怎么为脱壳后的程序再加上壳???
aspack |
[注意]今天电脑中了这个毒!加的未知壳!
比较忙，简单看了一下，主 exe 无壳。exe 运行后释放隐藏在资源中的木马 DLL，加载该 DLL 使其运作。从下面的反汇编看，流程是：从资源中把 DLL 释放到磁盘 → LoadLibraryA 加载 → GetProcAddress 取得 InstallServerEx → 调用它 → FreeLibrary 后 ExitProcess。

.RIF1:00401230 ; =============== S U B R O U T I N E ?=====================================
.RIF1:00401230
.RIF1:00401230
.RIF1:00401230 public start
.RIF1:00401230 start proc near
.RIF1:00401230
.RIF1:00401230 LibFileName= byte ptr -108h
.RIF1:00401230
.RIF1:00401230 sub esp, 108h
.RIF1:00401236 lea eax, [esp+108h+LibFileName]
.RIF1:0040123A push esi
.RIF1:0040123B push eax
.RIF1:0040123C call sub_401360 //释放藏在资源中的winhtm.dll
.RIF1:0040123C
.RIF1:00401241 add esp, 4
.RIF1:00401244 test eax, eax
.RIF1:00401246 jz short loc_40127A
.RIF1:00401246
.RIF1:00401248 lea ecx, [esp+10Ch+LibFileName]
.RIF1:0040124C push ecx ; lpLibFileName
.RIF1:0040124D call LoadLibraryA //载入木马DLL(winhtm.dll)
.RIF1:0040124D
.RIF1:00401253 mov esi, eax
.RIF1:00401255 test esi, esi
.RIF1:00401257 jz short loc_40127A
.RIF1:00401257
.RIF1:00401259 push offset ProcName ; "InstallServerEx"
.RIF1:0040125E push esi ; hModule
.RIF1:0040125F call GetProcAddress //获取木马DLL的InstallServerEx导出函数地址
.RIF1:0040125F
.RIF1:00401265 test eax, eax
.RIF1:00401267 jz short loc_401273
.RIF1:00401267
.RIF1:00401269 lea edx, [esp+10Ch+LibFileName]
.RIF1:0040126D push edx
.RIF1:0040126E call eax //Call InstallServerEx 木马开始工作 //木马如何运作,自己去分析winhtm.dll
.RIF1:0040126E
.RIF1:00401270 add esp, 4
.RIF1:00401273
.RIF1:00401273 loc_401273: ; CODE XREF: start+37j
.RIF1:00401273 push esi ; hLibModule
.RIF1:00401274 call FreeLibrary //安装木马后就可以释放winhtm.dll
.RIF1:00401274
.RIF1:0040127A
.RIF1:0040127A loc_40127A: ; CODE XREF: start+16j
.RIF1:0040127A ; start+27j
.RIF1:0040127A push 0 ; uExitCode
.RIF1:0040127C call ExitProcess //Game Over
.RIF1:0040127C
.RIF1:00401282 xor eax, eax
.RIF1:00401284 pop esi
.RIF1:00401285 add esp, 108h
.RIF1:0040128B retn 10h
.RIF1:0040128B
.RIF1:0040128B start endp

你可以用 16 进制编辑工具打开此文件，偏移 00002000 处就是捆绑的 winhtm.dll：

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00002000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ?........?..
00002010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ?......@.......
00002020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002030 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 ............?..
00002040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ..?.???L?Th
00002050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
00002060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
00002070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......

释放 DLL 的调用位于 sub_401360 中：

.RIF1:0040143C lea ecx, [esp+220h+FileName]
.RIF1:00401440 push ecx ; lpFileName
.RIF1:00401441 call sub_401290

