primero comenzamos desempacando
aproximadamente por aquí debería ser el stolen OEP
<00401220>
PUSH EBP
MOV EBP,ESP
SUB ESP,8
MOV DWORD PTR SS:[ESP],1
CALL DWORD PTR DS:[4A102C]
CALL 00401100
para luego seguir con
00401233 CALL 00401100->aqui nos deja svpk
la rutina comenzaría en 004011E2 . E8 E9010000 CALL dumped_3.004013D0
004011E2 . E8 E9010000 CALL dumped_3.004013D0
004011E7 . 89C3 MOV EBX,EAX
004011E9 . E8 F20E0100 CALL <JMP.&msvcrt._cexit> ; [msvcrt._cexit
004011EE . 891C24 MOV DWORD PTR SS:[ESP],EBX
004011F1 . E8 CA110100 CALL dumped_3.004123C0
004011F6 > 894424 04 MOV DWORD PTR SS:[ESP+4],EAX ; |
004011FA . 8B15 4C104A00 MOV EDX,DWORD PTR DS:[<&msvcrt._iob>] ; |msvcrt._iob
00401200 . 8B42 10 MOV EAX,DWORD PTR DS:[EDX+10] ; |
la rutina está bastante larga
00401598 |. C74424 04 6C20>MOV DWORD PTR SS:[ESP+4],dumped_3.004420>; ASCII "La cantidad de caracteres, es muy poca."
004015A0 |. C70424 F053440>MOV DWORD PTR SS:[ESP],dumped_3.004453F0
004015A7 |. E8 5CC60300 CALL dumped_3.0043DC08
004015AC |. C74424 04 D8C9>MOV DWORD PTR SS:[ESP+4],dumped_3.0043C9>
004015B4 |. 890424 MOV DWORD PTR SS:[ESP],EAX
004015B7 |. E8 A4A50200 CALL dumped_3.0042BB60
004015BC |. E8 3FE80000 CALL <JMP.&msvcrt._getch> ; [_getch
004015C1 |> C785 20FFFFFF >MOV DWORD PTR SS:[EBP-E0],0
004015CB |> 8B85 20FFFFFF /MOV EAX,DWORD PTR SS:[EBP-E0]
004015D1 |. 3B85 08FFFFFF |CMP EAX,DWORD PTR SS:[EBP-F8]
004015D7 |. 7D 37 |JGE SHORT dumped_3.00401610
004015D9 |. 8B8D 20FFFFFF |MOV ECX,DWORD PTR SS:[EBP-E0]
004015DF |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
004015E2 |. 0385 20FFFFFF |ADD EAX,DWORD PTR SS:[EBP-E0]
004015E8 |. 83E8 40 |SUB EAX,40
004015EB |. 0FBE10 |MOVSX EDX,BYTE PTR DS:[EAX]
004015EE |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
004015F1 |. 0385 20FFFFFF |ADD EAX,DWORD PTR SS:[EBP-E0]
004015F7 |. 83E8 3E |SUB EAX,3E
004015FA |. 0FBE00 |MOVSX EAX,BYTE PTR DS:[EAX]
004015FD |. 31D0 |XOR EAX,EDX
004015FF |. 89848D 28FFFFF>|MOV DWORD PTR SS:[EBP+ECX*4-D8],EAX
00401606 |. 8D85 20FFFFFF |LEA EAX,DWORD PTR SS:[EBP-E0]
0040160C |. FF00 |INC DWORD PTR DS:[EAX]
0040160E |.^EB BB \JMP SHORT dumped_3.004015CB
00401610 |> C785 20FFFFFF >MOV DWORD PTR SS:[EBP-E0],0
0040161A |> 8B85 20FFFFFF /MOV EAX,DWORD PTR SS:[EBP-E0]
00401620 |. 3B85 08FFFFFF |CMP EAX,DWORD PTR SS:[EBP-F8]
