浅谈 ACProtect V1.09 Pro 的反跟踪And脱壳

ACPr下载：  http://www.ultraprotect.com acpro_up.exe    
软件大小：  1.44 M

【软件简介】：ACProtect is an application that allows you to protect Windows executable files against piracy,using public keys encryption algorithms (RSA) to create and verify the registration keys and unlock some RSA key locked code,it has embedded cryptor against dump and unpacker.it also has many anti debug tricks.  And you can use it to  create  evaluation and trial application versions. with specialized API system, mutual communication between loader and application is also can be achieved.

【作者声明】：初学Crack，只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教！

【调试环境】：WinXP、Ollydbg1.09D修改版、LordPE、ImportREC

—————————————————————————————————  
【过    程】：
      
    

偶的试炼品：用ACProtect V1.09 Pro未注册版加壳的某个小程序。上传在本贴后的附件里。

        
首先郑重申明：偶仅仅是刚开始学习脱壳的菜鸟，错误之处肯定多多，烦请诸位朋友批评、指点！偶洗耳恭听。以下的一点笔记只是偶跟踪这个试炼品所记录的，不适用于ACProtect主程序;其他用ACProtect注册版加壳的程序偶没看过不清楚。

篇名的所谓“梦幻Ollydbg”云云只是仿 123112 脱侠的《妖幻TRW and videofixer的脱壳方法之我之拙见》，因为用偶修改后的Ollydbg可以避开ACProtect的反跟踪，不会被ACProtect自动关闭。有点“哗众取宠”，无他意。

“严重”  感谢 jingulong 老兄三番五次的指点！如果不是老兄的指教偶现在还找不到思路，jingulong 兄真是深藏不露的脱侠！佩服佩服！

由于ACProtect比较新，侦壳工具均不认识。用ACProtect加壳的程序一般会有一个“.perplex”区段，某些程序运行时会在临时文件夹下释放一个perplex.dll文件，如：videofixer.exe；Win XP的释放在Documents and Settings\用户名\Local Settings\Temp下。当然，还是载入调试器跟踪一下关键代码看的清楚点。

—————————————————————————————————
一、反跟踪


ACProtect 的反跟踪比起 幻影 来说可谓是很“照顾”CRACKER了， 作者别生气呀，其实已经做的很好了。
偶简单整理了一下，分作5类，欢迎朋友们补充！  为了分析这点东西，偶大约调试了两周，比较笨啦。  


1、调用CreateFileA 检测诸多CRACK工具。即《加密与解密》上说的“MeltICE”类型


如果发现“违禁”产品则用TerminateProcess杀掉其进程。123112 脱侠已经说的很清楚啦。

0040A46E     56                   push esi
0040A46F     50                   push eax
0040A470     8B85 0D454000        mov eax,dword ptr ss:[ebp+40450D]  
0040A476     8038 CC              cmp byte ptr ds:[eax],0CC
0040A479     74 10                je short 试炼ACP.0040A48B
0040A47B     90                   nop
0040A47C     90                   nop
0040A47D     90                   nop
0040A47E     90                   nop
0040A47F     58                   pop eax
0040A480     FF95 0D454000        call dword ptr ss:[ebp+40450D]   ; kernel32.CreateFileA

0040A609     58                   pop eax
0040A60A     46                   inc esi
0040A60B     803E 00              cmp byte ptr ds:[esi],0
0040A60E     75 FA                jnz short 试炼ACP.0040A60A
0040A610     46                   inc esi
0040A611     803E 00              cmp byte ptr ds:[esi],0
0040A614     0F84 66010000        je 试炼ACP.0040A780
0040A61A     E9 3DFEFFFF          jmp 试炼ACP.0040A45C

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
“上榜”产品：  

0040A6C5  5C 5C 2E 5C 53 49 43 45 00 5C 5C 2E 5C 4E 54 49  \\.\SICE.\\.\NTI
0040A6D5  43 45 00 5C 5C 2E 5C 4E 54 49 43 45 37 38 37 31  CE.\\.\NTICE7871
0040A6E5  00 5C 5C 2E 5C 4E 54 49 43 45 44 30 35 32 00 5C  .\\.\NTICED052.\
0040A6F5  5C 2E 5C 54 52 57 44 45 42 55 47 00 5C 5C 2E 5C  \.\TRWDEBUG.\\.\
0040A705  54 52 57 00 5C 5C 2E 5C 54 52 57 32 30 30 30 00  TRW.\\.\TRW2000.
0040A715  5C 5C 2E 5C 53 55 50 45 52 42 50 4D 00 5C 5C 2E  \\.\SUPERBPM.\\.
0040A725  5C 49 43 45 44 55 4D 50 00 5C 5C 2E 5C 52 45 47  \ICEDUMP.\\.\REG
0040A735  4D 4F 4E 00 5C 5C 2E 5C 46 49 4C 45 4D 4F 4E 00  MON.\\.\FILEMON.
0040A745  5C 5C 2E 5C 52 45 47 56 58 44 00 5C 5C 2E 5C 46  \\.\REGVXD.\\.\F
0040A755  49 4C 45 56 58 44 00 5C 5C 2E 5C 56 4B 45 59 50  ILEVXD.\\.\VKEYP
0040A765  52 4F 44 00 5C 5C 2E 5C 42 57 32 4B 00 5C 5C 2E  ROD.\\.\BW2K.\\.
0040A775  5C 53 49 57 44 45 42 55 47 00 00 60 E8 00 00 00  \SIWDEBUG..`....
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

