-
-
[旧帖] [求助]VFP&EXE 9.2版脱壳后如何去程序自校验 0.00雪花
-
发表于: 2011-1-2 01:10
-
在论坛中看到好多的有关VFP&EXE脱壳的文章,自己也试着对VFP&EXE 6.20加密的程序进行了脱壳,发现按大大们说的步骤是可以脱壳的,但是脱壳后IAT的修复难度相当大,特别是对于初学者来说。
最近看到VFP&EXE NC到了9.20的版本,就下载了一个试用版试用了一下,然后用OD载入后试着脱壳了一下,发现可以脱壳,可是脱壳后的程序带有自校验,我就解决不了了,请高手指教一下。
首先查壳,用PEID0.94查,什么也没有发现,深度扫描、核心扫描提示是ASPack 2.x (without poly) -> Alexey Solodovnikov壳:用PEID 0.94小生怕怕版本查壳,发现是yoda's Protector v1.02 (.dll,.ocx) -> Ashkbiz Danehkar (h) *的壳,深度扫描、核心扫描提示是ASPack 2.x (without poly) -> Alexey Solodovnikov壳:
深度扫描、核心扫描发现是ASPack 2.x (without poly) -> Alexey Solodovnikov:
脱壳过程,OD载入,忽略所有异常,隐藏OD:
0056867A > 55 push ebp
0056867B 52 push edx
0056867C 53 push ebx
0056867D 51 push ecx
0056867E 57 push edi
0056867F 56 push esi
00568680 E8 01000000 call vfpexenc.00568686 //这里按F7
如下:
00568686 58 pop eax ; vfpexenc.00568685
00568687 2D 0B104000 sub eax,vfpexenc.0040100B
0056868C 8D90 C1104000 lea edx,dword ptr ds:[eax+4010C1]
00568692 52 push edx
00568693 50 push eax
00568694 8D80 47104000 lea eax,dword ptr ds:[eax+401047]
0056869A 5D pop ebp
0056869B 50 push eax
0056869C 8D85 65104000 lea eax,dword ptr ss:[ebp+401065]
005686A2 50 push eax
005686A3 64:FF35 0000000>push dword ptr fs:[0]
005686AA 64:8925 0000000>mov dword ptr fs:[0],esp//关键在这里,单步到这里后停下
005686B1 CC int3
005686B2 90 nop
005686B3 64:8F05 0000000>pop dword ptr fs:[0]//F2下断,F9运行,再单步
005686BA 83C4 04 add esp,4
005686BD C3 retn//运行到此处返回
如下,单步:
005686C1 8D9D 00104000 lea ebx,dword ptr ss:[ebp+401000]
005686C7 53 push ebx
005686C8 5F pop edi
005686C9 2BFA sub edi,edx
005686CB 57 push edi
005686CC 8A03 mov al,byte ptr ds:[ebx]
005686CE 3007 xor byte ptr ds:[edi],al
005686D0 43 inc ebx
005686D1 47 inc edi
005686D2 ^ E2 F8 loopd short vfpexenc.005686CC
005686D4 58 pop eax
005686D5 5E pop esi
005686D6 5E pop esi
005686D7 5F pop edi
005686D8 59 pop ecx
005686D9 5B pop ebx
005686DA 5A pop edx
005686DB 5D pop ebp
005686DC FFE0 jmp eax//这里按F4,再单步
005686DE C3 retn
00566001 60 pushad//这里是不是眼熟,对了,是ASPACK的壳,可里可以使用ESP定律,单步
00566002 E8 03000000 call vfpexenc.0056600A //hr esp下断,F9运行,到如下位置:
005663B0 /75 08 jnz short vfpexenc.005663BA
005663B2 |B8 01000000 mov eax,1
005663B7 |C2 0C00 retn 0C
005663BA \68 43D54B00 push vfpexenc.004BD543
005663BF C3 retn
单步,到如下地址:
004BD543 60 pushad
004BD544 E8 00000000 call vfpexenc.004BD549
004BD549 5D pop ebp
004BD54A 81ED 06104000 sub ebp,vfpexenc.00401006
004BD550 8D85 56104000 lea eax,dword ptr ss:[ebp+401056]
004BD556 50 push eax
004BD557 64:FF35 0000000>push dword ptr fs:[0]
004BD55E 64:8925 0000000>mov dword ptr fs:[0],esp
004BD565 CC int3
004BD566 90 nop
004BD567 64:8F05 0000000>pop dword ptr fs:[0] //在这里F2下断,F9运行,取消断点
004BD56E 83C4 04 add esp,4
004BD571 74 05 je short vfpexenc.004BD578
004BD573 75 03 jnz short vfpexenc.004BD578