00401626 |. 7D 30 |JGE SHORT dumped_3.00401658
00401628 |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
0040162B |. 0385 20FFFFFF |ADD EAX,DWORD PTR SS:[EBP-E0]
00401631 |. 83E8 40 |SUB EAX,40
00401634 |. 0FBE10 |MOVSX EDX,BYTE PTR DS:[EAX]
00401637 |. 89D0 |MOV EAX,EDX
00401639 |. C1E0 03 |SHL EAX,3
0040163C |. 01D0 |ADD EAX,EDX
0040163E |. C1E0 02 |SHL EAX,2
00401641 |. 29D0 |SUB EAX,EDX
00401643 |. 05 6F090000 |ADD EAX,96F
00401648 |. 8985 1CFFFFFF |MOV DWORD PTR SS:[EBP-E4],EAX
0040164E |. 8D85 20FFFFFF |LEA EAX,DWORD PTR SS:[EBP-E0]
00401654 |. FF00 |INC DWORD PTR DS:[EAX]
00401656 |.^EB C2 \JMP SHORT dumped_3.0040161A
00401658 |> C785 20FFFFFF >MOV DWORD PTR SS:[EBP-E0],0
00401662 |> 8B85 20FFFFFF /MOV EAX,DWORD PTR SS:[EBP-E0]
00401668 |. 3B85 08FFFFFF |CMP EAX,DWORD PTR SS:[EBP-F8]
0040166E |. 7D 33 |JGE SHORT dumped_3.004016A3
00401670 |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
00401673 |. 0385 20FFFFFF |ADD EAX,DWORD PTR SS:[EBP-E0]
00401679 |. 83E8 40 |SUB EAX,40
0040167C |. 0FBE10 |MOVSX EDX,BYTE PTR DS:[EAX]
0040167F |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
00401682 |. 0385 20FFFFFF |ADD EAX,DWORD PTR SS:[EBP-E0]
00401688 |. 83E8 3F |SUB EAX,3F
0040168B |. 0FBE00 |MOVSX EAX,BYTE PTR DS:[EAX]
0040168E |. 31D0 |XOR EAX,EDX
00401690 |. 83C0 05 |ADD EAX,5
00401693 |. 8985 18FFFFFF |MOV DWORD PTR SS:[EBP-E8],EAX
00401699 |. 8D85 20FFFFFF |LEA EAX,DWORD PTR SS:[EBP-E0]
0040169F |. FF00 |INC DWORD PTR DS:[EAX]
004016A1 |.^EB BF \JMP SHORT dumped_3.00401662
004016A3 |> C785 20FFFFFF >MOV DWORD PTR SS:[EBP-E0],0
004016AD |> 8B85 20FFFFFF /MOV EAX,DWORD PTR SS:[EBP-E0]
004016B3 |. 3B85 08FFFFFF |CMP EAX,DWORD PTR SS:[EBP-F8]
004016B9 |. 7D 25 |JGE SHORT dumped_3.004016E0
004016BB |. 8B85 18FFFFFF |MOV EAX,DWORD PTR SS:[EBP-E8]
004016C1 |. 8B95 1CFFFFFF |MOV EDX,DWORD PTR SS:[EBP-E4]
004016C7 |. 31C2 |XOR EDX,EAX
004016C9 |. 89D0 |MOV EAX,EDX
004016CB |. C1E0 04 |SHL EAX,4
004016CE |. 01D0 |ADD EAX,EDX
004016D0 |. 8985 14FFFFFF |MOV DWORD PTR SS:[EBP-EC],EAX
004016D6 |. 8D85 20FFFFFF |LEA EAX,DWORD PTR SS:[EBP-E0]
004016DC |. FF00 |INC DWORD PTR DS:[EAX]
004016DE |.^EB CD \JMP SHORT dumped_3.004016AD
004016E0 |> C785 20FFFFFF >MOV DWORD PTR SS:[EBP-E0],0
004016EA |> 8B85 20FFFFFF /MOV EAX,DWORD PTR SS:[EBP-E0]
004016F0 |. 3B85 08FFFFFF |CMP EAX,DWORD PTR SS:[EBP-F8]
