Today: unpacking a DLL protected by the HASP SRM dongle packer. The packer detector reports it as HASP HL Protection 1.X -> Aladdin *.

How this packer behaves: once it has unpacked the data section there are two copies of the IAT (the second one still holds the API addresses before they are fully computed). By the time execution reaches the OEP, part of the IAT has been "encrypted": those slots point at protector stubs instead of the real exports. Our goal is to restore the encrypted IAT entries.

Load the DLL in OllyDbg (OD) first.

1: Reach the OEP and record the IAT. Alt+M, set a memory-access breakpoint on the code section, and run until it breaks at the OEP. Open ImportREC, look at the IAT and write it down. Mine:

oep: 10061539   8BFF   mov edi,edi
IAT: 10069000   size=A40   (10069000 ~ 10069A40)

There are many invalid API entries. Copy the listing to a text file (it is reproduced at the end of this post).

Now find the other IAT copy. Restart (Ctrl+F2), set a memory-access breakpoint on the data section, and point the dump window at the start of the IAT. At this moment the IAT is still unencrypted. Set a hardware write breakpoint on 10069410, delete the memory-access breakpoint, and F9. At the break the IAT is intact; this clean table is what we copy over the second, encrypted copy.

How to find the second copy: a slot in the first table matches a slot in the second at a fixed distance. 10069414 corresponds to 1007B0BC, a difference of 11CA8. Cross-check on another slot: 10069034 holds 0007C382 and so does 1007ACDC, again 11CA8 apart. So:

10069000 + 11CA8 = 1007ACA8
second IAT: 1007ACA8 ~ 1007B6E8

With the encrypted copy located, binary-copy the unencrypted data over it in the dump window. Remember to delete the memory-access breakpoint. Where the address 1032763E comes from is explained in step 8; it is the other key point.

2: With the copy done and test eax,eax at 1032763E patched to xor eax,eax, set a breakpoint directly on the OEP and F9. The APIs are now essentially repaired; three remain unresolved.

3: Dump with LordPE.

4: CFF Explorer.exe: remove the packer section. Open Section Headers, delete .protect (header and data), save. Then go to the Rebuilder, click Rebuild, and save.

5: ImportREC.exe: fix the three remaining APIs by hand: GetProcAddress, GetCurrentProcessId, GetCurrentProcess. Save as tssdmfcdll-dumped_.dll. Close OD, LordPE and ImportREC.

6: Fix the DLL relocations. The dump has no usable relocation table, so ReloX rebuilds one by comparing two dumps of the same DLL loaded at different base addresses:
a) Make two copies of the still-packed DLL, "复件1 TssdMfcDLL.dll" and "复件2 TssdMfcDLL.dll" (copy 1 / copy 2), and load both with Dll_LoadEx.exe.
b) LordPE: dump them as 01.dll and 02.dll. Do not close anything yet.
c) ReloX.exe: select four sections, untick the other two, Fix, and save as tssdmfcdll-dumped__.dll.

7: Rename tssdmfcdll-dumped__.dll back to the original name; all tools can be closed now. It loads and runs.

8: How 1032763E was found. At the OEP many IAT slots are encrypted, so the idea is a differential trace: one OllyDbg instance breaks on the write of a slot whose next slot comes out correct, a second instance breaks on the write of a slot whose next slot comes out wrong, and the two traces are compared. Look at the left:

100690F8 7C92FE21 ntdll.RtlGetLastWin32Error
100690FC 7C92FE30 ntdll.RtlSetLastWin32Error
10069100 009F1C90

OD1: hardware write breakpoint on 100690F8, because after it breaks the next slot written (100690FC) receives a real API.
OD2: hardware write breakpoint on 100690FC, because after it breaks the next slot written (10069100) receives a bogus stub, 009F1C90.

With both breakpoints set, copy the unencrypted IAT over the encrypted one (as in step 1) and trace. Tracing both instances forward, the paths separate at the conditional jump that depends on test eax,eax at 1032763E, which is why forcing eax to zero with xor eax,eax in step 2 makes every slot come out right. (Quick demo only; I go straight to 1032763E in the video.) See it? That is the key point.

That's the end of the tutorial, thanks for watching!
Appendix: the resolver code around the key address, and the IAT as seen at the OEP.

Resolver fragment (disassembly from OD). The patch target is 1032763E: 85C0 test eax,eax becomes 33C0 xor eax,eax, the same length, so nothing else moves.

10327624  BA 01000000        mov edx,0x1
10327629  D3E2               shl edx,cl                                ; edx = 1 << cl
1032762B  8B04B5 F83E3310    mov eax,dword ptr ds:[esi*4+0x10333EF8]   ; table entry selected by esi
10327632  66:3BF6            cmp si,si                                 ; junk, also leaves CF=0
10327635  23C2               and eax,edx                               ; isolate bit cl of the entry
10327637  0F82 43B10000      jb TssdMfcD.10332780                      ; CF=0, never taken
1032763D  F8                 clc                                       ; CF=0 again
1032763E  85C0               test eax,eax                              ; <- patch to 33C0 xor eax,eax
10327640  0F82 85B30000      jb TssdMfcD.103329CB                      ; never taken
10327646  ^0F85 9ADCFFFF     jnz TssdMfcD.103252E6                     ; taken when the bit is set; with eax forced to 0 it falls through
1032764C  66:C1EF 40         shr di,0x40                               ; junk
10327650  8D6D 00            lea ebp,dword ptr ss:[ebp]                ; junk
10327653  74 02              je short TssdMfcD.10327657
10327655  091E               or dword ptr ds:[esi],ebx
10327657  68 74F93210        push TssdMfcD.1032F974
1032765C  C3                 retn                                      ; push/retn = jmp 1032F974

IAT at the OEP (slice of 10069000 ~ 10069A40; columns: slot VA, dword, symbol OD could resolve). Slots with no symbol, the 009Fxxxx values, are the encrypted ones that ImportREC shows as invalid; 00000000 terminates each module's block. The two // comments give the matching slots in the second copy (delta 11CA8).

100690CC 77EFB84B gdi32.SetPixel
100690D0 77EFB74C gdi32.GetPixel
100690D4 009F2610
100690D8 77EF6E5F gdi32.DeleteDC
100690DC 00000000
100690E0 7C80AC7E kernel32.FreeLibrary
100690E4 009F1C20
100690E8 009F1C30
100690EC 009F1C40
100690F0 009F1C50
100690F4 009F1C60
100690F8 7C92FE21 ntdll.RtlGetLastWin32Error   //100690F8+11CA8=1007ADA0
100690FC 7C92FE30 ntdll.RtlSetLastWin32Error   //100690FC+11CA8=1007ADA4
10069100 009F1C90
10069104 7C80934A kernel32.GetTickCount
10069108 7C80B475 kernel32.GetModuleFileNameW
1006910C 7C809BE7 kernel32.CloseHandle
10069110 7C8112FF kernel32.WriteFile
10069114 009F1CE0
10069118 009F1CF0
1006911C 009F1D00
10069120 009F1D10
10069124 009F1D20
10069128 009F1D30
1006912C 009F1D40
10069130 7C864CF2 kernel32.UnhandledExceptionFilter
10069134 009F1D60
10069138 009F1D70
1006913C 7C809842 kernel32.InterlockedCompareExchange
10069140 009F1D90
10069144 7C80982E kernel32.InterlockedExchange
10069148 009F1DB0
1006914C 009F1DC0
10069150 7C80BD09 kernel32.SizeofResource
10069154 009F1DE0
10069158 7C80BC6E kernel32.FindResourceW
1006915C 7C80FCFF kernel32.GlobalFree
10069160 009F1E10
10069164 7C80FDFD kernel32.GlobalAlloc
10069168 009F1E30
1006916C 7C80AA36 kernel32.lstrcmpiW
10069170 009F1E50
10069174 009F1E60
10069178 009F1E70
1006917C 7C80BB04 kernel32.lstrcpyW
10069180 009F1E90
10069184 009F1EA0
10069188 7C809AA9 kernel32.lstrlenW
1006918C 00000000
10069190 78485EBB msvcp90.??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
10069194 78487149 msvcp90.??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
10069198 78487286 msvcp90.??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
1006919C 00000000
100691A0 7855AE20 msvcr90.memcpy
100691A4 7859ACF0 msvcr90._CIatan
100691A8 7857DF18 msvcr90._CxxThrowException
100691AC 7859B6B0 msvcr90._CIsqrt
100691B0 7857DB6E msvcr90.__CxxFrameHandler3
100691B4 7859AE30 msvcr90._CIcos
100691B8 7859B5C0 msvcr90._CIsin
100691BC 7855B680 msvcr90.memset
100691C0 7857C733 msvcr90.__clean_type_info_names_internal
100691C4 7857C32F msvcr90.?_type_info_dtor_internal_method@type_info@@QAEXXZ
100691C8 78591850 msvcr90._except_handler4_common
100691CC 78591661 msvcr90._crt_debugger_hook
100691D0 7858D0ED msvcr90.__CppXcptFilter
100691D4 785BC618 offset msvcr90._adjust_fdiv
100691D8 78542157 msvcr90._amsg_exit
100691DC 78542211 msvcr90._initterm_e
100691E0 785421EE msvcr90._initterm
100691E4 785435F9 msvcr90._encoded_null
100691E8 7858374D msvcr90._malloc_crt
100691EC 78543607 msvcr90._decode_pointer
100691F0 7858CE5A msvcr90._onexit
100691F4 78542EFA msvcr90._lock
100691F8 78543582 msvcr90._encode_pointer
100691FC 7858CEB7 msvcr90.__dllonexit
10069200 78542E16 msvcr90._unlock
10069204 7857BE7B msvcr90.?terminate@@YAXXZ
10069208 78578E74 msvcr90._memicmp
1006920C 78550A2A msvcr90.fseek
10069210 785574C0 msvcr90.wcsncmp
10069214 7854FC61 msvcr90.fclose
10069218 78556AE1 msvcr90.strncmp
1006921C 785506A6 msvcr90.fread
10069220 785557BB msvcr90._wfopen
10069224 78594F56 msvcr90.srand
10069228 78552E73 msvcr90.sprintf
1006922C 7855A4AC msvcr90._time64
10069230 785572E8 msvcr90._wcsdup
10069234 78557524 msvcr90.wcsncpy
10069238 78583C40 msvcr90.calloc
1006923C 78583B4E msvcr90.free
10069240 78583D3F msvcr90.malloc
10069244 7855F6F9 msvcr90.wcstoul
10069248 78557887 msvcr90.wcsstr
1006924C 7857BF24 msvcr90.??0exception@std@@QAE@XZ
10069250 7857BF3A msvcr90.??0exception@std@@QAE@ABQBD@Z
10069254 7857C076 msvcr90.??1exception@std@@UAE@XZ
10069258 7857C091 msvcr90.?what@exception@std@@UBEPBDXZ
1006925C 7857BFB4 msvcr90.??0exception@std@@QAE@ABV01@@Z
10069260 7858CCC9 msvcr90._invalid_parameter_noinfo
10069264 78594F6D msvcr90.rand
10069268 785536EB msvcr90.swscanf
1006926C 785600B5 msvcr90._wtof
10069270 78546341 msvcr90._wtol
10069274 7854637A msvcr90._wtoi
10069278 78556A25 msvcr90.memmove_s
1006927C 785569A3 msvcr90.memcpy_s
10069280 78579E36 msvcr90._wcsicmp
10069284 7859AA50 msvcr90._CIacos
10069288 00000000
1006928C 770F4920 oleaut32.VariantClear
10069290 77135576 oleaut32.GetActiveObject
10069294 77156131 oleaut32.OleLoadPicture
10069298 00000000
1006929C 7D5C1040 shell32.SHGetPathFromIDListW
100692A0 009F26A0
100692A4 7D5FB445 shell32.SHGetMalloc
100692A8 7D5BF7D3 shell32.SHGetSpecialFolderLocation
100692AC 009F26D0
100692B0 00000000
100692B4 77D298C8 user32.GetFocus
100692B8 77D29E3D user32.IsWindowVisible
100692BC 77D18A01 user32.DispatchMessageW
100692C0 77D18BF6 user32.TranslateMessage
100692C4 77D2910F user32.GetParent
100692C8 009F1F10
100692CC 77D29E81 user32.EqualRect
100692D0 77D2908E user32.GetClientRect
100692D4 77D2D86B user32.GetDoubleClickTime
100692D8 77D2F704 user32.GetScrollPos
100692DC 009F1F60
100692E0 009F1F70
100692E4 77D2C35E user32.SetCapture
100692E8 77D3E940 user32.DrawFrameControl
100692EC 009F1FA0
100692F0 009F1FB0
100692F4 77D18EAB user32.GetSysColorBrush
100692F8 77D298D5 user32.InflateRect
100692FC 009F1FE0
10069300 009F1FF0
10069304 77D2D1D2 user32.GetDesktopWindow
10069308 77D28FD5 user32.InvalidateRect
1006930C 77D2A5AE user32.EnumWindows
10069310 77D1F967 user32.GetMenuState
10069314 77D4F1C8 user32.GetMenuItemID
10069318 77D6CC6E user32.GetMenuItemRect
1006931C 77D2EF1C user32.GetMenuItemCount
10069320 77D2A042 user32.CopyRect
10069324 77D29719 user32.PtInRect
10069328 77D298FE user32.IsRectEmpty
1006932C 009F20A0
10069330 77D188A6 user32.GetWindowLongW
10069334 77D2977A user32.IsWindowEnabled
10069338 009F20D0
1006933C 77D29B60 user32.ClientToScreen
10069340 77D29766 user32.WindowFromPoint
10069344 77D2E528 user32.SetWindowRgn
10069348 77D18C2E user32.SetTimer
1006934C 009F2120
10069350 77D18C42 user32.KillTimer
10069354 77D297A0 user32.ScreenToClient
10069358 009F2150
1006935C 77D29313 user32.IsWindow
10069360 77D28D20 user32.DefWindowProcW
10069364 009F2180
10069368 77D29CBA user32.SetRectEmpty
1006936C 009F21A0
10069370 77D29011 user32.OffsetRect
10069374 009F21C0
10069378 009F21D0
1006937C 77D29930 user32.SetCursor
10069380 77D19F06 user32.SystemParametersInfoW
10069384 009F2200
10069388 009F2210
1006938C 77D2D312 user32.DestroyIcon
10069390 77D18E78 user32.GetSysColor
10069394 77D2D312 user32.DestroyIcon
10069398 009F2250
1006939C 009F2260
100693A0 77D1C86C user32.CreateIconIndirect
100693A4 77D2D427 user32.GetIconInfo
100693A8 009F2290
100693AC 77D30265 user32.CloseClipboard
100693B0 009F22B0
100693B4 77D30D96 user32.EmptyClipboard
100693B8 009F22D0
100693BC 009F22E0
100693C0 77D2C2E8 user32.GetActiveWindow
100693C4 77D20242 user32.LoadBitmapW
100693C8 009F2310
100693CC 77D2AEAB user32.UpdateWindow
100693D0 77D4FC72 user32.InvertRect
100693D4 77D3D06C user32.DrawIcon
100693D8 77D2E8BC user32.LoadIconW
100693DC 009F2360
100693E0 009F2370
100693E4 77D29944 user32.RedrawWindow
100693E8 00000000
100693EC 020FF9B1 hasp_win.hasp_free
100693F0 020FE36E hasp_win.hasp_login_scope
100693F4 0210566D hasp_win.hasp_logout
100693F8 020C1AB2 hasp_win.hasp_get_rtc
100693FC 020DED86 hasp_win.hasp_hasptime_to_datetime
10069400 020EA166 hasp_win.hasp_encrypt
10069404 020ADB90 hasp_win.hasp_get_info
10069408 020E1BE9 hasp_win.hasp_decrypt
1006940C 00000000
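The memory-level part of the procedure (steps 1 and 2: classify which IAT slots are encrypted, recover the delta to the second copy from a shared slot value, binary-copy the clean table over it, and patch test eax,eax to xor eax,eax) as an added Python example. This is not the original post's tooling and does not touch a live process: it runs offline against a constructed image. The listing lines and the resolver opcode bytes are copied from this page; the Memory class, the FF filler standing in for the not-yet-restored second copy, and every function name are this example's own assumptions. The byte check in patch_test_to_xor is the step worth keeping when you do this in OD: 33 C0 written at a wrong address corrupts code silently.

```python
"""IAT-restore steps from the walkthrough above, modelled on a constructed
in-memory image (added example, not the original post's tooling). The listing
lines are copied from this page; the Memory class, the filler in the second IAT
copy and every function name are this example's own assumptions."""
import re
import struct

# Constructed sample input: a slice of the page's IAT dump, not the full A40.
IAT_LISTING = """\
100690E0 7C80AC7E kernel32.FreeLibrary
100690E4 009F1C20
100690E8 009F1C30
100690EC 009F1C40
100690F0 009F1C50
100690F4 009F1C60
100690F8 7C92FE21 ntdll.RtlGetLastWin32Error //100690F8+11CA8=1007ADA0
100690FC 7C92FE30 ntdll.RtlSetLastWin32Error
10069100 009F1C90
10069104 7C80934A kernel32.GetTickCount
"""
IAT_VA, IAT_SIZE = 0x10069000, 0xA40   # ImportREC at the OEP
PATCH_VA = 0x1032763E                   # test eax,eax in the resolver
# Opcode bytes of the resolver fragment 10327624..1032765C as listed on the page.
RESOLVER_CODE = bytes.fromhex(
    "BA01000000 D3E2 8B04B5F83E3310 663BF6 23C2 0F8243B10000 F8 85C0"
    " 0F8285B30000 0F859ADCFFFF 66C1EF40 8D6D00 7402 091E 6874F93210 C3")
_ENTRY_RE = re.compile(r"^([0-9A-F]{8})\s+([0-9A-F]{8})(?:\s+(\S+))?", re.I)

def parse_iat_listing(text: str) -> list:
    """(slot VA, dword, symbol or None) per OllyDbg dump line; // comments dropped."""
    out = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.split("//", 1)[0].strip())
        if m:
            out.append((int(m[1], 16), int(m[2], 16), m[3]))
    return out

def unresolved_entries(entries) -> list:
    """No module symbol and not a 00000000 terminator: the 009Fxxxx protector stubs."""
    return [(va, val) for va, val, sym in entries if sym is None and val != 0]

class Memory:
    """Sparse image: {base: bytearray} regions addressed by VA."""
    def __init__(self) -> None:
        self.regions: dict[int, bytearray] = {}
    def _locate(self, va: int, n: int) -> tuple[bytearray, int]:
        for base, buf in self.regions.items():
            if base <= va and va + n <= base + len(buf):
                return buf, va - base
        raise ValueError(f"unmapped: {va:08X}+{n:X}")
    def read(self, va: int, n: int) -> bytes:
        buf, off = self._locate(va, n)
        return bytes(buf[off:off + n])
    def write(self, va: int, data: bytes) -> None:
        buf, off = self._locate(va, len(data))
        buf[off:off + len(data)] = data

def build_image(entries, delta: int = 0x11CA8) -> Memory:
    """Clean IAT at 10069000, a second copy `delta` bytes higher still holding
    filler (constructed), plus the resolver code. `delta` is what we recover."""
    mem = Memory()
    mem.regions[IAT_VA] = bytearray(IAT_SIZE + delta)      # 10069000 .. 1007B6E8
    for va, val, _ in entries:
        mem.write(va, struct.pack("<I", val))
        mem.write(va + delta, b"\xFF\xFF\xFF\xFF")         # not yet restored
    for va in (0x10069034, 0x10069034 + delta):           # value both tables share
        mem.write(va, struct.pack("<I", 0x0007C382))
    mem.regions[0x10327624] = bytearray(RESOLVER_CODE)
    return mem

def find_copy_delta(mem: Memory, probe_va: int, region_base: int) -> list:
    """Distance to every other dword-aligned copy of the value at probe_va
    (the page's 10069034 -> 1007ACDC match). Several hits: confirm by hand."""
    probe, buf, deltas = mem.read(probe_va, 4), mem.regions[region_base], []
    off = buf.find(probe)
    while off != -1:
        if region_base + off != probe_va and off % 4 == 0:
            deltas.append(region_base + off - probe_va)
        off = buf.find(probe, off + 1)
    return deltas

def copy_clean_over_encrypted(mem: Memory, delta: int) -> tuple:
    """The 'binary copy' step; returns the range of the second table."""
    mem.write(IAT_VA + delta, mem.read(IAT_VA, IAT_SIZE))
    return IAT_VA + delta, IAT_VA + IAT_SIZE + delta

def patch_test_to_xor(mem: Memory, va: int = PATCH_VA) -> bytes:
    """85 C0 test eax,eax -> 33 C0 xor eax,eax: same length, ZF always set, so
    the jnz at 10327646 never takes the stub path. Refuse to patch anything else."""
    found = mem.read(va, 2)
    if found != b"\x85\xC0":
        raise ValueError(f"{va:08X}: expected 85 C0, found {found.hex().upper()}")
    mem.write(va, b"\x33\xC0")
    return mem.read(va, 2)

def run_restore() -> dict:
    """Steps 1 and 2 end to end on the constructed image."""
    entries = parse_iat_listing(IAT_LISTING)
    mem = build_image(entries)
    delta = find_copy_delta(mem, 0x10069034, IAT_VA)[0]
    second = copy_clean_over_encrypted(mem, delta)
    return {"unresolved": len(unresolved_entries(entries)), "delta": delta,
            "second_copy": second, "patched": patch_test_to_xor(mem),
            "rtl_get_last_error_copy": struct.unpack("<I", mem.read(0x100690F8 + delta, 4))[0]}
```

run_restore() recovers delta 11CA8 from the shared 0007C382 slot, reports the second table as 1007ACA8 ~ 1007B6E8, shows 1007ADA0 holding 7C92FE21 (RtlGetLastWin32Error) after the copy, and returns 33 C0 from the patch; a second call to patch_test_to_xor on the same image raises, which is the behaviour you want from any patch helper. The IAT listing is a ten-slot slice, so the unresolved count is six here, not the full table's figure.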