     8B45 FC             mov eax,dword ptr ss:[ebp-4]
00612C77     E8 AC28DFFF         call prtg3.00405528
00612C7C     50                  push eax
00612C7D     FF55 F4             call dword ptr ss:[ebp-C]
00612C80     8BD8                mov ebx,eax
00612C82     56                  push esi
00612C83     E8 104CDFFF         call <jmp.&kernel32.FreeLibrary>
00612C88     33C0                xor eax,eax
00612C8A     5A                  pop edx
00612C8B     59                  pop ecx
00612C8C     59                  pop ecx
00612C8D     64:8910             mov dword ptr fs:[eax],edx
00612C90     68 AA2C6100         push prtg3.00612CAA
00612C95     8D45 F8             lea eax,dword ptr ss:[ebp-8]
00612C98     BA 02000000         mov edx,2
00612C9D     E8 EA23DFFF         call prtg3.0040508C
00612CA2     C3                  retn
00612CA3   ^ E9 FC1CDFFF         jmp prtg3.004049A4
00612CA8   ^ EB EB               jmp short prtg3.00612C95
00612CAA     8BC3                mov eax,ebx                         ;可以看到返回值eax是由ebx传递的!
00612CAC     5F                  pop edi
00612CAD     5E                  pop esi
00612CAE     5B                  pop ebx
00612CAF     8BE5                mov esp,ebp
00612CB1     5D                  pop ebp
00612CB2     C3                  retn

一直按F8返回到上一级:
00612DE7     E8 2CFEFFFF         call prtg3.00612C18
00612DEC     84C0                test al,al                        ;<<<<<<返回到这!这是关键,判断返回值,如果al为0,就是没注册
00612DEE     74 6B               je short prtg3.00612E5B           ; nop it,crack successfully!!!
00612DF0     B2 01               mov dl,1
00612DF2     A1 E8184400         mov eax,dword ptr ds:[4418E8]
00612DF7     E8 10EDE2FF         call prtg3.00441B0C

记住00612DEE,文件offest是00212DEE,Hiew修改成nop这样就可以不要ArmAccess.dll了!


[4]prtg3.exe是用Armadillo 1.xx - 2.xx壳,脱完壳后仍然需要调用ArmAccess.dll来判断注册码。
有两种方法绕过ArmAccess.dll的限制:
1.利用伪装的ArmAccess.dll返回正确值
2.修改prtg3.exe绕过ArmAccess.dll的限制,这样破解就不需要多带一个ArmAccess.dll
第[3]提到的方法就是绕过ArmAccess.dll的限制

prtg3.exe的破解信息:
oep RVA:21a7ec
iat RVA:22c230 
iat len:958
magin jump:1039bf6


阅读全文
0 0

相关文章推荐

img
取 消
img