004016F6 |. 7D 43 |JGE SHORT dumped_3.0040173B
004016F8 |. 8B95 14FFFFFF |MOV EDX,DWORD PTR SS:[EBP-EC]
004016FE |. 89D0 |MOV EAX,EDX
00401700 |. C1E0 03 |SHL EAX,3
00401703 |. 01D0 |ADD EAX,EDX
00401705 |. C1E0 02 |SHL EAX,2
00401708 |. 29D0 |SUB EAX,EDX
0040170A |. 89C1 |MOV ECX,EAX
0040170C |. 338D 18FFFFFF |XOR ECX,DWORD PTR SS:[EBP-E8]
00401712 |. 8B95 1CFFFFFF |MOV EDX,DWORD PTR SS:[EBP-E4]
00401718 |. 89D0 |MOV EAX,EDX
0040171A |. C1E0 02 |SHL EAX,2
0040171D |. 01D0 |ADD EAX,EDX
0040171F |. 8D1485 0000000>|LEA EDX,DWORD PTR DS:[EAX*4]
00401726 |. 01D0 |ADD EAX,EDX
00401728 |. 8D0401 |LEA EAX,DWORD PTR DS:[ECX+EAX]
0040172B |. 8985 10FFFFFF |MOV DWORD PTR SS:[EBP-F0],EAX
00401731 |. 8D85 20FFFFFF |LEA EAX,DWORD PTR SS:[EBP-E0]
00401737 |. FF00 |INC DWORD PTR DS:[EAX]
00401739 |.^EB AF \JMP SHORT dumped_3.004016EA
0040173B |> C785 20FFFFFF >MOV DWORD PTR SS:[EBP-E0],0
00401745 |> 8B85 20FFFFFF /MOV EAX,DWORD PTR SS:[EBP-E0]
0040174B |. 3B85 08FFFFFF |CMP EAX,DWORD PTR SS:[EBP-F8]
00401751 |. 7D 2D |JGE SHORT dumped_3.00401780
00401753 |. 8B85 14FFFFFF |MOV EAX,DWORD PTR SS:[EBP-EC]
00401759 |. 8B95 10FFFFFF |MOV EDX,DWORD PTR SS:[EBP-F0]
0040175F |. 31C2 |XOR EDX,EAX
00401761 |. 89D0 |MOV EAX,EDX
00401763 |. 01C0 |ADD EAX,EAX
00401765 |. 01D0 |ADD EAX,EDX
00401767 |. 89C2 |MOV EDX,EAX
00401769 |. C1E2 04 |SHL EDX,4
0040176C |. 29C2 |SUB EDX,EAX
0040176E |. 89D0 |MOV EAX,EDX
00401770 |. 8985 0CFFFFFF |MOV DWORD PTR SS:[EBP-F4],EAX
00401776 |. 8D85 20FFFFFF |LEA EAX,DWORD PTR SS:[EBP-E0]
0040177C |. FF00 |INC DWORD PTR DS:[EAX]
0040177E |.^EB C5 \JMP SHORT dumped_3.00401745
00401780 |> 8B85 24FFFFFF MOV EAX,DWORD PTR SS:[EBP-DC]
00401786 |. 3B85 0CFFFFFF CMP EAX,DWORD PTR SS:[EBP-F4]
0040178C |. 75 42 JNZ SHORT dumped_3.004017D0
0040178E |. C70424 9420440>MOV DWORD PTR SS:[ESP],dumped_3.00442094 ; ASCII "KeygenMe02 - Full"
00401795 |. E8 260C0100 CALL dumped_3.004123C0
0040179A |. 83EC 04 SUB ESP,4
0040179D |. E8 1E040000 CALL dumped_3.00401BC0
004017A2 |. E8 E9FBFFFF CALL dumped_3.00401390
004017A7 |. C74424 0C 0000>MOV DWORD PTR SS:[ESP+C],0
004017AF |. C74424 08 A620>MOV DWORD PTR SS:[ESP+8],dumped_3.004420>; ASCII "Full version"
004017B7 |. C74424 04 B420>MOV DWORD PTR SS:[ESP+4],dumped_3.004420>; ASCII "Exelente trabajo, gracias por resolverlo."