004BD575 EB 07 jmp short vfpexenc.004BD57E
此时要注意,这里也是一个关键,就是在处理int3和nop。
004BD577 59 pop ecx
004BD578 8D9D 00104000 lea ebx,dword ptr ss:[ebp+401000]
004BD57E 53 push ebx ; vfpexenc.004BD543
004BD57F 5F pop edi
004BD580 2BFA sub edi,edx
004BD582 57 push edi
004BD583 8A03 mov al,byte ptr ds:[ebx]
004BD585 3007 xor byte ptr ds:[edi],al
004BD587 43 inc ebx
004BD588 47 inc edi
004BD589 ^ E2 F8 loopd short vfpexenc.004BD583
004BD58B 58 pop eax
004BD58C 894424 1C mov dword ptr ss:[esp+1C],eax
004BD590 61 popad
004BD591 FFE0 jmp eax //这里按F4,F9,然后单步,直飞光明顶
004BD593 74 60 je short vfpexenc.004BD5F5
004BD358 55 push ebp
004BD359 8BEC mov ebp,esp
004BD35B 83C4 F0 add esp,-10
004BD35E 53 push ebx
004BD35F B8 70D04B00 mov eax,vfpexenc.004BD070
004BD364 E8 1F91F4FF call vfpexenc.00406488
004BD369 8B1D A0FE4B00 mov ebx,dword ptr ds:[4BFEA0] ; vfpexenc.004C1BB0
004BD36F 8B03 mov eax,dword ptr ds:[ebx]
004BD371 E8 CADCF9FF call vfpexenc.0045B040
004BD376 A1 FCFD4B00 mov eax,dword ptr ds:[4BFDFC]
004BD37B 8038 00 cmp byte ptr ds:[eax],0
004BD37E 75 13 jnz short vfpexenc.004BD393
004BD380 E8 00000000 call vfpexenc.004BD385
004BD385 58 pop eax
004BD386 83E8 15 sub eax,15
004BD389 B9 14000000 mov ecx,14
004BD38E 8908 mov dword ptr ds:[eax],ecx
004BD390 40 inc eax
004BD391 ^ E2 FB loopd short vfpexenc.004BD38E
然后下断,直接使用OD的DUMP,保存文件。运行时出现:
此时我就处理不了了,请教高手们如何处理。
第一次发贴,不知道说的是否清楚。
VFP&EXE NC9.2试用下载地址:http://www.czkj.com/xzzip/vfpexenc92.zip
最近看到VFP&EXE NC到了9.20的版本,就下载了一个试用版试用了一下,然后用OD载入后试着脱壳了一下,发现可以脱壳,可是脱壳后的程序带有自校验,我就解决不了了,请高手指教一下。
首先查壳,用PEID0.94查,什么也没有发现,深度扫描、核心扫描提示是ASPack 2.x (without poly) -> Alexey Solodovnikov壳:用PEID 0.94小生怕怕版本查壳,发现是yoda's Protector v1.02 (.dll,.ocx) -> Ashkbiz Danehkar (h) *的壳,深度扫描、核心扫描提示是ASPack 2.x (without poly) -> Alexey Solodovnikov壳:
深度扫描、核心扫描发现是ASPack 2.x (without poly) -> Alexey Solodovnikov:
脱壳过程,OD载入,忽略所有异常,隐藏OD:
0056867A > 55 push ebp
0056867B 52 push edx
0056867C 53 push ebx
0056867D 51 push ecx
0056867E 57 push edi
0056867F 56 push esi
00568680 E8 01000000 call vfpexenc.00568686 //这里按F7
如下:
00568686 58 pop eax ; vfpexenc.00568685
00568687 2D 0B104000 sub eax,vfpexenc.0040100B
0056868C 8D90 C1104000 lea edx,dword ptr ds:[eax+4010C1]
00568692 52 push edx
00568693 50 push eax
00568694 8D80 47104000 lea eax,dword ptr ds:[eax+401047]
0056869A 5D pop ebp
0056869B 50 push eax
0056869C 8D85 65104000 lea eax,dword ptr ss:[ebp+401065]
005686A2 50 push eax
005686A3 64:FF35 0000000>push dword ptr fs:[0]
005686AA 64:8925 0000000>mov dword ptr fs:[0],esp//关键在这里,单步到这里后停下
005686B1 CC int3
005686B2 90 nop
005686B3 64:8F05 0000000>pop dword ptr fs:[0]//F2下断,F9运行,再单步
005686BA 83C4 04 add esp,4
005686BD C3 retn//运行到此处返回
如下,单步:
005686C1 8D9D 00104000 lea ebx,dword ptr ss:[ebp+401000]