.RIF1:00401290 ; =============== S U B R O U T I N E ?=====================================
.RIF1:00401290
.RIF1:00401290
.RIF1:00401290 ; int __cdecl sub_401290(LPCSTR lpFileName)
.RIF1:00401290 sub_401290 proc near ; CODE XREF: sub_401360+E1p
.RIF1:00401290
.RIF1:00401290 NumberOfBytesWritten= dword ptr -4
.RIF1:00401290 lpFileName= dword ptr 4
.RIF1:00401290
.RIF1:00401290 push ecx
.RIF1:00401291 push ebx
.RIF1:00401292 push ebp
.RIF1:00401293 push esi
.RIF1:00401294 push edi
.RIF1:00401295 mov edi, GetModuleHandleA
.RIF1:0040129B push 100h ; lpType
.RIF1:004012A0 push 64h ; lpName
.RIF1:004012A2 push 0 ; lpModuleName
.RIF1:004012A4 call edi ; GetModuleHandleA
.RIF1:004012A4
.RIF1:004012A6 push eax ; hModule
.RIF1:004012A7 call FindResourceA
.RIF1:004012A7
.RIF1:004012AD mov esi, eax
.RIF1:004012AF push esi ; hResInfo
.RIF1:004012B0 push 0 ; lpModuleName
.RIF1:004012B2 call edi ; GetModuleHandleA
.RIF1:004012B2
.RIF1:004012B4 push eax ; hModule
.RIF1:004012B5 call LoadResource //资源载入内存00402000处
.RIF1:004012B5
.RIF1:004012BB test esi, esi
.RIF1:004012BD mov ebp, eax
.RIF1:004012BF jnz short loc_4012C9
.RIF1:004012BF
.RIF1:004012C1 pop edi
.RIF1:004012C2 pop esi
.RIF1:004012C3 pop ebp
.RIF1:004012C4 xor eax, eax
.RIF1:004012C6 pop ebx
.RIF1:004012C7 pop ecx
.RIF1:004012C8 retn
.RIF1:004012C8
.RIF1:004012DE ; ---------------------------------------------------------------------------
.RIF1:004012DE
.RIF1:004012DE loc_4012DE: ; CODE XREF: sub_401290+44j
.RIF1:004012DE push esi ; hResInfo
.RIF1:004012DF push 0 ; lpModuleName
.RIF1:004012E1 call edi ; GetModuleHandleA
.RIF1:004012E1
.RIF1:004012E3 push eax ; hModule
.RIF1:004012E4 call SizeofResource
.RIF1:004012E4
.RIF1:004012EA mov ebp, eax
.RIF1:004012EC mov eax, dword_401000
.RIF1:004012F1 lea edi, [eax+ebx]
.RIF1:004012F4 call sub_4011C0
.RIF1:004012F4
.RIF1:004012F9 mov ecx, [esp+14h+lpFileName]
.RIF1:004012FD push 0 ; hTemplateFile
.RIF1:004012FF push 80h ; dwFlagsAndAttributes
.RIF1:00401304 push 2 ; dwCreationDisposition
.RIF1:00401306 push 0 ; lpSecurityAttributes
.RIF1:00401308 push 0 ; dwShareMode
.RIF1:0040130A push 40000000h ; dwDesiredAccess
.RIF1:0040130F push ecx ; lpFileName
.RIF1:00401310 mov [edi+1C2h], eax
.RIF1:00401316 call CreateFileA //在临时目录下生成和主程序同名的dll文件
.RIF1:00401316
.RIF1:0040131C mov esi, eax
.RIF1:0040131E cmp esi, 0FFFFFFFFh
.RIF1:00401321 jnz short loc_40132B
.RIF1:00401321
.RIF1:00401323 pop edi
.RIF1:00401324 pop esi
.RIF1:00401325 pop ebp
.RIF1:00401326 xor eax, eax
.RIF1:00401328 pop ebx
.RIF1:00401329 pop ecx
.RIF1:0040132A retn
.RIF1:0040132A
.RIF1:0040132B ; ---------------------------------------------------------------------------
.RIF1:0040132B
.RIF1:0040132B loc_40132B: ; CODE XREF: sub_401290+91j
.RIF1:0040132B lea edx, [esp+14h+NumberOfBytesWritten]
.RIF1:0040132F push 0 ; lpOverlapped
.RIF1:00401331 push edx ; lpNumberOfBytesWritten
.RIF1:00401332 push ebp ; nNumberOfBytesToWrite
.RIF1:00401333 push ebx ; lpBuffer
.RIF1:00401334 mov ebx, WriteFile
.RIF1:0040133A push esi ; hFile
.RIF1:0040133B call ebx ; WriteFile
.RIF1:0040133B
.RIF1:0040133D lea eax, [esp+14h+NumberOfBytesWritten]
.RIF1:00401341 push 0 ; lpOverlapped
.RIF1:00401343 push eax ; lpNumberOfBytesWritten
.RIF1:00401344 push 6F4h ; nNumberOfBytesToWrite
.RIF1:00401349 push edi ; lpBuffer
.RIF1:0040134A push esi ; hFile
.RIF1:0040134B call ebx ; WriteFile
.RIF1:0040134B
.RIF1:0040134D push esi ; hObject
.RIF1:0040134E call CloseHandle
.RIF1:0040134E
.RIF1:00401354 pop edi
.RIF1:00401355 pop esi
.RIF1:00401356 pop ebp
.RIF1:00401357 mov eax, 1
.RIF1:0040135C pop ebx
.RIF1:0040135D pop ecx
.RIF1:0040135E retn
.RIF1:0040135E
.RIF1:0040135E sub_401290 endp
[求助]脱PE-PACK时,我的OEP没找对??又有新问题
可以手动定位IAT RVA和Size |
[求助]脱PE-PACK时,我的OEP没找对??又有新问题
先用PE-PACK加壳98记事本练习脱壳 |
Pespin0.3的dump问题
看教程了没有 |
[注意]发2个带壳程序,脱脱看~
SoftDefender 是 SDProtect 以前版本的名称，比如 Ultra Protect 是 ACProtector 以前版本的名称。记得 exetools 有人发布过 SoftDefender.v.1.12.patch.keygen。
telock 1.0 脱壳
这个 tELock 算是修改版，输入表处理方法见 tElock XXX 脱壳；若想使用原来的 IAT，看着修改就行了。

