[Sharing] On unpacking tElock 1.0 (private) -> tE!

Posted: 2011-5-16 14:23 7664
Title: [Original] A shortcut for unpacking tElock 1.0 (private) -> tE!  Author: swordkok  Time: 2011-05-16,01:50:00  Link: http://bbs.pediy.com/showthread.php?p=959225
//I read this article and studied it a bit,
//tried several OllyDbg builds on this program; the one I ended up using is the 52pojie (吾爱破解) build, which makes debugging this packer convenient.
//I'll just add one point.
After arriving at 0040B848, pay attention to the window in the lower right corner:

0012FF8C 005F0ADF 返回到 REDitorI.005F0ADF 来自 REDitorI.0040B848
0012FF90 0012B970
0012FF94 7FFDE000
0012FF98 00000000
0012FF9C 00000000
0012FFA0 00000000
0012FFA4 00000000

It shows this, so clearly 0040B848 is not the real OEP; we return.
So we follow it to 005F0ADF, scroll up, and find that the procedure starts at 005F0AC4:

005F0AC4 55 push ebp
005F0AC5 8BEC mov ebp, esp
005F0AC7 B9 05000000 mov ecx, 5
005F0ACC 6A 00 push 0
005F0ACE 6A 00 push 0
005F0AD0 49 dec ecx
005F0AD1 ^ 75 F9 jnz short REDitorI.005F0ACC
005F0AD3 53 push ebx
005F0AD4 56 push esi
005F0AD5 B8 38655E00 mov eax, REDitorI.005E6538
005F0ADA E8 69ADE1FF call REDitorI.0040B848 //See it? This is the CALL to 0040B848
005F0ADF 8B1D B0A65F00 mov ebx, dword ptr ds:[5FA6B0] ; REDitorI.006002C0
005F0AE5 33C0 xor eax, eax
005F0AE7 55 push ebp
005F0AE8 68 520D5F00 push REDitorI.005F0D52
005F0AED 64:FF30 push dword ptr fs:[eax]
005F0AF0 64:8920 mov dword ptr fs:[eax], esp
005F0AF3 A1 D4A95F00 mov eax, dword ptr ds:[5FA9D4]
For unpacking tElock 1.0 (private) -> tE! you can refer to the following (I couldn't find a link to the article, so I'm pasting the original text here):
Title: tElock 0.9x-1.0x (private) anti-OllyDbg analysis and unpacking - BadCopyProV3_71_0727 KeyGen
Posted by: fly  Time: 2003-10-14 05:41
Details:
tElock 0.9x-1.0x (private) anti-OllyDbg analysis and unpacking - BadCopyProV3_71_0727 KeyGen
[Author's note]: I'm a beginner at cracking, just interested, with no other purpose. Please correct any mistakes!
[Debugging environment]: WinXP, Ollydbg1.09, PEiD, LordPE, WinHex, PEditor
—————————————————————————————————
[Procedure]:
The BadCopyProV3_71_0727 keygen released by TEAM ECLiPSE should be all over the net; find it yourself.
PEiD 0.9 shows: tElock 0.9x - 1.0x (private). Heh, it must be a modified tElock tuned by the experts.
Not much has changed; what's worth noting is that this thing closes OllyDbg automatically, which earlier tElock versions did not do. Under WinXP OllyDbg can be hidden. Before debugging, configure OllyDbg: open Ollydbg -> Options -> Debugging options -> Exceptions and tick the three options "Ignore memory access violations in KERNEL32", "INT3 breaks" and "Single-step break".
—————————————————————————————————
1. Anti-OllyDbg analysis
Unpack manually with OllyDbg, the usual way: after loading, when the dialog "Compressed code. Do you want to continue analysis?" pops up, click "No".

004390BC E9 3FDFFFFF jmp BadCopyP.00437000 ====> breaks here after loading into OD! F9 to run; the program will break at an exception.
004370A7 F7F3 div ebx ====> 1st exception

If you press Shift+F9 the program just exits, so now let's trace and see. Note: step with F7; the omitted parts have no major jumps.

