Aspr1.23rc4
Shell
Advanced IM Password Recovery
simple
MD5
[Target]: Advanced IM Password Recovery v2.31
[Tools]: OllyDbg 1.1 (DIY version), LordPE, ImportREC 1.6f, AsprDbgr 1.0, IDA
[Task]: Unpack it first, then... hehe
[Operating platform]: WinXP Pro SP1
[Author]: loveboom [DFCG] [FCG]
[Related links]:
www.elcomsoft.com
[Brief description]: It has been a while since I wrote anything. Because of my limited skill and lack of time it is hard to write much, and plenty of friends have already covered this target. This article is just a small contribution; I haven't posted for a long time, so I want to see whether I can still fit in. Beyond that it has no research value.
[Detailed procedure]:
PEiD identifies it as ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov. At first I thought it was ASPr 1.3x and wanted to put it back, but then I thought: since it is already here, it doesn't matter what it turns out to be, the worst case is some wasted time. To my surprise, when I followed it, it turned out to be a soft target, which saved me a lot of effort. OK, I'll save the rest for later.
Open OD, in the settings uncheck "ignore memory access exceptions", remove the Ring3 debugger detection, then Shift+F9 through the exceptions all the way to the last one (for me it was the 25th and last):
009C39EC 3100             XOR DWORD PTR DS:[EAX], EAX
009C39EE 64:8F05 00000000 POP DWORD PTR FS:[0]
009C39F5 58               POP EAX
009C39F6 833D B07E9C00 00 CMP DWORD PTR DS:[9C7EB0], 0
009C39FD 74 14            JE SHORT 009C3A13
009C39FF 6A 0C            PUSH 0C
009C3A01 B9 B07E9C00      MOV ECX, 9C7EB0
009C3A06 8D45 F8          LEA EAX, DWORD PTR SS:[EBP-8]
009C3A09 BA 04000000      MOV EDX, 4
009C3A0E E8 2DD1FFFF      CALL 009C0B40
009C3A13 FF75 FC          PUSH DWORD PTR SS:[EBP-4]
009C3A16 FF75 F8          PUSH DWORD PTR SS:[EBP-8]
009C3A19 8B45 F4          MOV EAX, DWORD PTR SS:[EBP-C]
009C3A1C 8338 00          CMP DWORD PTR DS:[EAX], 0
009C3A1F 74 02            JE SHORT 009C3A23
009C3A21 FF30             PUSH DWORD PTR DS:[EAX]
009C3A23 FF75 F0          PUSH DWORD PTR SS:[EBP-10]
009C3A26 FF75 EC          PUSH DWORD PTR SS:[EBP-14]
009C3A29 C3               RETN ; here is the C3, the shell is about to return into the program
Set an F2 breakpoint at 009C3A29, Shift+F9, and it breaks there. After it breaks, remove the breakpoint. (How to remove it? Friends without the basics, please read the relevant documentation; don't ask me, because I can't answer everything. I'll answer only one thing here: a friend asked me how to dump and FixDump after using my unpacking script, and I won't discuss that question; I can only say look at the most basic material first.)
Oh, a small aside: once it breaks here, remove the breakpoint and set a hardware access breakpoint HR [ESP+C] (equivalent to HR 12FFA4 here), then F9 to run. What follows needs some foundation; without it the code below will feel a bit like flying blind.
After it runs and breaks, remove the hardware access breakpoint:
009D5CA3 F3:    PREFIX REP:
009D5CA4 EB 02  JMP SHORT 009D5CA8
From here, press F8 carefully to find the stolen code.
009D5CF5 BE C55C9D00  MOV ESI, 9D5CC5
009D5CFA FF56 3F      CALL DWORD PTR DS:[ESI+3F] ; F7 into this one; if it runs off on you, F8 instead and follow the stolen code once inside
009D5D67 896C24 00         MOV DWORD PTR SS:[ESP], EBP ; ***** ; this is PUSH EBP
009D5D6B 8BEC              MOV EBP, ESP ; *****
009D5D6D 6A FF             PUSH -1 ; *****
009D5D6F 68 48A44200       PUSH 42A448 ; *****
009D5D74 68 F4514200       PUSH 4251F4 ; *****
009D5D79 64:A1 00000000    MOV EAX, DWORD PTR FS:[0] ; *****
009D5D7F 66:8105 895D9D00 1649 ADD WORD PTR DS:[9D5D89], 4916
......
009D5DBB 894424 00         MOV DWORD PTR SS:[ESP], EAX ; *****
009D5DBF 64:8925 00000000  MOV DWORD PTR FS:[0], ESP ; *****
009D5DC6 83EC 58           SUB ESP, 58 ; *****
......
009D5E05 895C24 00         MOV DWORD PTR SS:[ESP], EBX ; *****
......
009D5E45 897424 00         MOV DWORD PTR SS:[ESP], ESI ; *****
......
009D5E85 897C24 00         MOV DWORD PTR SS:[ESP], EDI ; ***** ; ntdll.77F944A8
009D5E89 8965 E8           MOV DWORD PTR SS:[EBP-18], ESP ; *****
009D5E8C F3:               PREFIX REP:
009D5E95 68 F8FF4100       PUSH 41FFF8 ; seeing this, friends who have followed ASPr before know that what follows is the cleanup code, so we don't need to follow it
009D5E9A 68 015C9D00       PUSH 9D5C01
009D5E9F C3                RETN
Now go straight to 41FFF8 (G 41FFF8) and run to it, so that it stops here:
0041FFF8 FF15 C4914200  CALL DWORD PTR DS:[4291C4] ; get off here
0041FFFE 33D2           XOR EDX, EDX
00420000 8AD4           MOV DL, AH
00420002 8915 84BE4300  MOV DWORD PTR DS:[43BE84], EDX
00420008 8BC8           MOV ECX, EAX
OK, now let me summarize the stolen code:
0041FFD2 55                PUSH EBP
0041FFD3 8BEC              MOV EBP, ESP
0041FFD5 6A FF             PUSH -1
0041FFD7 68 48A44200       PUSH AIMPR.0042A448
0041FFDC 68 F4514200       PUSH AIMPR.004251F4
0041FFE1 64:A1 00000000    MOV EAX, DWORD PTR FS:[0]
0041FFE7 50                PUSH EAX
0041FFE8 64:8925 00000000  MOV DWORD PTR FS:[0], ESP
0041FFEF 83EC 58           SUB ESP, 58
0041FFF2 53                PUSH EBX
0041FFF3 56                PUSH ESI
0041FFF4 57                PUSH EDI
0041FFF5 8965 E8           MOV DWORD PTR SS:[EBP-18], ESP
With this code recovered, open AsprDbgr 1.0 and load the target. After loading, wait a moment until the target program is running:
AsprDbgr v1.0beta (:p) made by me... manko.
IEP = 401000 (C:\Program Files\AIMPR\AIMPR.EXE)
GST returns to: 9B2667
Trick aspr GST... (eax = 12121212h)
GV returns to: 9C1A61
IAT start: 429000
End: 42938C
Length: 38C
IATentry 4290E4 = 9C1CF0 resolved as FreeResource
IATentry 4290E8 = 9C1C64 resolved as GetModuleHandleA
IATentry 4290F4 = 9C1CC8 resolved as LockResource
IATentry 42913C = 9C17A4 resolved as GetProcAddress
IATentry 4291A4 = 9C1CB8 resolved as GetCurrentProcess
IATentry 4291C4 = 9C1C8C resolved as GetVersion
IATentry 4291CC = 9C1CD8 resolved as GetCommandLineA
IATentry 4292C8 = 9C1D14 resolved as DialogBoxParamA
0 invalid entries erased.
DIP-table address: 9C7AB4
0 0 0 0 0 0 0 0 0 0 41DA10 41DA00 41D9F0 0
Last SEH passed. Singlestepping to OEP!
Call OEP-jump-setup at: 9D5E3F (code: E8000000 5D81ED)
Mutated stolen bytes at: 9D5E8A (code: 61F3EB02 CD20F3EB)
Erase of stolen bytes at: 9D5DEE (code: 9CFCBF2D 5E9D00B9)
REPZ ... found. Skipping erase of stolen bytes. ;)
DIP from pre-OEP: 41FFF8 (reached from: 9D5DFF)
Now open ImportREC and set the OEP to 1FFF8, and you get the whole IAT; it really is good, the best thing for a lazy man like me. Once you have the full import table, set the OEP back to 1FFD2. Of course, if you prefer, you can set the OEP to 1FFD2 from the start.
Now dump and FixDump while the program is running, and the unpacking is done.
The shell is off. Now we move on to the brute-force patch. (Not that I want to crack it this way, but I don't think there is much more here to study, and a straight patch alone would not give me enough words for an article.)
Run the unpacked file, open the Registration dialog, enter a name, then set bpx GetDlgItemTextA.
It breaks here:
seg000:0041DE70 LBL_GETSN:                              ; CODE XREF: seg000:0041DE61j
seg000:0041DE70 mov     eax, ds:dword_43BE3C
seg000:0041DE75 xor     ecx, ecx
seg000:0041DE77 mov     cx, [eax+300h]
seg000:0041DE7E add     eax, 200h
seg000:0041DE83 push    ecx                             ; count
seg000:0041DE84 push    eax                             ; buffer; the call returns the length of the registration code
seg000:0041DE85 push    0FFAh                           ; control ID
seg000:0041DE8A push    edi                             ; window handle
seg000:0041DE8B call    ds:GetDlgItemTextA
seg000:0041DE91 mov     edx, ds:dword_43BE3C
seg000:0041DE97 add     edx, 200h
seg000:0041DE9D push    edx                             ; edx holds the registration code we entered
seg000:0041DE9E call    LBL_CHECKSN                     ; follow this in, otherwise it's over
seg000:0041DEA3 add     esp, 4
seg000:0041DEA6 test    eax, eax
seg000:0041DEA8 jnz     short loc_41DEB3                ; pay attention here: don't think that changing
seg000:0041DEA8                                         ; this to JMP is enough, because the code further
seg000:0041DEA8                                         ; on enters that CALL again to check the code
seg000:0041DEAA push    edi
seg000:0041DEAB call    sub_41DD80
seg000:0041DEB0 add     esp, 4
Enter the CALL above:
seg000:0041DB90 LBL_CHECKSN proc near                   ; CODE XREF: seg000:0041DE9Ep
seg000:0041DB90                                         ; sub_41E030+12p ...
seg000:0041DB90
seg000:0041DB90 var_6C = dword ptr -6Ch
seg000:0041DB90 var_5C = dword ptr -5Ch
seg000:0041DB90 arg_0  = dword ptr  4
seg000:0041DB90
seg000:0041DB90 sub     esp, 6Ch
seg000:0041DB93 or      ecx, 0FFFFFFFFh
seg000:0041DB96 xor     eax, eax
seg000:0041DB98 push    ebx
seg000:0041DB99 push    ebp
seg000:0041DB9A mov     ebp, [esp+74h+arg_0]
seg000:0041DB9E push    edi
seg000:0041DB9F mov     edi, ebp
seg000:0041DBA1 repne scasb                             ; get the length of the registration code
seg000:0041DBA3 not     ecx
seg000:0041DBA5 dec     ecx
seg000:0041DBA6 cmp     ecx, 6                          ; compare the registration code length against 6; too short and it's over
seg000:0041DBA9 jge     short LBL_NEXT1                 ; if there is no problem, jump to the next step
seg000:0041DBAB pop     edi
seg000:0041DBAC pop     ebp
seg000:0041DBAD pop     ebx
seg000:0041DBAE add     esp, 6Ch
seg000:0041DBB1 retn                                    ; if it reaches this RETN, we have to start over
seg000:0041DBB2 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
seg000:0041DBB2
seg000:0041DBB2 LBL_NEXT1:                              ; CODE XREF: LBL_CHECKSN+19j
seg000:0041DBB2 and     ecx, 80000001h
seg000:0041DBB8 jns     short loc_41DBBF                ; jumps here,
seg000:0041DBBA dec     ecx
seg000:0041DBBB or      ecx, 0FFFFFFFEh
seg000:0041DBBE inc     ecx
seg000:0041DBBF
seg000:0041DBBF loc_41DBBF:                             ; CODE XREF: LBL_CHECKSN+28j
seg000:0041DBBF jz      short LBL_NEXT2                 ; also jumps here; we generally don't need to care about these two places
seg000:0041DBC1 pop     edi
seg000:0041DBC2 pop     ebp
seg000:0041DBC3 xor     eax, eax
seg000:0041DBC5 pop     ebx
seg000:0041DBC6 add     esp, 6Ch
seg000:0041DBC9 retn                                    ; if we get here, it's over
seg000:0041DBCA ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
seg000:0041DBCA
seg000:0041DBCA LBL_NEXT2:                              ; CODE XREF: LBL_CHECKSN+2Fj
seg000:0041DBCA mov     edi, ebp                        ; registration code into edi
seg000:0041DBCC or      ecx, 0FFFFFFFFh
seg000:0041DBCF xor     eax, eax
seg000:0041DBD1 push    esi
seg000:0041DBD2 repne scasb                             ; compute the length of the registration code again
seg000:0041DBD4 not     ecx
seg000:0041DBD6 dec     ecx
seg000:0041DBD7 lea     eax, [esp+7Ch+var_5C]
seg000:0041DBDB mov     ebx, ecx                        ; registration code length into ebx
seg000:0041DBDD push    eax
seg000:0041DBDE add     ebx, 4
seg000:0041DBE1 shr     ebx, 1                          ; if nothing goes wrong, we arrive here
seg000:0041DBE3 call    LBL_INITMD5                     ; follow this in and you can see the MD5 algorithm
Follow it in and take a look:
seg000:0041C7F0 ; ═══════════════ S U B R O U T I N E ═══════════════
seg000:0041C7F0
seg000:0041C7F0
seg000:0041C7F0 LBL_INITMD5 proc near                   ; CODE XREF: sub_409E20+128p
seg000:0041C7F0                                         ; sub_414D80+8p ...
seg000:0041C7F0
seg000:0041C7F0 arg_0 = dword ptr 4
seg000:0041C7F0
seg000:0041C7F0 mov     eax, [esp+arg_0]
seg000:0041C7F4 xor     ecx, ecx
seg000:0041C7F6 mov     dword ptr [eax], 67452301h      ; no need to explain these if you have seen them before
seg000:0041C7FC mov     dword ptr [eax+4], 0EFCDAB89h
seg000:0041C803 mov     dword ptr [eax+8], 98BADCFEh
seg000:0041C80A mov     dword ptr [eax+0Ch], 10325476h
seg000:0041C811 mov     [eax+10h], ecx
seg000:0041C814 mov     [eax+14h], ecx
seg000:0041C817 mov     [eax+58h], ecx
seg000:0041C81A retn
seg000:0041C81A LBL_INITMD5 endp
seg000:0041C81A
seg000:0041C81A ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
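Both things this article recognises by eye, the MSVC SEH entry prologue that ASProtect stole from 0041FFD2 and the RFC 1321 initial state in LBL_INITMD5, are fixed byte patterns with a few variable bytes. The following Python scanner is an added example, not code from the original article: it matches such wildcard patterns over raw code bytes, and the sample blob is constructed from the instruction bytes in the two listings above with filler around them.

```python
# Added example (not from the original article): wildcard byte-pattern scans for
# the MSVC SEH prologue that ASProtect stole from the OEP and for the MD5
# initial state written by LBL_INITMD5.

def parse_pattern(text: str) -> list:
    """'55 8B ??' -> [0x55, 0x8B, None]; '??' is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def find_pattern(blob: bytes, text: str) -> list:
    """Return every offset in blob where the wildcard pattern matches."""
    pat = parse_pattern(text)
    n = len(pat)
    return [i for i in range(len(blob) - n + 1)
            if all(p is None or blob[i + k] == p for k, p in enumerate(pat))]

# Stolen prologue as summarised at 0041FFD2: push ebp / mov ebp,esp / push -1 /
# push scope table / push handler / mov eax,fs:[0] / push eax /
# mov fs:[0],esp / sub esp,N. The two addresses and N are wildcards.
MSVC_SEH_PROLOGUE = ("55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? "
                     "64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC ??")

# RFC 1321 initial state A,B,C,D as little-endian imm32, with the 3-byte
# 'C7 40 disp8' opcodes between them wildcarded. MD4 and SHA-1 start from the
# same four words, so a hit still has to be confirmed from the round function.
MD5_INIT = ("01 23 45 67 ?? ?? ?? 89 AB CD EF ?? ?? ?? "
            "FE DC BA 98 ?? ?? ?? 76 54 32 10")

PATTERNS = {"msvc_seh_prologue": MSVC_SEH_PROLOGUE, "md5_init": MD5_INIT}

def scan(blob: bytes, base: int = 0) -> dict:
    """Map each pattern name to the addresses (base + offset) where it occurs."""
    return {name: [base + off for off in find_pattern(blob, pat)]
            for name, pat in PATTERNS.items()}

# Constructed sample: two NOPs, the stolen-code bytes from the article's summary
# listing, INT3 filler, then LBL_INITMD5 encoded from its listing.
SAMPLE = bytes.fromhex(
    "90 90 "
    "55 8B EC 6A FF 68 48 A4 42 00 68 F4 51 42 00 "
    "64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 "
    "CC CC CC CC "
    "8B 44 24 04 33 C9 "
    "C7 00 01 23 45 67 C7 40 04 89 AB CD EF "
    "C7 40 08 FE DC BA 98 C7 40 0C 76 54 32 10 "
    "89 48 10 89 48 14 89 48 58 C3"
)

if __name__ == "__main__":
    # Constructed base so that the hits print as virtual addresses.
    for name, hits in scan(SAMPLE, base=0x400000).items():
        print(name, [hex(h) for h in hits])
```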
After that, go back to where we were:
seg000:0041DBE9 lea     ecx, [esp+84h+var_5C]
seg000:0041DBED push    ebp                             ; the registration code
seg000:0041DBEE push    ecx
seg000:0041DBEF call    sub_41C820
seg000:0041DBF4 lea     edx, [esp+8Ch+var_5C]
seg000:0041DBF8 lea     eax, [esp+8Ch+var_6C]
seg000:0041DBFC push    edx
seg000:0041DBFD push    eax
seg000:0041DBFE call    sub_41D8B0
seg000:0041DC03 add     esp, 18h
seg000:0041DC06 mov     ecx, 4
seg000:0041DC0B mov     edi, offset unk_43714C
seg000:0041DC10 lea     esi, [esp+7Ch+var_6C]
seg000:0041DC14 xor     edx, edx
seg000:0041DC16 repe cmpsd
seg000:0041DC18 pop     esi
seg000:0041DC19 jz      short LBL_NEXT3                 ; **** MD5 gives me a headache, so I just kept pressing F8 to here.
seg000:0041DC19                                         ; this one must jump
seg000:0041DC1B pop     edi
seg000:0041DC1C pop     ebp
seg000:0041DC1D xor     eax, eax
seg000:0041DC1F pop     ebx
seg000:0041DC20 add     esp, 6Ch
seg000:0041DC23 retn
seg000:0041DC24 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
seg000:0041DC24
seg000:0041DC24 LBL_NEXT3:                              ; CODE XREF: LBL_CHECKSN+89j
seg000:0041DC24 lea     eax, [esp+78h+var_5C]
seg000:0041DC28 push    eax
seg000:0041DC29 call    LBL_INITMD5
seg000:0041DC2E mov     edi, ebp
seg000:0041DC30 or      ecx, 0FFFFFFFFh
seg000:0041DC33 xor     eax, eax
seg000:0041DC35 repne scasb
seg000:0041DC37 not     ecx
seg000:0041DC39 dec     ecx
seg000:0041DC3A push    ecx
seg000:0041DC3B lea     ecx, [esp+80h+var_5C]
seg000:0041DC3F push    ebp                             ; the registration code
seg000:0041DC40 push    ecx
seg000:0041DC41 call    sub_41C820
seg000:0041DC46 lea     edx, [esp+88h+var_5C]
seg000:0041DC4A lea     eax, [esp+88h+var_6C]
seg000:0041DC4E push    edx
seg000:0041DC4F push    eax
seg000:0041DC50 call    sub_41D8B0
seg000:0041DC55 lea     ecx, [esp+90h+var_6C]
seg000:0041DC59 push    ecx
seg000:0041DC5A call    sub_41DB20
seg000:0041DC5F add     esp, 1Ch
seg000:0041DC62 test    eax, eax
seg000:0041DC64 jnz     short LBL_NEXT4                 ; ***** nobody needs to F8 all the way here; this one jumps too
seg000:0041DC66 pop     edi
seg000:0041DC67 pop     ebp
seg000:0041DC68 pop     ebx
seg000:0041DC69 add     esp, 6Ch
seg000:0041DC6C retn
seg000:0041DC6D ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
seg000:0041DC6D
seg000:0041DC6D LBL_NEXT4:                              ; CODE XREF: LBL_CHECKSN+D4j
seg000:0041DC6D mov     eax, ds:dword_43BE40
seg000:0041DC72 test    eax, eax
seg000:0041DC74 jnz     short LBL_REGOK                 ; ***** oh, I accidentally ran straight past this one; it has to jump here too, not fall through
seg000:0041DC76 push    ebx
seg000:0041DC77 push    ebp
seg000:0041DC78 call    sub_41DA80
seg000:0041DC7D add     esp, 8
seg000:0041DC80 mov     ds:dword_43BE40, 1
seg000:0041DC8A
seg000:0041DC8A LBL_REGOK:                              ; CODE XREF: LBL_CHECKSN+E4j
seg000:0041DC8A pop     edi
seg000:0041DC8B pop     ebp                             ; huh, watch the registration code leave the stack
seg000:0041DC8C mov     eax, 1                          ; eax = 1 here means registration succeeded
seg000:0041DC91 pop     ebx
seg000:0041DC92 add     esp, 6Ch
seg000:0041DC95 retn
seg000:0041DC95 LBL_CHECKSN endp
Now it is clear how to patch it: change the places involved to JMP XXX:
0041DC19 EB 09  JMP SHORT Dumped1_.0041DC24
0041DC64 EB 07  JMP SHORT Dumped1_.0041DC6D
0041DC74 EB 14  JMP SHORT Dumped1_.0041DC8A
Save after the change and run it: is it registered? Honestly though, don't you think changing three places is too many? Since we are patching it anyway, if you are going to change it, change it properly.
My change:
seg000:0041DB90
seg000:0041DB90 sub     esp, 6Ch                        ; change here
seg000:0041DB93 or      ecx, 0FFFFFFFFh
seg000:0041DB96 xor     eax, eax
seg000:0041DB98 push    ebx
Change to:
0041DB90 B8 01000000  MOV EAX, 1
0041DB95 C3           RETN
That's cool, and that's it. Because this software is only used here for teaching, I don't dare guarantee there are no hidden traps. If you find a hidden trap, have a better method, or work out the whole algorithm, please let me know, thank you!
Special thanks to Old Rookie for giving me the fine weapon IDA; without him I would probably still be writing articles with W32Dasm today. This is also my IDA tutorial No. 1!
Greetz:
Fly, jingulong, Yock, TDASM, David, ahao, vcasm, UFO (brother), aran (sister), all of my friends and you!
By LoveBoom [DFCG] [FCG]
Email: bmd2chen@tom.com