标 题: 【原创】取巧脱tElock 1.0 (private) -> tE!壳
作 者: swordkok
时 间: 2011-05-16,01:50:00
链 接: http://bbs.pediy.com/showthread.php?p=959225

【文章标题】: 取巧脱tElock 1.0 (private) -> tE!壳
【文章作者】: swordkok
【作者邮箱】:
【软件名称】: REDitorII
【下载地址】: http://u.115.com/file/clcunmn7#
【加壳方式】: tElock 1.0 (private) -> tE!
【保护方式】:
【编写语言】: Delphi??
【使用工具】: OD,IREC,LORDPE
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
PEID插壳，tElock 1.0 (private) -> tE!
OD忽略除了INT3之外的所有异常,IsDebug去掉Od标志
用OD载入，停在

00A7509D >^\E9 5EDFFFFF     jmp REDitorI.00A73000
00A750A2    0000            add byte ptr ds:[eax],al
00A750A4    000B            add byte ptr ds:[ebx],cl
00A750A6    D9BB B6E55067   fstcw word ptr ds:[ebx+0x6750E5B6]

mov ebx,edx
shr ebx,10
mov eax,dword ptr ds:[esi]

00A74558    8BDA            mov ebx,edx
00A7455A    C1EB 10         shr ebx,0x10
00A7455D    8B06            mov eax,dword ptr ds:[esi]
00A7455F    85C0            test eax,eax
00A74561    74 70           je short REDitorI.00A745D3
00A74563    8B4E 04         mov ecx,dword ptr ds:[esi+0x4]
00A74566    83E9 08         sub ecx,0x8
00A74569    D1E9            shr ecx,1
00A7456B    8BBD 63374000   mov edi,dword ptr ss:[ebp+0x403763]
00A74571    03F8            add edi,eax
00A74573    83C6 08         add esi,0x8
00A74576    0FB706          movzx eax,word ptr ds:[esi]
00A74579    C1C8 0C         ror eax,0xC
00A7457C    FEC8            dec al
00A7457E    78 4C           js short REDitorI.00A745CC
00A74580    74 0E           je short REDitorI.00A74590
00A74582    FEC8            dec al
00A74584    74 13           je short REDitorI.00A74599
00A74586    FEC8            dec al
00A74588    74 3C           je short REDitorI.00A745C6
00A7458A    FEC8            dec al
00A7458C    74 14           je short REDitorI.00A745A2
00A7458E    EB 3C           jmp short REDitorI.00A745CC
00A74590    C1E8 14         shr eax,0x14
00A74593    66:011C38       add word ptr ds:[eax+edi],bx
00A74597    EB 33           jmp short REDitorI.00A745CC
00A74599    C1E8 14         shr eax,0x14
00A7459C    66:011438       add word ptr ds:[eax+edi],dx
00A745A0    EB 2A           jmp short REDitorI.00A745CC
00A745A2    52              push edx
00A745A3    C1E8 14         shr eax,0x14
00A745A6    8BD8            mov ebx,eax
00A745A8    C1E0 10         shl eax,0x10
00A745AB    66:8B16         mov dx,word ptr ds:[esi]
00A745AE    66:81E2 FF0F    and dx,0xFFF
00A745B3    66:8BC2         mov ax,dx
00A745B6    5A              pop edx
00A745B7    8D8402 00800000 lea eax,dword ptr ds:[edx+eax+0x8000]
00A745BE    89043B          mov dword ptr ds:[ebx+edi],eax
00A745C1    46              inc esi
00A745C2    46              inc esi
00A745C3    49              dec ecx
00A745C4    EB 06           jmp short REDitorI.00A745CC
00A745C6    C1E8 14         shr eax,0x14
00A745C9    011438          add dword ptr ds:[eax+edi],edx
00A745CC    46              inc esi
00A745CD    46              inc esi
00A745CE    49              dec ecx
00A745CF  ^ 7F A5           jg short REDitorI.00A74576
00A745D1  ^ EB 8A           jmp short REDitorI.00A7455D
00A745D3    8B95 63374000   mov edx,dword ptr ss:[ebp+0x403763]
00A745D9    8BB5 53374000   mov esi,dword ptr ss:[ebp+0x403753]   //IAT地址
00A745DF    85F6            test esi,esi
00A745E1    0F84 2F040000   je REDitorI.00A74A16  //magic jmp

00A74A16    8BBD 5B374000   mov edi,dword ptr ss:[ebp+0x40375B]
00A74A1C    85FF            test edi,edi
00A74A1E    EB 03           jmp short REDitorI.00A74A23
00A74A20    0100            add dword ptr ds:[eax],eax
00A74A22    EB 74           jmp short REDitorI.00A74A98

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)