[Help] My own unpacking diary
10. Enter Import REConstructor. Select the program being debugged. Where is the OEP? It's the 00401000 traced above, heh, so fill in OEP = 00001000. Choose IAT AutoSearch and let it find the table by itself. OK, found: RVA=00001FFC Size=0000003C. Click Get Imports to retrieve the import table; no errors at all. One step left: click Fix Dump and select the full dump image saved a moment ago. Success!!!

Fixing a dumped file...
3 (decimal:3) module(s)
B (decimal:11) imported function(s).
*** New section added successfully. RVA:0003D000 SIZE:00001000
Image Import Descriptor size: 3C; Total length: 120
D:\rxjnh\dumped_.exe saved successfully.

Thanks to kanxue for the reminder; I was posting as I went along, sorry about that, fixing it right away. Continuing below.

11. Run the unpacked program... ugh, it logs the current user off by itself. Nasty: a self-check. Looks like more work is needed.

12. Load the unpacked program in OllyICE and think about which API is related to logging off. It's probably ExitWindowsEx; time to brush up on the relevant knowledge. (The following is reposted from Cfanhome.)

On using the ExitWindowsEx function
Everyone knows that ExitWindowsEx can be used to shut down the computer, but NT-kernel systems have strict privilege requirements for shutting down, so ExitWindowsEx cannot simply be called directly. What do we do then? First the AdjustTokenPrivileges function is needed, plus OpenProcessToken, GetCurrentProcess and LookupPrivilegeValue: five related functions in total.

Private Const EWX_LOGOFF = 0
Private Const EWX_SHUTDOWN = 1
Private Const EWX_REBOOT = 2
Private Const EWX_FORCE = 4
Private Const TOKEN_ADJUST_PRIVILEGES = &H20
Private Const TOKEN_QUERY = &H8
Private Const SE_PRIVILEGE_ENABLED = &H2
Private Const ANYSIZE_ARRAY = 1
Private Const VER_PLATFORM_WIN32_NT = 2

' User-defined types must be Private inside a form module
Private Type OSVERSIONINFO
    dwOSVersionInfoSize As Long
    dwMajorVersion As Long
    dwMinorVersion As Long
    dwBuildNumber As Long
    dwPlatformId As Long
    szCSDVersion As String * 128
End Type

Private Type LUID
    LowPart As Long
    HighPart As Long
End Type

Private Type LUID_AND_ATTRIBUTES
    pLuid As LUID
    Attributes As Long
End Type

Private Type TOKEN_PRIVILEGES
    PrivilegeCount As Long
    Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type

Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function OpenProcessToken Lib "advapi32" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
' The exported name is case-sensitive: the alias must be "LookupPrivilegeValueA"
Private Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As LUID) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long
Private Declare Function ExitWindowsEx Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long
Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (ByRef lpVersionInformation As OSVERSIONINFO) As Long

'Detect if the program is running under Windows NT
Public Function IsWinNT() As Boolean
    Dim myOS As OSVERSIONINFO
    myOS.dwOSVersionInfoSize = Len(myOS)
    GetVersionEx myOS
    IsWinNT = (myOS.dwPlatformId = VER_PLATFORM_WIN32_NT)
End Function

'set the shut down privilege for the current application
Private Sub EnableShutDown()
    Dim hProc As Long
    Dim hToken As Long
    Dim mLUID As LUID
    Dim mPriv As TOKEN_PRIVILEGES
    Dim mNewPriv As TOKEN_PRIVILEGES
    Dim mRetLen As Long   ' receives the size AdjustTokenPrivileges needed for PreviousState
    hProc = GetCurrentProcess()
    OpenProcessToken hProc, TOKEN_ADJUST_PRIVILEGES + TOKEN_QUERY, hToken
    LookupPrivilegeValue "", "SeShutdownPrivilege", mLUID
    mPriv.PrivilegeCount = 1
    mPriv.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
    mPriv.Privileges(0).pLuid = mLUID
    ' enable shutdown privilege for the current application
    AdjustTokenPrivileges hToken, False, mPriv, 4 + (12 * mPriv.PrivilegeCount), mNewPriv, mRetLen
End Sub

' Shut Down NT
Public Sub ShutDownNT(Force As Boolean)
    Dim ret As Long
    Dim Flags As Long
    Flags = EWX_SHUTDOWN
    If Force Then Flags = Flags + EWX_FORCE
    If IsWinNT Then EnableShutDown
    ret = ExitWindowsEx(Flags, 0)
End Sub

'Restart NT
Public Sub RebootNT(Force As Boolean)
    Dim ret As Long
    Dim Flags As Long
    Flags = EWX_REBOOT
    If Force Then Flags = Flags + EWX_FORCE
    If IsWinNT Then EnableShutDown
    ret = ExitWindowsEx(Flags, 0)
End Sub

'Log off the current user
Public Sub LogOffNT(Force As Boolean)
    Dim ret As Long
    Dim Flags As Long
    Flags = EWX_LOGOFF
    If Force Then Flags = Flags + EWX_FORCE
    ret = ExitWindowsEx(Flags, 0)
End Sub

Private Sub Command1_Click()
    LogOffNT True
End Sub

Private Sub Command2_Click()
    RebootNT True
End Sub

Private Sub Command3_Click()
    ShutDownNT True
End Sub

Private Sub Form_Load()
    Command1.Caption = "Log Off NT"
    Command2.Caption = "Reboot NT"
    Command3.Caption = "Shutdown NT"
End Sub

This completes shutting down an NT system. But someone will say: I used your code, and every time I still have to press the power switch before the computer actually turns off. What to do? Don't worry; Microsoft has hidden another very important parameter, EWX_POWEROFF = 8 (power off, required on NT systems). Just change ShutDownNT to:

Public Sub ShutDownNT(Force As Boolean)
    Const EWX_POWEROFF = 8
    Dim ret As Long
    Dim Flags As Long
    Flags = EWX_SHUTDOWN + EWX_POWEROFF
    If Force Then Flags = Flags + EWX_FORCE
    If IsWinNT Then EnableShutDown
    ret = ExitWindowsEx(Flags, 0)
End Sub

This way the computer shuts down properly. (Why would Microsoft hide this parameter from us? Really puzzling.)

13. In the command line, enter bp ExitWindowsEx. It breaks here:

77D5A045 > 8BFF mov edi, edi
77D5A047 55 push ebp
77D5A048 8BEC mov ebp, esp
77D5A04A 83EC 18 sub esp, 18
77D5A04D 53 push ebx
77D5A04E 8B5D 08 mov ebx, dword ptr [ebp+8]

The stack looks like this:

0012F8E4 0041A6C2 /CALL 到 ExitWindowsEx 来自 ***.0041A6BD
0012F8E8 00000000 |Options = EWX_LOGOFF
0012F8EC 00000000 \Reserved = 0

Heh, so the automatic logoff comes from ***.0041A6BD. Good, let's go take a look:

0041A696 . E8 FA750000 call 00421C95
0041A69B . 83C4 10 add esp, 10
0041A69E . 33C9 xor ecx, ecx
0041A6A0 > 41 inc ecx
0041A6A1 . 51 push ecx
0041A6A2 . 50 push eax
0041A6A3 . 3BC8 cmp ecx, eax
0041A6A5 . 0F8F 37000000 jg 0041A6E2
0041A6AB . 8965 FC mov dword ptr [ebp-4], esp
0041A6AE . 68 00000000 push 0
0041A6B3 . 68 00000000 push 0
0041A6B8 . B8 00000000 mov eax, 0
0041A6BD . E8 DF750000 call 00421CA1

Hmm, I don't fully understand it, but there is a comparison, heh:

0041A6A3 . 3BC8 cmp ecx, eax
0041A6A5 . 0F8F 37000000 jg 0041A6E2

The culprit is probably right here. jg? Hehe, change it to jmp. Right-click, Copy to executable -> All modifications, save and run it. Heh, finally success. But this is only the beginning: just the unpacking and the self-check are done; the long march has taken only its first step.
[Help] My own unpacking diary
8. Wow, can't make sense of it. Ctrl+A to analyse; any clearer now?

00401000 . E8 06000000 call 0040100B
00401005 . 50 push eax ; /ExitCode
00401006 . E8 BB010000 call 004011C6 ; \ExitProcess
0040100B /$ 55 push ebp
0040100C |. 8BEC mov ebp, esp
0040100E |. 81C4 F0FEFFFF add esp, -110
00401014 |. E9 83000000 jmp 0040109C
00401019 |. 52 75 6E 73 2>ascii "Runs.dll",0
00401022 | 00 db 00
00401023 |. 52 75 6E 73 2>ascii "Runs.dll",0
0040102C | 00 db 00
0040102D |. 47 65 74 4E 6>ascii "GetNewSock",0
00401038 |. 73 6F 66 74 7>ascii "software\Y_GUA",0
00401047 |. 5C 45 5C 49 6>ascii "\E\Install",0
00401052 |. 50 61 74 68 0>ascii "Path",0
00401057 |. 4E 6F 74 20 6>ascii "Not found the ke"
00401067 |. 72 6E 65 6C 2>ascii "rnel library or "
00401077 |. 74 68 65 20 6>ascii "the kernel libra"
00401087 |. 72 79 20 69 7>ascii "ry is invalid!",0
00401096 |. 45 72 72 6F 7>ascii "Error",0
[Help] My own unpacking diary
7. Single-step (F7), tracing to here:

00401000 E8 db E8
00401001 06 db 06
00401002 00 db 00
00401003 00 db 00
00401004 00 db 00
00401005 50 db 50 ; CHAR 'P'
[Help] My own unpacking diary
6. Press F9 to run; it breaks here:

00430FC2 - E9 3900FDFF jmp 00401000
00430FC7 8BB5 67FEFFFF mov esi, dword ptr [ebp-199]
00430FCD 0BF6 or esi, esi
00430FCF 0F84 97000000 je 0043106C
[Help] My own unpacking diary
4. Look at ESP, as follows: =0012FFC0

0012FFC0 0012FFF8
0012FFC4 7C816FD7 RETURN to kernel32.7C816FD7
0012FFC8 7C930738 ntdll.7C930738
0012FFCC FFFFFFFF
0012FFD0 7FFD6000
0012FFD4 8054B6ED
[Help] My own unpacking diary
3. Load ***.exe in OllyICE; it stops at the entry point (the typical NsPack signature):

00430D9D > 9C pushfd
00430D9E 60 pushad
00430D9F E8 00000000 call 00430DA4
00430DA4 B8 FFFFFF0F mov eax, 0FFFFFFF
00430DA9 B9 07000000 mov ecx, 7
00430DAE 5D pop ebp
00430DAF 2BE9 sub ebp, ecx
00430DB1 EB 0B jmp short 00430DBE
[Help] My own unpacking diary
D:\rxjnh\AutoUpdate.exe :: NsPack 1.4 by North Star (Liu Xing Ping) *
D:\rxjnh\Client.dll :: NsPack 1.4 by North Star (Liu Xing Ping) *
D:\rxjnh\Runs.dll :: NsPack 1.4 by North Star (Liu Xing Ping) *
D:\rxjnh\STDLL.DLL :: NsPack 1.4 by North Star (Liu Xing Ping) *
D:\rxjnh\windows.dll :: NsPack 1.4 by North Star (Liu Xing Ping) *
D:\rxjnh\***.EXE :: NsPack 1.4 by North Star (Liu Xing Ping) *

For certain reasons the software name is hidden.
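As an added example (my code, not part of the original posts and not code from NsPack, ImportREC, OllyICE or DiE), here is a small stand-alone PE32 inspector covering two checks from this diary: the entry-point stub from step 3 (pushfd; pushad; call $+5) used as a packer-identification signature, the way a scanner flags NsPack, and the ImportREC result from step 10, verified by converting the OEP VA to the RVA ImportREC asks for and by walking the import directory of the fixed dump the way the loader would. The sample PE it builds is constructed inline and is not one of the files above; all function names here (`parse_pe`, `list_imports`, `entry_looks_like_nspack`, `oep_rva`, `build_sample_pe`) are my own.

```python
import struct

# NsPack prologue from the OllyICE listing above: pushfd; pushad; call $+5
NSPACK_STUB = bytes.fromhex("9C60E800000000")

def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_pe(data):
    """Return (image_base, entry_rva, data_directories, sections) of a PE32 file."""
    u16 = lambda off: struct.unpack_from("<H", data, off)[0]
    u32 = lambda off: struct.unpack_from("<I", data, off)[0]
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = u32(0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = u16(pe + 6), u16(pe + 20)
    opt = pe + 24                      # IMAGE_OPTIONAL_HEADER32 follows the 20-byte COFF header
    if u16(opt) != 0x10B:
        raise ValueError("only PE32 images are handled")
    entry_rva, image_base = u32(opt + 16), u32(opt + 28)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(u32(opt + 92))]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), va, vsize, rawptr, rawsize))
    return image_base, entry_rva, dirs, sections

def rva_to_off(rva, sections):
    """Map an RVA to a file offset via the section table (ImportREC does this internally)."""
    for _, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA %#x lies outside every section" % rva)

def oep_rva(oep_va, data):
    """ImportREC wants the OEP as an RVA: VA 0x401000 minus ImageBase 0x400000 is 0x1000."""
    return oep_va - parse_pe(data)[0]

def entry_looks_like_nspack(data):
    """True when the bytes at AddressOfEntryPoint begin with the NsPack stub."""
    _, entry_rva, _, sections = parse_pe(data)
    off = rva_to_off(entry_rva, sections)
    return data[off:off + len(NSPACK_STUB)] == NSPACK_STUB

def list_imports(data):
    """Walk the import directory -> [(dll, [function, ...]), ...]; an unrepaired dump fails here."""
    _, _, dirs, sections = parse_pe(data)
    imp_rva = dirs[1][0]               # IMAGE_DIRECTORY_ENTRY_IMPORT
    if imp_rva == 0:
        raise ValueError("no import directory")
    off, result = rva_to_off(imp_rva, sections), []
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and ft == 0:  # all-zero descriptor ends the array
            break
        dll, funcs = cstr(data, rva_to_off(name_rva, sections)), []
        thunk = rva_to_off(oft or ft, sections)  # prefer the INT, fall back to the IAT
        while (entry := struct.unpack_from("<I", data, thunk)[0]) != 0:
            if entry & 0x80000000:     # import by ordinal
                funcs.append("ordinal#%d" % (entry & 0xFFFF))
            else:                      # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
                funcs.append(cstr(data, rva_to_off(entry, sections) + 2))
            thunk += 4
        result.append((dll, funcs))
        off += 20
    return result

def build_sample_pe(entry_bytes, dll=b"user32.dll", funcs=(b"ExitWindowsEx", b"MessageBoxA")):
    """Constructed (not real) PE32: one section at RVA 0x1000 holding the entry code and,
    at RVA 0x1200, an import directory naming one DLL and the given functions."""
    sec_rva, raw_ptr, imp = 0x1000, 0x200, 0x200
    sec = bytearray(0x400)
    sec[:len(entry_bytes)] = entry_bytes
    cur = imp + 40                     # one descriptor plus the zero terminator
    name_rva, sec[cur:cur + len(dll) + 1] = sec_rva + cur, dll + b"\0"
    cur += len(dll) + 1
    hints = []
    for f in funcs:
        hints.append(sec_rva + cur)
        sec[cur:cur + len(f) + 3] = b"\0\0" + f + b"\0"
        cur += len(f) + 3
    cur = (cur + 3) & ~3               # thunk array is DWORD aligned
    thunk_rva = sec_rva + cur
    sec[cur:cur + 4 * (len(hints) + 1)] = struct.pack("<%dI" % (len(hints) + 1), *hints, 0)
    sec[imp:imp + 20] = struct.pack("<IIIII", thunk_rva, 0, 0, name_rva, thunk_rva)
    opt = bytearray(struct.pack("<H", 0x10B)).ljust(224, b"\0")
    struct.pack_into("<I", opt, 16, sec_rva)                    # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, raw_ptr)           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, sec_rva + imp, 20)        # import directory RVA/size
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + opt
    hdr += struct.pack("<8sIIIIIIHHI", b".text", len(sec), sec_rva, len(sec), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr.ljust(raw_ptr, b"\0") + sec)
```

Against a real dump, `list_imports(open("dumped_.exe", "rb").read())` should list the 3 modules and 11 functions ImportREC reported; before Fix Dump the same walk usually dies in `rva_to_off`, because the packer's IAT pointers are not RVAs into any section. The seven-byte stub match is deliberately narrow: it is enough to confirm what the listing in step 3 shows, but a scanner such as DiE keys on more than the first instructions, so treat a miss as "not this exact stub", not as "unpacked".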
[Original] Aspr2.XX_unpacker_v1.0
PFPF and Stolen Code are all handled; although some junk code remains, the flaws don't outweigh the merits. Tested: EXE/DLL all handled (2.12 ske), including an EXE with Stolen Code. Test date 02/28/2007 13:50. Thanks to Volx for the selfless work.
[Happy Dragon Boat Festival] DiE 0.57 Chinese-localized version by CxLrb - packer detection tool
There's a junk program and I don't know what it was packed with; I'm holding a 44