^O^ ^O^ →对付方法：修改跳转或用TRW娃娃修改版或用Ollydbg或你自己“照顾”好SoftICE。


————————————————————————
2、检测API断点


检测关键API的入口的第1个字节是否为INT 3（0xCC）？是则OVER

00408DF6     53                   push ebx
00408DF7     50                   push eax
00408DF8     52                   push edx
00408DF9     03C5                 add eax,ebp
00408DFB     50                   push eax
00408DFC     53                   push ebx
00408DFD     50                   push eax
00408DFE     8B85 68C24100        mov eax,dword ptr ss:[ebp+41C268]
00408E04     8038 CC              cmp byte ptr ds:[eax],0CC
                                  ====>比较第1个字节是否为CC？是则被设置了BPX断点
00408E07     74 10                je short 试炼ACP.00408E19
00408E09     90                   nop
00408E0A     90                   nop
00408E0B     90                   nop
00408E0C     90                   nop
00408E0D     58                   pop eax
00408E0E     FF95 68C24100        call dword ptr ss:[ebp+41C268]
00408E14     E9 AD000000          jmp 试炼ACP.00408EC6

下面的每1处CALL检测一个关键API，并且其他地方也随处可见这种方式的检测。

0040C091     B8 72434000          mov eax,试炼ACP.00404372
0040C096     BA E1444000          mov edx,试炼ACP.004044E1
0040C09B     E8 56CDFFFF          call 试炼ACP.00408DF6
0040C0A0     B8 7E434000          mov eax,试炼ACP.0040437E
0040C0A5     BA E5444000          mov edx,试炼ACP.004044E5
0040C0AA     E8 47CDFFFF          call 试炼ACP.00408DF6
0040C0AF     B8 89434000          mov eax,试炼ACP.00404389
0040C0B4     BA F9444000          mov edx,试炼ACP.004044F9
0040C0B9     E8 38CDFFFF          call 试炼ACP.00408DF6
0040C0BE     B8 9D434000          mov eax,试炼ACP.0040439D
0040C0C3     BA FD444000          mov edx,试炼ACP.004044FD
0040C0C8     E8 29CDFFFF          call 试炼ACP.00408DF6
0040C0CD     B8 B6434000          mov eax,试炼ACP.004043B6
0040C0D2     BA 01454000          mov edx,试炼ACP.00404501
0040C0D7     E8 1ACDFFFF          call 试炼ACP.00408DF6
0040C0DC     B8 C5434000          mov eax,试炼ACP.004043C5
0040C0E1     BA 05454000          mov edx,试炼ACP.00404505
0040C0E6     E8 0BCDFFFF          call 试炼ACP.00408DF6
0040C0EB     B8 D3434000          mov eax,试炼ACP.004043D3
0040C0F0     BA 09454000          mov edx,试炼ACP.00404509
0040C0F5     E8 FCCCFFFF          call 试炼ACP.00408DF6
0040C0FA     B8 DF434000          mov eax,试炼ACP.004043DF
0040C0FF     BA 0D454000          mov edx,试炼ACP.0040450D
0040C104     E8 EDCCFFFF          call 试炼ACP.00408DF6
0040C109     B8 EB434000          mov eax,试炼ACP.004043EB
0040C10E     BA 11454000          mov edx,试炼ACP.00404511
0040C113     E8 DECCFFFF          call 试炼ACP.00408DF6
0040C118     B8 FC434000          mov eax,试炼ACP.004043FC
0040C11D     BA 29454000          mov edx,试炼ACP.00404529
0040C122     E8 CFCCFFFF          call 试炼ACP.00408DF6
0040C127     B8 0E444000          mov eax,试炼ACP.0040440E
0040C12C     BA 2D454000          mov edx,试炼ACP.0040452D
0040C131     E8 C0CCFFFF          call 试炼ACP.00408DF6
0040C136     B8 1A444000          mov eax,试炼ACP.0040441A
0040C13B     BA 31454000          mov edx,试炼ACP.00404531
0040C140     E8 B1CCFFFF          call 试炼ACP.00408DF6
0040C145     B8 23444000          mov eax,试炼ACP.00404423
0040C14A     BA 35454000          mov edx,试炼ACP.00404535
0040C14F     E8 A2CCFFFF          call 试炼ACP.00408DF6
0040C154     B8 2D444000          mov eax,试炼ACP.0040442D
0040C159     BA 39454000          mov edx,试炼ACP.00404539
0040C15E     E8 93CCFFFF          call 试炼ACP.00408DF6
0040C163     B8 39444000          mov eax,试炼ACP.00404439
0040C168     BA 3D454000          mov edx,试炼ACP.0040453D
0040C16D     E8 84CCFFFF          call 试炼ACP.00408DF6
0040C172     B8 46444000          mov eax,试炼ACP.00404446
0040C177     BA 41454000          mov edx,试炼ACP.00404541
0040C17C     E8 75CCFFFF          call 试炼ACP.00408DF6
0040C181     B8 5F444000          mov eax,试炼ACP.0040445F
0040C186     BA 49454000          mov edx,试炼ACP.00404549
0040C18B     E8 66CCFFFF          call 试炼ACP.00408DF6
0040C190     B8 70444000          mov eax,试炼ACP.00404470
0040C195     BA 4D454000          mov edx,试炼ACP.0040454D
0040C19A     E8 57CCFFFF          call 试炼ACP.00408DF6
0040C19F     B8 81444000          mov eax,试炼ACP.00404481
0040C1A4     BA 51454000          mov edx,试炼ACP.00404551
0040C1A9     E8 48CCFFFF          call 试炼ACP.00408DF6
0040C1AE     B8 81454000          mov eax,试炼ACP.00404581
0040C1B3     BA 7D454000          mov edx,试炼ACP.0040457D
0040C1B8     E8 39CCFFFF          call 试炼ACP.00408DF6
0040C1BD     83BD F1204000 00     cmp dword ptr ss:[ebp+4020F1],0
                                  ====>[ebp+4020F1]应＝0
0040C1C4     74 24                je short 试炼ACP.0040C1EA
   …… …… 省 略 …… ……
0040C396     B8 9D444000          mov eax,试炼ACP.0040449D
0040C39B     BA E9444000          mov edx,试炼ACP.004044E9
0040C3A0     E8 51CAFFFF          call 试炼ACP.00408DF6
0040C3A5     B8 A9444000          mov eax,试炼ACP.004044A9
0040C3AA     BA ED444000          mov edx,试炼ACP.004044ED
0040C3AF     E8 42CAFFFF          call 试炼ACP.00408DF6
0040C3B4     B8 B8444000          mov eax,试炼ACP.004044B8
0040C3B9     BA F1444000          mov edx,试炼ACP.004044F1
0040C3BE     E8 33CAFFFF          call 试炼ACP.00408DF6
0040C3C3     B8 C6444000          mov eax,试炼ACP.004044C6
0040C3C8     BA F5444000          mov edx,试炼ACP.004044F5
0040C3CD     E8 24CAFFFF          call 试炼ACP.00408DF6
0040C3D2     C3                   retn