004370C5 8B4424 04 mov eax,dword ptr ss:[esp+4] ====> set a breakpoint at the second address in the stack window; Shift+F9 breaks here
... (omitted) ...
004370FE EB 60 jmp short BadCopyP.00437160
00437160 C3 retn ====> enters a system DLL; set a breakpoint at the location below and F9 to break there.
00437161 2C 04 sub al,4
... (omitted) ...
00437188 ^ EB F1 jmp short BadCopyP.0043717B
0043718A 8B42 3C mov eax,dword ptr ds:[edx+3C]
... (omitted) ...
004371C4 74 07 je short BadCopyP.004371CD
004371CD 8D7416 FC lea esi,dword ptr ds:[esi+edx-4]
... (omitted) ...
004371DE ^ 7C E6 jl short BadCopyP.004371C6
004371E0 8B06 mov eax,dword ptr ds:[esi]
004371E2 03C2 add eax,edx
004371E4 8138 4C6F6164 cmp dword ptr ds:[eax],64616F4C
004371EA 75 50 jnz short BadCopyP.0043723C
... (omitted) ...
004373F4 8138 47657450 cmp dword ptr ds:[eax],50746547
004373FA ^ 0F85 D8FDFFFF jnz BadCopyP.004371D8
00437400 8178 04 726F6341 cmp dword ptr ds:[eax+4],41636F72
00437407 ^ 0F85 CBFDFFFF jnz BadCopyP.004371D8
0043740D 8178 08 64647265 cmp dword ptr ds:[eax+8],65726464
00437414 ^ 0F85 BEFDFFFF jnz BadCopyP.004371D8
0043741A 68 82080000 push 882
0043741F ^ E9 DFFDFFFF jmp BadCopyP.00437203 ====> F4 down here to get out of the loop!
00437424 58 pop eax
... (omitted) ...
0043744E ^ E2 F0 loopd short BadCopyP.00437440 ====> F4 to exit the LOOP
00437450 60 pushad
00437451 8DBD DA070000 lea edi,dword ptr ss:[ebp+7DA]
00437457 E8 2A000000 call BadCopyP.00437486
00437486 58 pop eax
00437487 83C0 0A add eax,0A
0043748A AB stos dword ptr es:[edi]
0043748B 83C0 F6 add eax,-0A
0043748E 50 push eax
0043748F FF95 95200000 call dword ptr ss:[ebp+2095]
00437495 33D8 xor ebx,eax
00437497 33C3 xor eax,ebx
00437499 33D8 xor ebx,eax
0043749B E8 0C000000 call BadCopyP.004374AC
004374AC 53 push ebx
004374AD FF95 82080000 call dword ptr ss:[ebp+882] ; kernel32.GetProcAddress
004374B3 40 inc eax
004374B4 48 dec eax
004374B5 0F84 32020000 je BadCopyP.004376ED
004374BB AB stos dword ptr es:[edi]
004374BC 8A00 mov al,byte ptr ds:[eax]
004374BE 2C CC sub al,0CC ====> 33-CC=67
004374C0 0F84 27020000 je BadCopyP.004376ED
004374C6 E8 0D000000 call BadCopyP.004374D8
004374D8 53 push ebx
004374D9 FF95 82080000 call dword ptr ss:[ebp+882]
004374DF 40 inc eax
004374E0 48 dec eax
004374E1 0F84 06020000 je BadCopyP.004376ED
004374DE 0040 48 add byte ptr ds:[eax+48],al
004374E1 0F84 06020000 je BadCopyP.004376ED
004374E7 AB stos dword ptr es:[edi]
004374E8 8A00 mov al,byte ptr ds:[eax]
004374EA 2C CC sub al,0CC
004374EC 0F84 FB010000 je BadCopyP.004376ED
004374F2 E8 0E000000 call BadCopyP.00437505
004374F7 47 inc edi
004374F8 65:74 43 je short BadCopyP.0043753E
00437505 53 push ebx
00437506 FF95 82080000 call dword ptr ss:[ebp+882] ; kernel32.GetProcAddress
0043750C 40 inc eax
0043750D 48 dec eax
0043750E 0F84 D9010000 je BadCopyP.004376ED
0043750E /0F84 D9010000 je BadCopyP.004376ED
00437514 |AB stos dword ptr es:[edi]
00437515 |8A00 mov al,byte ptr ds:[eax]
00437517 |2C CC sub al,0CC ====> 6A-CC=9E
00437519 |0F84 CE010000 je BadCopyP.004376ED
0043751F |80BD 1D240000 00 cmp byte ptr ss:[ebp+241D],0
00437526 |75 0C jnz short BadCopyP.00437534
00437528 |AB stos dword ptr es:[edi]
00437529 |AB stos dword ptr es:[edi]
0043752A |AB stos dword ptr es:[edi]
0043752B |AB stos dword ptr es:[edi]
0043752C |AB stos dword ptr es:[edi]
0043752D |AB stos dword ptr es:[edi]
0043752E |AB stos dword ptr es:[edi]
0043752F |E9 20030000 jmp BadCopyP.00437854
00437854 83C7 D4 add edi,-2C
00437857 EB 30 jmp short BadCopyP.00437889
00437889 57 push edi
0043788A E8 58000000 call BadCopyP.004378E7
004378E7 FF57 04 call dword ptr ds:[edi+4] ; user32.EnumWindows ====> F7 to step into
77D17627 33C0 xor eax,eax
77D17629 50 push eax
77D1762A 50 push eax
77D1762B FF7424 10 push dword ptr ss:[esp+10]
77D1762F FF7424 10 push dword ptr ss:[esp+10]
77D17633 50 push eax
77D17634 50 push eax
77D17635 E8 BAFEFFFF call user32.77D174F4
77D174F4 55 push ebp
77D174F5 8BEC mov ebp,esp
77D174F7 51 push ecx
77D174F8 57 push edi
77D174F9 8D45 1C lea eax,dword ptr ss:[ebp+1C]
77D174FC 50 push eax
77D174FD FF75 18 push dword ptr ss:[ebp+18]
77D17500 C745 FC 01000000 mov dword ptr ss:[ebp-4],1
77D17507 FF75 1C push dword ptr ss:[ebp+1C]
77D1750A FF75 0C push dword ptr ss:[ebp+C]
77D1750D FF75 08 push dword ptr ss:[ebp+8]
77D17510 E8 24000000 call user32.77D17539
77D17515 8BF8 mov edi,eax
77D17517 83FF FF cmp edi,-1
77D1751A 0F84 43710300 je user32.77D4E663
77D17520 53 push ebx
77D17521 33DB xor ebx,ebx
77D17523 3BFB cmp edi,ebx
77D17525 0F85 F2000000 jnz user32.77D1761D
77D1761D 3BFB cmp edi,ebx
77D1761F 56 push esi
77D17620 8B75 1C mov esi,dword ptr ss:[ebp+1C]
77D17623 ^ 76 D5 jbe short user32.77D175FA
77D17625 ^ EB B1 jmp short user32.77D175D8
77D175D8 8B0E mov ecx,dword ptr ds:[esi]
77D175DA E8 71C5FFFF call user32.77D13B50
77D175DF 85C0 test eax,eax
77D175E1 74 0F je short user32.77D175F2
77D175E3 FF75 14 push dword ptr ss:[ebp+14]
77D175E6 FF36 push dword ptr ds:[esi]
77D175E8 FF55 10 call dword ptr ss:[ebp+10] ====> Note: the check happens in here!
77D175EB 85C0 test eax,eax
77D175ED 8945 FC mov dword ptr ss:[ebp-4],eax
77D175F0 74 08 je short user32.77D175FA
77D175F2 83C6 04 add esi,4
77D175F5 43 inc ebx
77D175F6 3BDF cmp ebx,edi
77D175F8 ^ 72 DE jb short user32.77D175D8 ====> loops, comparing against the current process!
————————————————————————
Enter: 77D175E8 call dword ptr ss:[ebp+10]

