The software to crack this time: ChkEXE v1.16 FreeWare from Hann0 Boeck.

In its 'chkexe.doc' you can read that TR can crack ChkEXE V1.14 and V1.15. Thanks to Hann0 for naming TR! TR will not let Mr. Hann0 down, so V1.16 has to go too. Let's see what is new in it.

--------------------------------------

1. First, let's try it with TR v1.92:

   TR chkexe.exe
   g                  ;just go and see what happens

After a while, TR stops at

   cs:03f8  int 20    ;cd 20

and reports "Program Terminate". But I know the real program has not run yet, so what went wrong? Like author, like software: ChkEXE fooled not only TR but also me. It took me more than ten minutes of looking for a mistake TR had made before I realized that TR made no mistake. Only this 'int 20' does not terminate the program, and you can test it:

   gg                 ;even after 'int 20', run anyway

ChkEXE still runs correctly!

So the improvement TR needs is a way to know that this is not the end of the program. If a program changes the INT 20 vector and then executes 'int 20', TR understands this and traces into the user's handler. But that is not what ChkEXE does: it leaves the vector alone and instead overwrites the first byte of the original INT 20 handler with IRET (opcode CF), so 'int 20' simply returns. TR 1.92 does not understand this.

So, this is TR v1.93!

2. Let's unpack ChkEXE 1.16 with TR v1.93:

   TR chkexe.exe
   getknl
   mkexe

This makes the file MEM.EXE (do not run it). You can run the original chkexe.exe on it to check: MEM.EXE is out of the first shell, CrackStop 1.0(b). The next shell is XPACK 1.67m. Continue:

   TR mem.exe
   exe1
   reload
   goxb
   b1 cf eb fd        ;this is xpack normal end
   T
   T
   wexe1
   exe2
   reload
   goxb
   b1 cf eb fd
   T
   T
   wexe2
   q
   mkexe chkexe.exe   ;must simulate origin file

You can try the new MEM.EXE!
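The check a tracer needs before it trusts an 'int 20' as program termination, as an added example. This is not TR's source and not ChkEXE's code: it is a simulation of real-mode memory (a flat 1 MiB array) with the DOS handler address, the handler bytes and the hooked-vector address all constructed for the demo. It covers both evasions named in section 1: a replaced INT 20 vector (which TR 1.92 already follows) and the ChkEXE 1.16 trick of leaving the vector alone and patching the handler's first byte to IRET (CF).

```c
/* Added example, not part of TR or ChkEXE: how a tracer can decide
 * whether an 'int 20' really terminates the program.
 * Real-mode memory is modelled as a flat 1 MiB array; the DOS INT 20
 * handler address and handler bytes below are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE     0x100000u   /* 1 MiB real-mode address space */
#define IVT_BASE     0x00000u    /* interrupt vector table at 0000:0000 */
#define OPCODE_IRET  0xCF        /* the byte ChkEXE writes over the handler */

typedef struct { uint16_t seg, off; } farptr;

typedef enum {
    INT20_TERMINATES,       /* vector untouched, handler intact: real exit */
    INT20_HOOKED_VECTOR,    /* program installed its own INT 20 handler */
    INT20_PATCHED_HANDLER   /* vector untouched, handler now starts with IRET */
} int20_verdict;

static uint8_t mem[MEM_SIZE];

/* linear address of seg:off, wrapped to the 20-bit address space */
static uint32_t linear(farptr p) {
    return (((uint32_t)p.seg << 4) + p.off) & 0xFFFFFu;
}

static farptr read_vector(uint8_t vec) {
    uint32_t a = IVT_BASE + 4u * vec;
    farptr p;
    p.off = (uint16_t)(mem[a] | (mem[a + 1] << 8));
    p.seg = (uint16_t)(mem[a + 2] | (mem[a + 3] << 8));
    return p;
}

static void write_vector(uint8_t vec, farptr p) {
    uint32_t a = IVT_BASE + 4u * vec;
    mem[a]     = (uint8_t)(p.off & 0xFF); mem[a + 1] = (uint8_t)(p.off >> 8);
    mem[a + 2] = (uint8_t)(p.seg & 0xFF); mem[a + 3] = (uint8_t)(p.seg >> 8);
}

/* The check a tracer must make before reporting "Program Terminate".
 * dos_int20 is the INT 20 vector recorded when tracing started.
 * Linear addresses are compared, not seg:off pairs, because 0070:0100
 * and 0000:0800 name the same handler. */
int20_verdict classify_int20(farptr dos_int20) {
    farptr cur = read_vector(0x20);
    if (linear(cur) != linear(dos_int20))
        return INT20_HOOKED_VECTOR;        /* TR 1.92 already follows this */
    if (mem[linear(cur)] == OPCODE_IRET)
        return INT20_PATCHED_HANDLER;      /* the ChkEXE 1.16 trick */
    return INT20_TERMINATES;
}

/* constructed DOS layout: INT 20 handler at 0070:0100, starting with PUSHF */
static const farptr DOS_INT20 = { 0x0070, 0x0100 };

void setup_clean_dos(void) {
    memset(mem, 0, sizeof mem);
    write_vector(0x20, DOS_INT20);
    mem[linear(DOS_INT20)] = 0x9C;         /* pushf: stands in for real handler code */
}

/* what a packer that replaces the vector does (constructed address) */
void hook_int20_vector(void) {
    farptr mine = { 0x1234, 0x0000 };
    write_vector(0x20, mine);
}

/* what ChkEXE 1.16 does: keep the vector, patch the handler's first byte */
void patch_int20_handler(void) {
    mem[linear(DOS_INT20)] = OPCODE_IRET;
}

int main(void) {
    static const char *names[] = { "terminates", "hooked vector", "patched handler (IRET)" };
    setup_clean_dos();
    printf("clean DOS:       %s\n", names[classify_int20(DOS_INT20)]);
    hook_int20_vector();
    printf("vector hooked:   %s\n", names[classify_int20(DOS_INT20)]);
    setup_clean_dos();
    patch_int20_handler();
    printf("handler patched: %s\n", names[classify_int20(DOS_INT20)]);
    return 0;
}
```

The first-byte test catches exactly the trick the text describes. A packer could instead leave the first byte intact and jump to an IRET a few bytes further in, so a tracer that wants to be robust against the general case should single-step into the handler and treat the 'int 20' as termination only if control never comes back.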