00483713 3A5408 FF cmp dl,byte ptr ds:[eax+ecx-1]
00483717 74 E8 je short 00483701
00483719 3A5408 08 cmp dl,byte ptr ds:[eax+ecx+8]
0048371D 74 E2 je short 00483701
0048371F 3A5408 12 cmp dl,byte ptr ds:[eax+ecx+12]
00483723 74 DC je short 00483701
00483725 3A5408 1D cmp dl,byte ptr ds:[eax+ecx+1D]
00483729 74 D6 je short 00483701
0048372B EB D0 jmp short 004836FD //判断是否是需要加密的DLL
0048372D 0AF6 or dh,dh
0048372F 895424 1C mov dword ptr ss:[esp+1C],edx
00483733 61 popad
00483734 C685 FD2F4000 00 mov byte ptr ss:[ebp+402FFD],0
0048373B 74 24 je short 00483761 //Magic Jump!改为JMP ★

004839B0 8385 4F374000 04 add dword ptr ss:[ebp+40374F],4
004839B7 E9 B5FDFFFF jmp 00483771
004839BC 83C6 14 add esi,14
004839BF 8B95 63374000 mov edx,dword ptr ss:[ebp+403763]
004839C5 E9 1FFCFFFF jmp 004835E9 //循环处理输入表

00483A16 8BBD 5B374000 mov edi,dword ptr ss:[ebp+40375B] //中断在这里输入表处理完毕
00483A1C 85FF test edi,edi
00483A1E EB 03 jmp short 00483A23

修改 Magic Jump 后就能得到所有有效的函数了。

00430E9A 6A 60 push 60 //OEP
00430E9C 68 40DD4500 push 45DD40
00430EA1 E8 4E1E0000 call 00432CF4
00430EA6 BF 94000000 mov edi,94
00430EAB 8BC7 mov eax,edi
00430EAD E8 6EE9FFFF call 0042F820