005686C7 53 push ebx
005686C8 5F pop edi
005686C9 2BFA sub edi,edx
005686CB 57 push edi
005686CC 8A03 mov al,byte ptr ds:[ebx]
005686CE 3007 xor byte ptr ds:[edi],al
005686D0 43 inc ebx
005686D1 47 inc edi
005686D2 ^ E2 F8 loopd short vfpexenc.005686CC
005686D4 58 pop eax
005686D5 5E pop esi
005686D6 5E pop esi
005686D7 5F pop edi
005686D8 59 pop ecx
005686D9 5B pop ebx
005686DA 5A pop edx
005686DB 5D pop ebp
005686DC FFE0 jmp eax//这里按F4,再单步
005686DE C3 retn
00566001 60 pushad//这里是不是眼熟,对了,是ASPACK的壳,可里可以使用ESP定律,单步
00566002 E8 03000000 call vfpexenc.0056600A //hr esp下断,F9运行,到如下位置:
005663B0 /75 08 jnz short vfpexenc.005663BA
005663B2 |B8 01000000 mov eax,1
005663B7 |C2 0C00 retn 0C
005663BA \68 43D54B00 push vfpexenc.004BD543
005663BF C3 retn
单步,到如下地址:
004BD543 60 pushad
004BD544 E8 00000000 call vfpexenc.004BD549
004BD549 5D pop ebp
004BD54A 81ED 06104000 sub ebp,vfpexenc.00401006
004BD550 8D85 56104000 lea eax,dword ptr ss:[ebp+401056]
004BD556 50 push eax
004BD557 64:FF35 0000000>push dword ptr fs:[0]
004BD55E 64:8925 0000000>mov dword ptr fs:[0],esp
004BD565 CC int3
004BD566 90 nop
004BD567 64:8F05 0000000>pop dword ptr fs:[0] //在这里F2下断,F9运行,取消断点
004BD56E 83C4 04 add esp,4
004BD571 74 05 je short vfpexenc.004BD578
004BD573 75 03 jnz short vfpexenc.004BD578
004BD575 EB 07 jmp short vfpexenc.004BD57E
此时要注意,这里也是一个关键,就是在处理int3和nop。
004BD577 59 pop ecx
004BD578 8D9D 00104000 lea ebx,dword ptr ss:[ebp+401000]
004BD57E 53 push ebx ; vfpexenc.004BD543
004BD57F 5F pop edi
004BD580 2BFA sub edi,edx
004BD582 57 push edi
004BD583 8A03 mov al,byte ptr ds:[ebx]
004BD585 3007 xor byte ptr ds:[edi],al
004BD587 43 inc ebx
004BD588 47 inc edi
004BD589 ^ E2 F8 loopd short vfpexenc.004BD583
004BD58B 58 pop eax
004BD58C 894424 1C mov dword ptr ss:[esp+1C],eax
004BD590 61 popad
004BD591 FFE0 jmp eax //这里按F4,F9,然后单步,直飞光明顶
004BD593 74 60 je short vfpexenc.004BD5F5
004BD358 55 push ebp
004BD359 8BEC mov ebp,esp
004BD35B 83C4 F0 add esp,-10
004BD35E 53 push ebx
004BD35F B8 70D04B00 mov eax,vfpexenc.004BD070
004BD364 E8 1F91F4FF call vfpexenc.00406488
004BD369 8B1D A0FE4B00 mov ebx,dword ptr ds:[4BFEA0] ; vfpexenc.004C1BB0
004BD36F 8B03 mov eax,dword ptr ds:[ebx]
004BD371 E8 CADCF9FF call vfpexenc.0045B040
004BD376 A1 FCFD4B00 mov eax,dword ptr ds:[4BFDFC]
004BD37B 8038 00 cmp byte ptr ds:[eax],0
004BD37E 75 13 jnz short vfpexenc.004BD393
004BD380 E8 00000000 call vfpexenc.004BD385
004BD385 58 pop eax
004BD386 83E8 15 sub eax,15
004BD389 B9 14000000 mov ecx,14
004BD38E 8908 mov dword ptr ds:[eax],ecx
004BD390 40 inc eax
004BD391 ^ E2 FB loopd short vfpexenc.004BD38E
然后下断,直接使用OD的DUMP,保存文件。运行时出现:
此时我就处理不了了,请教高手们如何处理。
第一次发贴,不知道说的是否清楚。
VFP&EXE NC9.2试用下载地址:http://www.czkj.com/xzzip/vfpexenc92.zip
