Original program: Borland Delphi 7.0
Protector: Themida & WinLicense 2.0.8.0 ~ 2.0.9.0
Toolset: ODbyDYK v1.10 + ODbgScript 1.65 + StrongOD 0.2.6.405
Script: Themida&WinLicenScript_1.91 (hoping for an updated script)
Below are the characteristics of the disguised EP (entry point):
00B47000 M> 83EC 04 sub esp,4
00B47003 50 push eax
00B47004 53 push ebx
00B47005 E8 01000000 call 00B4700B
00B4700A CC int3
00B4700B 58 pop eax
00B4700C 8BD8 mov ebx,eax
00B4700E 40 inc eax
00B4700F 2D 00801800 sub eax,188000 ---->(188000 turns out to be exactly the size of the exports section in the current section)
00B47014 2D 65E36000 sub eax,0060E365
00B47019 05 5AE36000 add eax,0060E35A ---->(the new EP obtained is 9BF000, exactly the address of the exports section)
00B4701E 803B CC cmp byte ptr ds:[ebx],0CC
00B47021 75 19 jnz short 00B4703C
00B47023 C603 00 mov byte ptr ds:[ebx],0
00B47026 BB 00100000 mov ebx,1000 ---->(size of the disguised EP)
00B4702B 68 797F7909 push 9797F79
00B47030 68 0F9D9842 push 42989D0F
00B47035 53 push ebx
00B47036 50 push eax
00B47037 E8 0A000000 call 00B47046
00B4703C 83C0 00 add eax,0
00B4703F 894424 08 mov dword ptr ss:[esp+8],eax
00B47043 5B pop ebx
00B47044 58 pop eax
00B47045 C3 retn
00B47046 55 push ebp
00B47047 8BEC mov ebp,esp
00B47049 60 pushad
00B4704A 8B75 08 mov esi,dword ptr ss:[ebp+8]
00B4704D 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
00B47050 C1E9 02 shr ecx,2
00B47053 8B45 10 mov eax,dword ptr ss:[ebp+10]
00B47056 8B5D 14 mov ebx,dword ptr ss:[ebp+14]
00B47059 EB 08 jmp short 00B47063
00B4705B 3106 xor dword ptr ds:[esi],eax
00B4705D 011E add dword ptr ds:[esi],ebx
00B4705F 83C6 04 add esi,4
00B47062 49 dec ecx
00B47063 0BC9 or ecx,ecx
00B47065 ^ 75 F4 jnz short 00B4705B
00B47067 61 popad
00B47068 C9 leave
00B47069 C2 1000 retn 10
---------------------
After setting a memory breakpoint on that section and running, execution arrives here; dump.
This should be the real EP. Once broken here, an ordinary PEiD can identify the packer as
Themida/WinLicense V1.8.X-V2.X -> Oreans Technologies * Sign.By.fly * 20080131 *
Although the code looks similar, this version should be much newer than that.
009BF000 B8 00000000 mov eax,0
009BF005 60 pushad
009BF006 0BC0 or eax,eax
009BF008 74 68 je short 009BF072
009BF00A E8 00000000 call 009BF00F
009BF00F 58 pop eax
009BF010 05 53000000 add eax,53
009BF015 8038 E9 cmp byte ptr ds:[eax],0E9
009BF018 75 13 jnz short 009BF02D
009BF01A 61 popad
009BF01B EB 45 jmp short 009BF062
009BF01D DB2D D8386A00 fld tbyte ptr ds:[6A38D8]
009BF023 FFFF ??? ; unknown command
009BF025 FFFF ??? ; unknown command
009BF027 FFFF ??? ; unknown command
009BF029 FFFF ??? ; unknown command
009BF02B 3D 40E80000 cmp eax,0E840
009BF030 0000 add byte ptr ds:[eax],al
009BF032 58 pop eax
009BF033 25 00F0FFFF and eax,FFFFF000
009BF038 33FF xor edi,edi
009BF03A 66:BB 195A mov bx,5A19
009BF03E 66:83C3 34 add bx,34
009BF042 66:3918 cmp word ptr ds:[eax],bx
009BF045 75 12 jnz short 009BF059
009BF047 0FB750 3C movzx edx,word ptr ds:[eax+3C]
009BF04B 03D0 add edx,eax
009BF04D BB E9440000 mov ebx,44E9
009BF052 83C3 67 add ebx,67
009BF055 391A cmp dword ptr ds:[edx],ebx
009BF057 74 07 je short 009BF060
009BF059 2D 00100000 sub eax,1000
009BF05E ^ EB DA jmp short 009BF03A
009BF060 8BF8 mov edi,eax
009BF062 B8 14103F00 mov eax,3F1014
009BF067 03C7 add eax,edi
009BF069 B9 59F25B00 mov ecx,005BF259
009BF06E 03CF add ecx,edi
009BF070 EB 0A jmp short 009BF07C
009BF072 B8 14107F00 mov eax,007F1014
009BF077 B9 59F29B00 mov ecx,009BF259
009BF07C 50 push eax
009BF07D 51 push ecx
009BF07E E8 87000000 call 009BF10A
009BF083 E8 00000000 call 009BF088
009BF088 58 pop eax
009BF089 2D 26000000 sub eax,26
009BF08E B9 093B6A00 mov ecx,006A3B09
009BF093 81E9 1C396A00 sub ecx,006A391C
009BF099 8948 01 mov dword ptr ds:[eax+1],ecx
009BF09C C600 E9 mov byte ptr ds:[eax],0E9
009BF09F 61 popad
009BF0A0 E9 AF010000 jmp 009BF254
009BF0A5 04 00 add al,0
009BF0A7 0000 add byte ptr ds:[eax],al
009BF0A9 98 cwde
------------------------------------------
This dumped program runs, but TMD probably performs a file-size self-check (which passes fine in OD with anti-debugging blocked)... That is where the problems appear: sometimes a warning, sometimes a reboot, a shutdown, and so on; TMD presumably has settings for these.