-
-
[原创]PECompact v2.xx秒脱
-
发表于: 2009-11-21 16:49
-
【文章标题】: PECompact v2.xx秒脱
【文章作者】: ミ木葉メ咔咔(Netki1l)
【作者邮箱】: Netki1l[at]126.com
【作者主页】: http://hi.baidu.com/hack8k
【下载地址】: 自己搜索下载
【加壳方式】: PECompact v2.xx
【编写语言】: Delphi/C++
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
本人发现了PECompact v2.4xx 壳的特征码可以直接秒
特征码:
03 CA 68 00 80 00 00 6A 00 57 FF 11 8B C6 5A 5E 5F 59 5B 5D
来到
-----------------------------------------------------------------------------------
0047AB09 0343 08 ADD EAX,DWORD PTR DS:[EBX+8]
0047AB0C 8BF8 MOV EDI,EAX
0047AB0E 52 PUSH EDX
0047AB0F 8BF0 MOV ESI,EAX
0047AB11 8B46 FC MOV EAX,DWORD PTR DS:[ESI-4]
0047AB14 83C0 04 ADD EAX,4
0047AB17 2BF0 SUB ESI,EAX
0047AB19 8956 08 MOV DWORD PTR DS:[ESI+8],EDX
0047AB1C 8B4B 0C MOV ECX,DWORD PTR DS:[EBX+C]
0047AB1F 894E 14 MOV DWORD PTR DS:[ESI+14],ECX
0047AB22 FFD7 CALL EDI
0047AB24 8985 3F130010 MOV DWORD PTR SS:[EBP+1000133F],EAX
0047AB2A 8BF0 MOV ESI,EAX
0047AB2C 8B4B 14 MOV ECX,DWORD PTR DS:[EBX+14]
0047AB2F 5A POP EDX
0047AB30 EB 0C JMP SHORT svchost.0047AB3E
0047AB32 03CA ADD ECX,EDX
0047AB34 68 00800000 PUSH 8000
0047AB39 6A 00 PUSH 0
0047AB3B 57 PUSH EDI
0047AB3C FF11 CALL DWORD PTR DS:[ECX]
0047AB3E 8BC6 MOV EAX,ESI
0047AB40 5A POP EDX
0047AB41 5E POP ESI
0047AB42 5F POP EDI
0047AB43 59 POP ECX
0047AB44 5B POP EBX
0047AB45 5D POP EBP
0047AB46 FFE0 JMP EAX ; <---------[飞向OEP]
OEP:
00458724 55 PUSH EBP ; <-----这里就是OEP了
00458725 8BEC MOV EBP,ESP
00458727 83C4 F0 ADD ESP,-10
0045872A B8 8C714500 MOV EAX,svchost.0045718C
0045872F E8 98DEFAFF CALL svchost.004065CC
00458734 A1 3CAA4500 MOV EAX,DWORD PTR DS:[45AA3C]
00458739 8B00 MOV EAX,DWORD PTR DS:[EAX]
0045873B E8 0CC0FFFF CALL svchost.0045474C
00458740 A1 3CAA4500 MOV EAX,DWORD PTR DS:[45AA3C]
00458745 8B00 MOV EAX,DWORD PTR DS:[EAX]
00458747 C640 5B 00 MOV BYTE PTR DS:[EAX+5B],0
0045874B A1 3CAA4500 MOV EAX,DWORD PTR DS:[45AA3C]
00458750 8B00 MOV EAX,DWORD PTR DS:[EAX]
00458752 B2 01 MOV DL,1
00458754 E8 DBDDFFFF CALL svchost.00456534
00458759 8B0D 5CAB4500 MOV ECX,DWORD PTR DS:[45AB5C] ; svchost.0045FCC8
0045875F A1 3CAA4500 MOV EAX,DWORD PTR DS:[45AA3C]
00458764 8B00 MOV EAX,DWORD PTR DS:[EAX]
00458766 8B15 EC6A4500 MOV EDX,DWORD PTR DS:[456AEC] ; svchost.00456B38
0045876C E8 F3BFFFFF CALL svchost.00454764
00458771 A1 3CAA4500 MOV EAX,DWORD PTR DS:[45AA3C]
00458776 8B00 MOV EAX,DWORD PTR DS:[EAX]
00458778 E8 1FC1FFFF CALL svchost.0045489C
0045877D E8 9EBFFAFF CALL svchost.00404720
-------------------------------------------------------------------------------
DUMP后直接可以运行 不用修复!
教程结束,谢谢观看!