OEP: 00030E9A IATRVA: 00055000 IATSize: 000006A4
一个雨滴屏幕保护程序简单破解[原创]
可以试试爆破,直接去掉其启动时的注册验证 .text:004029F0 ; =============== S U B R O U T I N E ?===================================== .text:004029F0 .text:004029F0 .text:004029F0 ; int __stdcall sub_4029F0(char *) .text:004029F0 sub_4029F0 proc near ; CODE XREF: sub_402460+1B0p .text:004029F0 .text:004029F0 var_18 = dword ptr -18h .text:004029F0 var_14 = dword ptr -14h .text:004029F0 var_10 = dword ptr -10h .text:004029F0 var_C = dword ptr -0Ch .text:004029F0 var_4 = dword ptr -4 .text:004029F0 arg_0 = dword ptr 4 .text:004029F0 .text:004029F0 push 0FFFFFFFFh .text:004029F2 push offset loc_417F78 .text:004029F7 mov eax, large fs:0 .text:004029FD push eax .text:004029FE mov large fs:0, esp .text:00402A05 sub esp, 0Ch .text:00402A08 push ebx .text:00402A09 push ebp .text:00402A0A push esi .text:00402A0B push edi .text:00402A0C mov eax, [esp+28h+arg_0] .text:00402A10 push eax ; char * .text:00402A11 call _atol .text:00402A11 .text:00402A16 mov ecx, eax .text:00402A18 mov eax, 66666667h .text:00402A1D imul ecx .text:00402A1F sar edx, 2 .text:00402A22 mov eax, edx .text:00402A24 add esp, 4 .text:00402A27 shr eax, 1Fh .text:00402A2A add edx, eax .text:00402A2C lea eax, [edx+edx*4] .text:00402A2F shl eax, 1 .text:00402A31 sub ecx, eax .text:00402A33 mov eax, 66666667h .text:00402A38 mov [esp+28h+var_10], ecx .text:00402A3C mov ecx, edx .text:00402A3E imul ecx .text:00402A40 sar edx, 2 .text:00402A43 mov eax, edx .text:00402A45 shr eax, 1Fh .text:00402A48 add edx, eax .text:00402A4A lea eax, [edx+edx*4] .text:00402A4D shl eax, 1 .text:00402A4F sub ecx, eax .text:00402A51 mov eax, 66666667h .text:00402A56 mov [esp+28h+var_14], ecx .text:00402A5A mov ecx, edx .text:00402A5C imul ecx .text:00402A5E sar edx, 2 .text:00402A61 mov eax, edx .text:00402A63 shr eax, 1Fh .text:00402A66 add edx, eax .text:00402A68 lea eax, [edx+edx*4] .text:00402A6B shl eax, 1 .text:00402A6D sub ecx, eax .text:00402A6F mov eax, 66666667h .text:00402A74 mov ebp, ecx .text:00402A76 mov ecx, edx .text:00402A78 imul ecx 
.text:00402A7A sar edx, 2 .text:00402A7D mov eax, edx .text:00402A7F shr eax, 1Fh .text:00402A82 add edx, eax .text:00402A84 lea eax, [edx+edx*4] .text:00402A87 shl eax, 1 .text:00402A89 sub ecx, eax .text:00402A8B mov eax, 66666667h .text:00402A90 mov [esp+28h+var_18], ecx .text:00402A94 mov ecx, edx .text:00402A96 imul ecx .text:00402A98 sar edx, 2 .text:00402A9B mov eax, edx .text:00402A9D shr eax, 1Fh .text:00402AA0 add edx, eax .text:00402AA2 lea eax, [edx+edx*4] .text:00402AA5 shl eax, 1 .text:00402AA7 sub ecx, eax .text:00402AA9 mov eax, 66666667h .text:00402AAE mov edi, ecx .text:00402AB0 mov ecx, edx .text:00402AB2 imul ecx .text:00402AB4 sar edx, 2 .text:00402AB7 mov eax, edx .text:00402AB9 shr eax, 1Fh .text:00402ABC add edx, eax .text:00402ABE mov esi, edx .text:00402AC0 lea eax, [edx+edx*4] .text:00402AC3 shl eax, 1 .text:00402AC5 sub ecx, eax .text:00402AC7 mov eax, 66666667h .text:00402ACC imul esi .text:00402ACE sar edx, 2 .text:00402AD1 mov ebx, ecx .text:00402AD3 mov ecx, edx .text:00402AD5 shr ecx, 1Fh .text:00402AD8 add edx, ecx .text:00402ADA mov eax, 66666667h .text:00402ADF mov ecx, edx .text:00402AE1 lea edx, [ecx+ecx*4] .text:00402AE4 shl edx, 1 .text:00402AE6 sub esi, edx .text:00402AE8 imul ecx .text:00402AEA sar edx, 2 .text:00402AED mov eax, edx .text:00402AEF shr