0043788F C8 000000 enter 0,0
00437893 57 push edi
00437894 8B7D 0C mov edi,dword ptr ss:[ebp+C]
00437897 6A 20 push 20
00437899 FF37 push dword ptr ds:[edi]
0043789B FF75 08 push dword ptr ss:[ebp+8]
0043789E FF57 0C call dword ptr ds:[edi+C] ; user32.GetClassNameA ====> GetClassNameA gets the class name of the current window
004378A1 8B07 mov eax,dword ptr ds:[edi]
004378A3 8138 4F4C4C59 cmp dword ptr ds:[eax],594C4C4F ====> is it "OLLY"? i.e. detects OllyDbg
004378A9 74 21 je short BadCopyP.004378CC ====> if it jumps, it's OVER!
004378AB 8138 4F574C5F cmp dword ptr ds:[eax],5F4C574F ====> is it "OWL_"? What tool is that?
004378B1 74 19 je short BadCopyP.004378CC ====> if it jumps, it's OVER!
004378B3 8138 54446544 cmp dword ptr ds:[eax],44654454 ====> is it "TDeD"? i.e. detects DeDe
004378B9 74 11 je short BadCopyP.004378CC ====> if it jumps, it's OVER!
004378BB 8138 46696C65 cmp dword ptr ds:[eax],656C6946
004378C1 75 1C jnz short BadCopyP.004378DF ====> if it doesn't jump, it's OVER!
004378C3 8178 04 4D6F6E43 cmp dword ptr ds:[eax+4],436E6F4D
004378CA 75 13 jnz short BadCopyP.004378DF ====> if it doesn't jump, it's OVER!
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
Let's see what "goodies" are hiding in memory:
00437899 FF 37 FF 75 08 FF 57 0C 8B 07 81 38 4F 4C 4C 59 .7.u..W....8OLLY
004378A9 74 21 81 38 4F 57 4C 5F 74 19 81 38 54 44 65 44 t!.8OWL_t..8TDeD
004378B9 74 11 81 38 46 69 6C 65 75 1C 81 78 04 4D 6F 6E t..8Fileu..x.Mon
004378C9 43 75 13 6A 00 6A 00 6A 10 FF 75 08 FF 57 08 33 Cu.j.j.j..u..W.3
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
004378CC 6A 00 push 0
004378CE 6A 00 push 0
004378D0 6A 10 push 10
004378D2 FF75 08 push dword ptr ss:[ebp+8]
004378D5 FF57 08 call dword ptr ds:[edi+8] ====> this is where it's OVER! OllyDbg exits automatically!
004378D8 33C0 xor eax,eax
004378DA 5F pop edi
004378DB C9 leave
004378DC C2 0800 retn 8
004378DF 6A 01 push 1 ====> push 1, then OK!
004378E1 58 pop eax
004378E2 5F pop edi
004378E3 C9 leave
004378E4 C2 0800 retn 8