附件中是演示录像!
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2009年11月21日 16:38:38
【文章作者】: ミ木葉メ咔咔(Netki1l)
【作者邮箱】: Netki1l[at]126.com
【作者主页】: http://hi.baidu.com/hack8k
【下载地址】: 自己搜索下载
【加壳方式】: PECompact v2.xx
【编写语言】: Delphi/C++
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
本人发现了PECompact v2.4xx 壳的特征码可以直接秒
特征码:
03 CA 68 00 80 00 00 6A 00 57 FF 11 8B C6 5A 5E 5F 59 5B 5D
来到
-----------------------------------------------------------------------------------
0047AB09 0343 08 ADD EAX,DWORD PTR DS:[EBX+8]
0047AB0C 8BF8 MOV EDI,EAX
0047AB0E 52 PUSH EDX
0047AB0F 8BF0 MOV ESI,EAX
0047AB11 8B46 FC MOV EAX,DWORD PTR DS:[ESI-4]
0047AB14 83C0 04 ADD EAX,4
0047AB17 2BF0 SUB ESI,EAX
0047AB19 8956 08 MOV DWORD PTR DS:[ESI+8],EDX
0047AB1C 8B4B 0C MOV ECX,DWORD PTR DS:[EBX+C]
0047AB1F 894E 14 MOV DWORD PTR DS:[ESI+14],ECX
0047AB22 FFD7 CALL EDI
0047AB24 8985 3F130010 MOV DWORD PTR SS:[EBP+1000133F],EAX
0047AB2A 8BF0 MOV ESI,EAX
0047AB2C 8B4B 14 MOV ECX,DWORD PTR DS:[EBX+14]
0047AB2F 5A POP EDX
0047AB30 EB 0C JMP SHORT svchost.0047AB3E
0047AB32 03CA ADD ECX,EDX
0047AB34 68 00800000 PUSH 8000
0047AB39 6A 00 PUSH 0
0047AB3B 57 PUSH EDI
0047AB3C FF11 CALL DWORD PTR DS:[ECX]
0047AB3E 8BC6 MOV EAX,ESI
0047AB40 5A POP EDX
0047AB41 5E POP ESI
0047AB42 5F POP EDI
0047AB43 59 POP ECX
0047AB44 5B POP EBX
0047AB45 5D POP EBP
0047AB46 FFE0 JMP EAX ; <---------[飞向OEP]
OEP:
00458724 55 PUSH EBP ; <-----这里就是OEP了
00458725 8BEC MOV EBP,ESP
00458727 83C4 F0 ADD ESP,-10
0045872A B8 8C714500 MOV EAX,svchost.0045718C
0045872F E8 98DEFAFF CALL svchost.004065CC
00458734 A1 3CAA4500 MOV EAX,DWORD PTR DS:[45AA3C]
00458739 8B00 MOV EAX,DWORD PTR DS:[EAX]
0045873B E8 0CC0FFFF CALL svchost.0045474C
00458740 A1 3CAA4500 MOV EAX,DWORD PTR DS:[45AA3C]
00458745 8B00 MOV EAX,DWORD PTR DS:[EAX]
00458747 C640 5B 00 MOV BYTE PTR DS:[EAX+5B],0
0045874B A1 3CAA4500 MOV EAX,DWORD PTR DS:[45AA3C]
00458750 8B00 MOV EAX,DWORD PTR DS:[EAX]
00458752 B2 01 MOV DL,1
00458754 E8 DBDDFFFF CALL svchost.00456534
00458759 8B0D 5CAB4500 MOV ECX,DWORD PTR DS:[45AB5C] ; svchost.0045FCC8
0045875F A1 3CAA4500 MOV EAX,DWORD PTR DS:[45AA3C]
00458764 8B00 MOV EAX,DWORD PTR DS:[EAX]
00458766 8B15 EC6A4500 MOV EDX,DWORD PTR DS:[456AEC] ; svchost.00456B38
0045876C E8 F3BFFFFF CALL svchost.00454764
00458771 A1 3CAA4500 MOV EAX,DWORD PTR DS:[45AA3C]
00458776 8B00 MOV EAX,DWORD PTR DS:[EAX]
00458778 E8 1FC1FFFF CALL svchost.0045489C
0045877D E8 9EBFFAFF CALL svchost.00404720
-------------------------------------------------------------------------------
DUMP后直接可以运行 不用修复!
教程结束,谢谢观看!
附件中是演示录像!
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2009年11月21日 16:38:38
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