^O^ ^O^ →对付方法：可下断如   BP GetProcAddress+1  避开第1字节的检测！


————————————————————————
3、调用 IsDebuggerPresent 检测使用 Debug API 跟踪程序的调试器
    
  
0040B88B     FF95 29454000        call dword ptr ss:[ebp+404529]
0040B891     0BC0                 or eax,eax
0040B893     0F84 B4000000        je 试炼ACP.0040B94D

77E52E92     64:A1 18000000       mov eax,dword ptr fs:[18]
77E52E98     8B40 30              mov eax,dword ptr ds:[eax+30]
77E52E9B     0FB640 02            movzx eax,byte ptr ds:[eax+2]
                                  ====>或者把这里的返回值改为：0
77E52E9F     C3                   retn

^O^ ^O^ →对付方法：最方便的直接用Ollydbg的IsDebug插件 去掉调试器标志 即可。


————————————————————————
4、黑名单


0040A100     FF95 01454000        call dword ptr ss:[ebp+404501] ; kernel32.Process32First
   …… …… 省 略 …… ……
0040A14D     47                   inc edi
0040A14E     8BF0                 mov esi,eax
0040A150     E8 01F1FFFF          call 试炼ACP.00409256
                                  ====>里面逐位比较是否有黑名单中的成员：0040928E cmp dh,dl
0040A155     80FE 01              cmp dh,1
0040A158     74 1C                je short 试炼ACP.0040A176
0040A15A     90                   nop
0040A15B     90                   nop
0040A15C     90                   nop
0040A15D     90                   nop
0040A15E     EB D7                jmp short 试炼ACP.0040A137
0040A160     B8 3D424000          mov eax,试炼ACP.0040423D
0040A165     03C5                 add eax,ebp
0040A167     50                   push eax
0040A168     FFB5 39424000        push dword ptr ss:[ebp+404239]
0040A16E     FF95 05454000        call dword ptr ss:[ebp+404505] ; kernel32.Process32Next
0040A174     EB 90                jmp short 试炼ACP.0040A106
                                  ====>循环取进程名

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