
Unpacking SecuROM using Warcraft III as an example

Author: Cigan


Tools:

Hiew 6.85, OllyDbg & plugins, PeTools, MASM 8.2, IDA 4.7

System requirements:

The game and the original CD, a bit of brains, straight hands, and the main thing :))) :)))

We load the program into OllyDbg and off we go. SecuROM contains a virtual machine, so during unpacking it writes the decrypted pieces of code into memory. For this it uses WriteProcessMemory, passing five parameters, but only three of them interest us:

1) Where it writes = ESP+8
2) Where the code comes from = ESP+0C
3) Size of the code = ESP+10 (the number of bytes)

So we set a breakpoint on WriteProcessMemory in kernel32.dll, press F9 and wait. As soon as it stops, we look at what interests us, namely ESP+08, ESP+0C and ESP+10. Then we start PeTools and take a partial memory dump: in "Dump Start at:" we enter the address found at ESP+0C, in "Dump Length is:" we enter the byte count found at ESP+10, and press OK. This procedure is repeated until WriteProcessMemory stops being called, that is, until the game starts. After we have saved all the dumps, we need to write them into our war3.exe at the addresses that were in ESP+08 before each dump was taken. We use Hiew for this. And don't forget to keep the original file, we will still need it. Actually we only need two of the dumps, namely those that land in the very first section of the file.

Now we need to find the OEP. It is found simply: after the last WriteProcessMemory operation, step carefully through the code. Having found it, we fix up our file. Then we push it into IDA and go to the OEP. Just below it the first CALL is visible, leading nowhere in particular, while by rights there should be an API call there. So all the CALLs have to be fixed. Well, we start the original war3.exe, reach the OEP and step into that same CALL, and inside it we look for which function is going to be called. Walking through it we get into the SecuROM virtual machine, then back into war3.exe; it tosses us around a bit until we reach this place:

    0046BF55  5A            POP EDX
    0046BF56  59            POP ECX
    0046BF57  8B45 C8       MOV EAX, DWORD PTR [EBP-38]    ; war3.0044B2A4
    0046BF5A  8BF0          MOV ESI, EAX
    0046BF5C  8B06          MOV EAX, DWORD PTR [ESI]       ; msvcrt.__set_app_type
    0046BF5E  5F            POP EDI
    0046BF5F  5E            POP ESI
    0046BF60  5B            POP EBX
    0046BF61  8BE5          MOV ESP, EBP
    0046BF63  5D            POP EBP
    0046BF64  FFE0          JMP EAX

At address 0046BF57 we see that EAX receives the address of a memory cell from the .idata section, at 0046BF5C we see that EAX receives the address of the API function itself, and then at 0046BF64 a jump to it follows. Hence our CALL DWORD PTR [4ECF34] at address 00401C61 should look like CALL DWORD PTR [44B2A4]. So we need to write a DLL which will correct our incorrect CALLs into correct API calls. But that is not all the problems yet: going further through our code, we reach address 00401D5C, where we see this code:

    00401D5C  90            NOP
    00401D5D  E8 2EA60D00   CALL war3.004DC390
    00401D62  50            PUSH EAX
    00401D63  E8 48F3FFFF   CALL war3.004010B0             ; war3.004010B0

Let's go into the CALL at address 00401D5D. In fact there should be a call to GetModuleHandleA here, only after the protector it became:

    00401D5C  90            NOP
    00401D5D  E8 2EA60D00   CALL war3.004DC390

whereas it should be:

    00401D5C  FF15 A4B04400 CALL DWORD PTR [0044B0A4]

That is, inside this CALL, just as before, the function to be called is computed from the return address. Well, we reach that place and see:

    004DC415  8B75 EC       MOV ESI, DWORD PTR [EBP-14]    ; war3.0044B0A4
    004DC418  8B06          MOV EAX, DWORD PTR [ESI]       ; GetModuleHandleA
    004DC41A  8945 04       MOV DWORD PTR [EBP+4], EAX     ; GetModuleHandleA
    004DC41D  58            POP EAX
    004DC41E  9D            POPFD
    004DC41F  5F            POP EDI
    004DC420  5E            POP ESI
    004DC421  5A            POP EDX
    004DC422  59            POP ECX
    004DC423  5B            POP EBX
    004DC424  5F            POP EDI
    004DC425  5E            POP ESI
    004DC426  5B            POP EBX
    004DC427  8BE5          MOV ESP, EBP
    004DC429  5D            POP EBP
    004DC42A  C3            RETN

There are a few more such procedures that resolve the API from the return address. Now, what this is all for. We have to find all the addresses that contain nop, call and correct them into a normal CALL [API address]. Writing the DLL, or what it has to do:

1) Search for all CALLs whose target is in the VM (the virtual machine) and immediately correct them in our war3_dump.exe to the correct form:
       XXXXXXXX: CALL DWORD PTR [API address]
2) Search for all CALLs that look like:
       XXXXXXXX: 90          NOP
       XXXXXXXX: E8XXXXXXXX  CALL war3.XXXXXXXX
   and immediately correct them in war3_dump.exe to:
       XXXXXXXX: FF15XXXXXXXX CALL DWORD PTR [API address]
3) Execute each CALL found and as a result obtain a fully working NoCD.

After all these manipulations the import table has to be adjusted. There is no need to use ImpRec or Revirgin, since the table is whole in the file; it is only necessary to set "Import Directory" and "Import Address Table" correctly.

P.S. The addresses of all the import-processing functions can be found in IDA.
P.P.S. Don't kick me, this is my first article.
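After the dump has been patched, the check a practitioner wants is whether any of the two byte patterns described above are still left: an FF 15 disp32 indirect call whose slot lies outside the IAT, or a 90 E8 rel32 NOP+CALL stub still pointing into the VM area. The following Python script is an added example, not code from the article or from the War3_Fixer DLL: it runs both searches over a code section read from a dump and reports what still looks wrong. The image base, the IAT range, the VM range and the sample bytes are constructed assumptions for illustration.

```python
"""Post-unpacking sanity check for a dumped .text section (added example).

Two byte patterns from the article are searched for:
  FF 15 disp32   CALL DWORD PTR [disp32]  -> the slot must lie inside the IAT
  90 E8 rel32    NOP ; CALL rel32         -> a protector stub that should be gone
Image base, IAT range, VM range and the sample bytes are constructed assumptions.
"""
import struct

# Constructed sample of a code section as it might look after a partial fix.
# Laid out at VA 0x00401000 (default image base 0x00400000 assumed).
SAMPLE_VA = 0x00401000
SAMPLE = bytes.fromhex(
    "55 8B EC "             # push ebp ; mov ebp, esp
    "FF 15 A4 B0 44 00 "    # call [0044B0A4]  -> inside the assumed IAT, already correct
    "FF 15 34 CF 4E 00 "    # call [004ECF34]  -> slot outside the IAT, still points at the VM
    "90 E8 7B B3 0D 00 "    # nop ; call 004DC390 -> leftover protector stub
    "5D C3"                 # pop ebp ; ret
)
IAT_RANGE = (0x0044B000, 0x0044B400)   # assumed .idata slot range of the dump
VM_RANGE = (0x004DC000, 0x004E0000)    # assumed range of the SecuROM VM code


def scan_indirect_calls(code, code_va):
    """Return [(call_va, slot_address)] for every FF 15 disp32 sequence."""
    hits = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x15:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            hits.append((code_va + i, slot))
            i += 6
        else:
            i += 1
    return hits


def scan_nop_call_stubs(code, code_va):
    """Return [(stub_va, call_target)] for every 90 E8 rel32 sequence.
    The target is computed relative to the end of the 5-byte CALL."""
    hits = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0x90 and code[i + 1] == 0xE8:
            rel = struct.unpack_from("<i", code, i + 2)[0]
            target = (code_va + i + 6 + rel) & 0xFFFFFFFF
            hits.append((code_va + i, target))
            i += 6
        else:
            i += 1
    return hits


def check_dump(code, code_va, iat_range, vm_range):
    """Report indirect calls whose slot is outside the IAT and NOP+CALL stubs
    whose target is inside the VM range. An empty report means the dump is clean."""
    iat_lo, iat_hi = iat_range
    vm_lo, vm_hi = vm_range
    unresolved = [(va, slot) for va, slot in scan_indirect_calls(code, code_va)
                  if not (iat_lo <= slot < iat_hi)]
    stubs = [(va, tgt) for va, tgt in scan_nop_call_stubs(code, code_va)
             if vm_lo <= tgt < vm_hi]
    return {"unresolved_calls": unresolved, "protector_stubs": stubs}


if __name__ == "__main__":
    report = check_dump(SAMPLE, SAMPLE_VA, IAT_RANGE, VM_RANGE)
    for va, slot in report["unresolved_calls"]:
        print(f"{va:08X}: CALL DWORD PTR [{slot:08X}] -> slot is not in the IAT")
    for va, tgt in report["protector_stubs"]:
        print(f"{va:08X}: NOP ; CALL {tgt:08X} -> protector stub still present")
```

A linear byte scan without a disassembler can also match FF 15 or 90 E8 that sit inside immediates or data, so treat the hits as candidates to confirm in IDA rather than as a final verdict; the point is to get an empty report before rebuilding the import directory.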



DLL code


;----------------------------------------------------------------------------
;                           War3_Fixer.asm version 1.18
;----------------------------------------------------------------------------

   .386
   .model flat,stdcall

   option casemap:none
   include windows.inc
   include kernel32.inc

   includelib kernel32.lib


   .data
War3_Dump		db	"War3_dump.exe",0		;dump on disk that gets patched
CorrectCall		dd	000015FFh			;FF 15 = opcode of CALL DWORD PTR [imm32]
SearchN1		db	0FFh,15h,48h,9dh,50h,00h	;CALL DWORD PTR [00509D48] - a call that goes into the VM
SearchN2		db	0FFh,15h,08h,0cFh,4Eh,00h	;CALL DWORD PTR [004ECF08] - a call that goes into the VM
SearchN3		db	90h,0E8h			;NOP ; CALL rel32 - start of a protector stub
SearchN4		db	0Dh,00h				;high word of that rel32 (calls into the VM area)
FindN1			dd	SearchN1
FindN2			dd	SearchN2
FindN3			dd	SearchN3
FindN4			dd	SearchN4
Start_File		dd	00401000h			;first address of the scanned code
End_File		dd	004E668Eh			;last address of the scanned code
End_File2		dd	00449000h

   .data?
Addr_Call		dd	?
Addr_Jump		dd	?
IAT				dd	?	;API address
hWar			dd	?	;Handle of War3_Dump.exe
LastErr			dd	?	;Saved GetLastError value, restored after our own API calls
lDistToMove		dd	?	;File offset of the CALL whose target is being corrected
API				dd	?	;Address of the API function
BytesToWritten	dd	?	;Number of bytes written
   .code
   DllEntry proc hInstDLL:HINSTANCE, reason:DWORD, reserved1:DWORD
           mov  eax,TRUE
           ret
   DllEntry Endp

FindCALL PROC FindFirst:DWORD, FindSecond:DWORD
	
NewN3:		MOV		ESI, [Start_File]		;scan the whole code range for FindFirst,xx,xx,FindSecond
NextN3:		MOV		EAX, [End_File]
			CMP		ESI, EAX
			JZ		NewByteN3
			CLD
			XOR		ECX, ECX
			MOV		ECX, 2h
			MOV		EDI, FindFirst			;bytes 0-1 of the pattern (90 E8)
			REPE	CMPSB
			JNZ		NextN3
			INC		ESI				;skip the low word of rel32
			INC		ESI
			MOV		ECX, 2h
			MOV		EDI, FindSecond			;bytes 4-5 of the pattern (0D 00)
			REPE	CMPSB
			JNZ		NextN3
			MOV		EAX, ESI
			SUB		EAX, 6h				;back to the NOP and execute the stub,
			CALL	EAX				;so that the hook in our DLL corrects it
			JMP		NewN3
NewByteN3:	
			ret

FindCALL endp

Fix_exe_API proc

	invoke FindCALL,FindN3,FindN4

NewN1:		MOV		ESI, [Start_File]	;start of the scanned code range
NextN1:		MOV		EAX, [End_File]		;end of the scanned code range
			CMP		ESI, EAX
			JZ		NewByteN1
			CLD
			XOR		ECX, ECX
			MOV		ECX, 6h
			MOV		EDI, FindN1
			REPE	CMPSB
			PUSHFD
			.if	ECX==4h
				DEC		ESI
			.endif
			POPFD
			JNZ		NextN1
			MOV		EAX, ESI
			SUB		EAX, 6h
			CALL	EAX
			JMP		NewN1
NewByteN1:	MOV		EAX, FindN1		;advance the slot address inside the pattern by 4
			MOV		EBX, [EAX+2h]		;and rescan until the last slot (xx9D78h) is passed
			ADD		EBX, 4h
			MOV		[EAX+2h], EBX
			CMP		BL, 78h
			JNZ		NewN1

NewN2:		MOV		ESI, [Start_File]
NextN2:		MOV		EAX, [End_File]
			CMP		ESI, EAX
			JZ		NewByteN2
			CLD
			XOR		ECX, ECX
			MOV		ECX, 6h
			MOV		EDI, FindN2
			REPE	CMPSB
			PUSHFD
			.if	ECX==4h
				DEC		ESI
			.endif
			POPFD
			JNZ		NextN2
			MOV		EAX, ESI
			SUB		EAX, 6h
			CALL	EAX
			JMP		NewN2
NewByteN2:	MOV		EAX, FindN2		;same for the second pattern, last slot xxCF38h
			MOV		EBX, [EAX+2h]
			ADD		EBX, 4h
			MOV		[EAX+2h], EBX
			CMP		BL, 38h
			JNZ		NewN2
			ret

Fix_exe_API endp


Create proc
	
	invoke CreateFile,addr War3_Dump,GENERIC_WRITE,FILE_SHARE_READ,NULL,OPEN_ALWAYS,\
									FILE_ATTRIBUTE_NORMAL,NULL
	ret

Create endp

Close proc
	
	invoke CloseHandle,hWar
	ret

Close endp

ApiCallRebuildN1 proc		;0046BF57
	invoke GetLastError
      MOV     LastErr,EAX
	CALL Create
	.if EAX!=NULL
			MOV		hWar,EAX
			MOV		EAX, DWORD PTR [EBP-3Ch]
			MOV		EBX, 00400000h
			SUB		EAX, EBX
			MOV		lDistToMove,EAX
			invoke SetFilePointer,hWar,lDistToMove,NULL,NULL
			MOV     EBX, EBP
			SUB     EBX, 38h
			MOV		API,EBX
			invoke WriteFile,hWar,API,4h,addr BytesToWritten,NULL
			CALL	Close
			MOV     EAX, DWORD PTR [EBP-38h]
			MOV     EBX, DWORD PTR [EBP-3Ch]
			MOV     DWORD PTR [EBX], EAX
			MOV     ESI, EAX
			invoke SetLastError,LastErr
	.endif
	ret
ApiCallRebuildN1 endp


ApiCallRebuildN2 proc		;004DC415

	invoke GetLastError
      MOV     LastErr,EAX
    CALL Create
	.if EAX!=NULL
			MOV		hWar,EAX
			MOV		EAX, DWORD PTR [EBP+8h]
			SUB		EAX, 4h
			MOV		EBX, 00400000h
			SUB		EAX, EBX
			MOV		lDistToMove,EAX
			invoke SetFilePointer,hWar,lDistToMove,NULL,NULL
			MOV     EBX, EBP
			SUB     EBX, 14h
			MOV		API,EBX
			invoke WriteFile,hWar,API,4h,addr BytesToWritten,NULL
			MOV		EBX, DWORD PTR [EBP+8h]
			SUB		EBX, 4h
			MOV		EAX, DWORD PTR [EBP-14h]
			MOV 	DWORD PTR [EBX], EAX
			SUB		EBX, 2h
			MOV		EAX, CorrectCall
			CMP		AX, WORD PTR [EBX]
			JNZ		IncorrectCall
	CallIsCorrect:
			CALL	Close
			invoke SetLastError,LastErr
			MOV		ESI, DWORD PTR [EBP-14h]
			MOV		EAX, DWORD PTR [ESI]
			ret
	IncorrectCall:
			MOV		EAX, DWORD PTR [EBP+8h]
			SUB		EAX, 6h
			MOV		EBX, 00400000h
			SUB		EAX, EBX
			MOV		lDistToMove,EAX
			invoke SetFilePointer,hWar,lDistToMove,NULL,NULL
			invoke WriteFile,hWar,addr CorrectCall,2h,addr BytesToWritten,NULL
			MOV		EBX, DWORD PTR [EBP+8h]
			SUB		EBX, 6h
			MOV		AX, WORD PTR [CorrectCall]
			MOV		WORD PTR [EBX],AX
			jmp		CallIsCorrect
	.endif
	ret
	
ApiCallRebuildN2 endp

ApiCallRebuildN3 proc		;004DC1AE & 004DC36E
	
	MOV		DWORD PTR [EBP-14h],EAX
	invoke GetLastError
      MOV     LastErr,EAX
    CALL Create
	.if EAX!=NULL
			MOV		hWar,EAX
			MOV		EAX, DWORD PTR [EBP+4h]
			SUB		EAX, 4h
			MOV		EBX, 00400000h
			SUB		EAX, EBX
			MOV		lDistToMove,EAX
			invoke SetFilePointer,hWar,lDistToMove,NULL,NULL
			MOV     EBX, EBP
			SUB     EBX, 14h
			MOV		API,EBX
			invoke WriteFile,hWar,API,4h,addr BytesToWritten,NULL
			MOV		EBX, DWORD PTR [EBP+4h]
			SUB		EBX, 4h
			MOV		EAX, DWORD PTR [EBP-14h]
			MOV 	DWORD PTR [EBX], EAX
			SUB		EBX, 2h
			MOV		EAX, CorrectCall
			CMP		AX, WORD PTR [EBX]
			JNZ		IncorrectCall2
	CallIsCorrect2:
			CALL	Close
			invoke SetLastError,LastErr
			MOV		EAX, DWORD PTR [EBP-14h]
			ret
	IncorrectCall2:
			MOV		EAX, DWORD PTR [EBP+4h]
			SUB		EAX, 6h
			MOV		EBX, 00400000h
			SUB		EAX, EBX
			MOV		lDistToMove,EAX
			invoke SetFilePointer,hWar,lDistToMove,NULL,NULL
			invoke WriteFile,hWar,addr CorrectCall,2h,addr BytesToWritten,NULL
			MOV		EBX, DWORD PTR [EBP+4h]
			SUB		EBX, 6h
			MOV		AX, WORD PTR [CorrectCall]
			MOV		WORD PTR [EBX],AX
			jmp		CallIsCorrect2
	.endif
	ret

ApiCallRebuildN3 endp

   End DllEntry


After the DLL is loaded, Fix_exe_API is called, but before that the protector code at the following addresses must be replaced with the jumps listed below:


46BF57      ==> jmp ApiCallRebuildN1 - which is located in our DLL
4DC415      ==> jmp ApiCallRebuildN2
4DC1AE      ==> jmp ApiCallRebuildN3
4DC36E      ==> jmp ApiCallRebuildN3

And a small clarification: after such a call executes, control ends up not in the program but in our DLL.


Comments

Андрей ::: 06 May 2005 22:50:43 MSK
Well done, Cigan
----
Zazaka ::: 08 May 2005 22:59:22 MSK
Damn, how I hate all these StarForce, SecuROM and the like.
----


The materials are located on the site http://cracklab.ru/art/





You are on CRACKLAB.RU, today is 31 May 2005, 06:13:54 MSK