004017BF |. C70424 0000000>MOV DWORD PTR SS:[ESP],0
004017C6 |. E8 D50B0100 CALL dumped_3.004123A0
004017CB |. 83EC 10 SUB ESP,10
004017CE |. EB 29 JMP SHORT dumped_3.004017F9
ejale,
bueno, hasta ahí para comentar... no tengo ánimos de reparar la IAT de svpk por hoy
saludos Apuromafo
más o menos en mi dumped quedó así
0044A068 7C8392A3 kernel32.AddAtomA
0044A06C 7C838A53 kernel32.Beep
0044A070 7C812B8D kernel32.CreateSemaphoreA
0044A074 7C81CAA2 kernel32.ExitProcess
0044A078 7C872CF4 kernel32.FillConsoleOutputAttribute
0044A07C 7C872CA9 kernel32.FillConsoleOutputCharacterA
0044A080 7C80CB96 kernel32.FindAtomA
0044A084 7C85B093 kernel32.GetAtomNameA
0044A088 7C81B8F3 kernel32.GetConsoleScreenBufferInfo
0044A098 7C80977B kernel32.InterlockedIncrement
0044A09C 7C8724B5 kernel32.ReadConsoleOutputA
0044A0A0 7C80C8C4 kernel32.ReleaseSemaphore
0044A0A4 7C873BD1 kernel32.ScrollConsoleScreenBufferA
0044A0A8 7C873934 kernel32.SetConsoleCursorInfo
0044A0AC 7C8738BA kernel32.SetConsoleCursorPosition
0044A0B0 7C873C19 kernel32.SetConsoleTextAttribute
0044A0B4 7C870711 kernel32.SetConsoleTitleA
0044A0B8 7C809251 ASCII "NTDLL.RtlSetLastWin32Error"
0044A0BC 7C810386 kernel32.SetUnhandledExceptionFilter
0044A0C0 7C802442 kernel32.Sleep
0044A0C4 7C812B0F kernel32.TlsAlloc
0044A0C8 7C813453 kernel32.TlsFree
0044A0CC 7C809750 kernel32.TlsGetValue
0044A0D0 7C809BF5 kernel32.TlsSetValue
0044A0D4 7C802530 kernel32.WaitForSingleObject
0044A0D8 7C8727F5 kernel32.WriteConsoleOutputA
la condicional refiere
7C81B8F3
7C80903D
7C920331
7C812CA9
7C809794
7C80977B
7C8724B5
7C80C8C4
7C873BD1
7C873934
7C8738BA
7C873C19
7C870711
7C809251
7C920340
7C810386
7C802442
7C812B0F
7C813453
7C809750
7C809BF5
7C802530
7C8727F5
77C0EA08
77BFEAA1
77BFF894
77BFFAA3
77C16125
77C00303
77BEEEEB
77C2F97C
77BEF1C5
77BEF1DB
77C0537C
77C05566
77C09EB6
77BFD238
77BE28A0
77BEF2BC
77BFD9BB
77BFE07A
77C2FC80
77BEC561
77BFF0EA
77C04DF8
77C2F988
77BFFBC7
77C16320
77C164BF
77C0FF8A
77C06BB3
77C04E35
77C10AB1
77C0EEF6
77C10B86
77C0F010
77C10E13
77C111FB
77BFC21B
77C113EA
77C1173B
77C10B31
77C06D67
77BFC407
77C16E00
77C16F70
77C172B0
77C175F0
77C10E76
77C03C31
77C11A97
77C04FD4
77C17730
77C177B9
77C16030
77C190CD
77C178A0
77BED4AD
77C17DA7
77C11F23
77D5050B
uff, será largo por si alguien quiere reparar la IAT sin conocer el packer...
desde hace tiempo que no veía un SVK Protector
PD: el stolen OEP se ve así
; Stolen OEP as dumped from the protector stub at 00C50000. The original prologue of 00401220
; (PUSH EBP / MOV EBP,ESP / SUB ESP,8 / MOV [ESP],1 / CALL __set_app_type) is rebuilt through
; push/add/pop juggling around the constant 18E4084E, and control goes back to 00401233 via a
; RETN onto a computed address instead of a visible JMP. Traced by hand: every +18E4084E is
; taken back before 00C50095, and EAX/EBP reach the real prologue unchanged.