eax, 1Fh .text:00402AF2 add edx, eax .text:00402AF4 lea edx, [edx+edx*4] .text:00402AF7 shl edx, 1 .text:00402AF9 sub ecx, edx .text:00402AFB lea eax, [ecx+esi] .text:00402AFE cmp eax, 5 .text:00402B01 jz short loc_402B23 .text:00402B01 .text:00402B03 add eax, 0FFFFFFF6h .text:00402B06 cmp eax, 5 .text:00402B09 jz short loc_402B23 .text:00402B09 .text:00402B0B lea ecx, [esp+28h+arg_0] .text:00402B0F mov [esp+28h+var_4], 0FFFFFFFFh .text:00402B17 call sub_41206A .text:00402B17 .text:00402B1C xor al, al .text:00402B1E jmp loc_402BB0 .text:00402B1E .text:00402B23 ; --------------------------------------------------------------------------- .text:00402B23 .text:00402B23 
loc_402B23: ; CODE XREF: sub_4029F0+111j .text:00402B23 ; sub_4029F0+119j .text:00402B23 lea eax, [ebx+edi] .text:00402B26 cmp eax, 7 .text:00402B29 jz short loc_402B48 .text:00402B29 .text:00402B2B add eax, 0FFFFFFF6h .text:00402B2E cmp eax, 7 .text:00402B31 jz short loc_402B48 .text:00402B31 .text:00402B33 lea ecx, [esp+28h+arg_0] .text:00402B37 mov [esp+28h+var_4], 0FFFFFFFFh .text:00402B3F call sub_41206A .text:00402B3F .text:00402B44 xor al, al .text:00402B46 jmp short loc_402BB0 .text:00402B46 .text:00402B48 ; --------------------------------------------------------------------------- .text:00402B48 .text:00402B48 loc_402B48: ; CODE XREF: sub_4029F0+139j .text:00402B48 ; sub_4029F0+141j .text:00402B48 mov eax, [esp+28h+var_18] .text:00402B4C add eax, ebp .text:00402B4E cmp eax, 4 .text:00402B51 jz short loc_402B70 .text:00402B51 .text:00402B53 add eax, 0FFFFFFF6h .text:00402B56 cmp eax, 4 .text:00402B59 jz short loc_402B70 .text:00402B59 .text:00402B5B lea ecx, [esp+28h+arg_0] .text:00402B5F mov [esp+28h+var_4], 0FFFFFFFFh .text:00402B67 call sub_41206A .text:00402B67 .text:00402B6C xor al, al .text:00402B6E jmp short loc_402BB0 .text:00402B6E .text:00402B70 ; --------------------------------------------------------------------------- .text:00402B70 .text:00402B70 loc_402B70: ; CODE XREF: sub_4029F0+161j .text:00402B70 ; sub_4029F0+169j .text:00402B70 mov ecx, [esp+28h+var_14] .text:00402B74 mov edx, [esp+28h+var_10] .text:00402B78 lea eax, [ecx+edx] .text:00402B7B cmp eax, 9 .text:00402B7E jz short loc_402B9D .text:00402B7E .text:00402B80 add eax, 0FFFFFFF6h .text:00402B83 cmp eax, 9 .text:00402B86 jz short loc_402B9D .text:00402B86 .text:00402B88 lea ecx, [esp+28h+arg_0] .text:00402B8C mov [esp+28h+var_4], 0FFFFFFFFh .text:00402B94 call sub_41206A .text:00402B94 .text:00402B99 xor al, al .text:00402B9B jmp short loc_402BB0 .text:00402B9B .text:00402B9D ; --------------------------------------------------------------------------- .text:00402B9D 
.text:00402B9D loc_402B9D: ; CODE XREF: sub_4029F0+18Ej .text:00402B9D ; sub_4029F0+196j .text:00402B9D lea ecx, [esp+28h+arg_0] .text:00402BA1 mov [esp+28h+var_4], 0FFFFFFFFh .text:00402BA9 call sub_41206A .text:00402BA9 .text:00402BAE mov al, 1 .text:00402BB0 .text:00402BB0 loc_402BB0: ; CODE XREF: sub_4029F0+12Ej .text:00402BB0 ; sub_4029F0+156j .text:00402BB0 ; sub_4029F0+17Ej .text:00402BB0 ; sub_4029F0+1ABj .text:00402BB0 mov ecx, [esp+28h+var_C] .text:00402BB4 pop edi .text:00402BB5 pop esi .text:00402BB6 pop ebp .text:00402BB7 pop ebx .text:00402BB8 mov large fs:0, ecx .text:00402BBF add esp, 18h .text:00402BC2 retn 4 .text:00402BC2 .text:00402BC2 sub_4029F0 endp 修改: 00402B01 E9 97000000 jmp 00402B9D |