00C50000 50 PUSH EAX                        ; EAX and EBP are saved here and restored before 00C50095
00C50001 55 PUSH EBP
00C50002 68 77B8099A PUSH 9A09B877          ; 9A09B877 + 18E4084E = B2EDC0C5, added to the saved EBP below
00C50007 B8 4E08E418 MOV EAX,18E4084E
00C5000C 010424 ADD DWORD PTR SS:[ESP],EAX
00C5000F 58 POP EAX                         ; EAX = B2EDC0C5
00C50010 010424 ADD DWORD PTR SS:[ESP],EAX  ; saved EBP += B2EDC0C5 (undone at 00C5008F)
00C50013 87C9 XCHG ECX,ECX                  ; no-op filler
00C50015 5D POP EBP
00C50016 58 POP EAX                         ; original EAX back
00C50017 81C5 4E08E418 ADD EBP,18E4084E
00C5001D 81C5 4E08E418 ADD EBP,18E4084E
00C50023 55 PUSH EBP
00C50024 50 PUSH EAX
00C50025 B8 4E08E418 MOV EAX,18E4084E
00C5002A 294424 04 SUB DWORD PTR SS:[ESP+4],EAX
00C5002E 58 POP EAX
00C5002F 81ED 4E08E418 SUB EBP,18E4084E
00C50035 89FF MOV EDI,EDI                   ; no-op filler
00C50037 50 PUSH EAX
00C50038 68 00000000 PUSH 0
00C5003D 50 PUSH EAX
00C5003E B8 4E08E418 MOV EAX,18E4084E
00C50043 014424 04 ADD DWORD PTR SS:[ESP+4],EAX
00C50047 58 POP EAX
00C50048 58 POP EAX
00C50049 294424 04 SUB DWORD PTR SS:[ESP+4],EAX
00C5004D 58 POP EAX
00C5004E 81ED 4E08E418 SUB EBP,18E4084E    ; both 18E4084E added at 00C50017/00C5001D are gone by here
00C50054 05 4E08E418 ADD EAX,18E4084E
00C50059 50 PUSH EAX
00C5005A B8 4E08E418 MOV EAX,18E4084E
00C5005F 290424 SUB DWORD PTR SS:[ESP],EAX  ; pushed value is the original EAX again
00C50062 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00C50065 68 77B8099A PUSH 9A09B877          ; second B2EDC0C5 build-up, used at 00C5008A to cancel the first
00C5006A 05 4E08E418 ADD EAX,18E4084E
00C5006F 50 PUSH EAX
00C50070 B8 4E08E418 MOV EAX,18E4084E
00C50075 87C9 XCHG ECX,ECX                  ; no-op filler
00C50077 290424 SUB DWORD PTR SS:[ESP],EAX
00C5007A 89E4 MOV ESP,ESP                   ; no-op filler
00C5007C 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00C5007F B8 4E08E418 MOV EAX,18E4084E
00C50084 014424 04 ADD DWORD PTR SS:[ESP+4],EAX
00C50088 58 POP EAX
00C50089 58 POP EAX                         ; EAX = B2EDC0C5
00C5008A 294424 04 SUB DWORD PTR SS:[ESP+4],EAX ; saved EBP slot is back to its entry value
00C5008E 58 POP EAX                         ; original EAX back
00C5008F 81ED C5C0EDB2 SUB EBP,B2EDC0C5     ; EBP back to its entry value; the stack now holds one saved EBP, i.e. a plain PUSH EBP
00C50095 8BEC MOV EBP,ESP                   ; from here the prologue of the original OEP 00401220 is replayed
00C50097 83EC 08 SUB ESP,8
00C5009A C70424 01000000 MOV DWORD PTR SS:[ESP],1
00C500A1 FF15 90A24400 CALL DWORD PTR DS:[44A290] ; msvcrt.__set_app_type
00C500A7 68 970178CE PUSH CE780197          ; CE780197 + 2*18E4084E == 00401233 (mod 2^32): the return target assembled below
00C500AC 50 PUSH EAX
00C500AD B8 4E08E418 MOV EAX,18E4084E
00C500B2 014424 04 ADD DWORD PTR SS:[ESP+4],EAX ; first +18E4084E on the target slot
00C500B6 58 POP EAX
00C500B7 50 PUSH EAX
00C500B8 68 00000000 PUSH 0
00C500BD 50 PUSH EAX
00C500BE 89C9 MOV ECX,ECX                   ; no-op filler
00C500C0 B8 4E08E418 MOV EAX,18E4084E
00C500C5 014424 04 ADD DWORD PTR SS:[ESP+4],EAX
00C500C9 58 POP EAX
00C500CA 89ED MOV EBP,EBP                   ; no-op filler
00C500CC 58 POP EAX                         ; EAX = 18E4084E
00C500CD 014424 04 ADD DWORD PTR SS:[ESP+4],EAX ; second +18E4084E: slot now reads 00401233
00C500D1 58 POP EAX                         ; __set_app_type return value restored in EAX
00C500D2 C3 RETN                            ; pops 00401233 -> resumes at the CALL 00401100 of the original OEP
al desofuscar queda así
; Same stub with the push/add/pop pairs collapsed into single ADD/SUB instructions. The block
; 00C50000..00C50049 still reduces to a plain PUSH EBP; the prologue and __set_app_type call
; follow, and the RETN onto a computed address becomes a direct JMP to 00401233.
00C50000 50 PUSH EAX
00C50001 55 PUSH EBP
00C50002 812C24 3B3F124D SUB DWORD PTR SS:[ESP],4D123F3B ; == ADD B2EDC0C5 (mod 2^32), i.e. 9A09B877 + 18E4084E
00C50009 5D POP EBP
00C5000A 58 POP EAX
00C5000B 81C5 9C10C831 ADD EBP,31C8109C     ; == 2 * 18E4084E
00C50011 55 PUSH EBP
00C50012 812C24 9C10C831 SUB DWORD PTR SS:[ESP],31C8109C ; saved EBP slot back to entry value + B2EDC0C5
00C50019 05 4E08E418 ADD EAX,18E4084E
00C5001E 50 PUSH EAX
00C5001F 812C24 4E08E418 SUB DWORD PTR SS:[ESP],18E4084E ; pushed value is the original EAX
00C50026 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00C50029 68 77B8099A PUSH 9A09B877
00C5002E 05 4E08E418 ADD EAX,18E4084E
00C50033 50 PUSH EAX
00C50034 812C24 4E08E418 SUB DWORD PTR SS:[ESP],18E4084E
00C5003B 814424 04 4E08E4>ADD DWORD PTR SS:[ESP+4],18E4084E ; 9A09B877 + 18E4084E = B2EDC0C5
00C50043 58 POP EAX
00C50044 58 POP EAX                         ; EAX = B2EDC0C5
00C50045 294424 04 SUB DWORD PTR SS:[ESP+4],EAX ; cancels the B2EDC0C5 added at 00C50002
00C50049 58 POP EAX                         ; original EAX restored; stack holds the single saved EBP
00C5004A 8BEC MOV EBP,ESP                   ; replay of the original OEP prologue (00401220)
00C5004C 83EC 04 SUB ESP,4                  ; SUB ESP,4 + PUSH 1 leaves the same stack as SUB ESP,8 + MOV [ESP],1
00C5004F 6A 01 PUSH 1
00C50051 FF15 90A24400 CALL DWORD PTR DS:[44A290] ; msvcrt.__set_app_type
00C50057 -E9 D7117BFF JMP KeygenMe.00401233 ; back into the original code at the CALL 00401100
pero en versión mini podría ser así
; Minimal replacement for the stolen bytes: the prologue of the original OEP 00401220, the
; __set_app_type call, and a jump back to 00401233 (the CALL 00401100 that follows it).
00C50001 55 PUSH EBP
00C50002 8BEC MOV EBP,ESP
00C50004 83EC 04 SUB ESP,4                  ; SUB ESP,4 + PUSH 1 matches the stack layout of SUB ESP,8 + MOV [ESP],1 at the OEP
00C50007 6A 01 PUSH 1
00C50009 FF15 90A24400 CALL DWORD PTR DS:[44A290] ; msvcrt.__set_app_type
00C5000F -E9 1F127BFF JMP KeygenMe.00401233 ; displacement differs from the 00C50057 JMP because the instruction address differs; same target