Good grief: it turns out it calls EnumWindows and GetClassNameA to enumerate all the parent windows in the window list and get their class names, then compares them against the author's built-in OLLY, OWL_ and TDeD; if any one of them is present, sorry, it won't play with you. Heh, about the same effect as FindWindow; a fairly gentle anti-tracing measure.
Because tElock has strong memory and file self-checks, modifying the program pops up a CRC ERROR message and then exits. So a lazy person like me took the simplest route. A while ago, out of boredom, I made a simple modification to OllyDbg whose only effect is to evade anti-debugging by {target programs that detect this tool's original window class name in memory}. I never expected it would finally come in handy this time.
—————————————————————————————————
2. Partial dump to get the IAT
Let's continue unpacking; switch to my modified OllyDbg for tracing! This time the program behaves and doesn't "leave without saying goodbye". Shift+F9 through the exceptions: after 6 the program runs. Try Again, and press Shift+F9 4 times:

00438069 CD 68 int 68 ====> 4th exception
004386E4 8B95 42D84000 mov edx,dword ptr ss:[ebp+40D842]
004386EA 8BB5 32D84000 mov esi,dword ptr ss:[ebp+40D832]
004386F0 85F6 test esi,esi ====> F2 to set a breakpoint here! ESI = RVA of the import table
004386F2 0F84 18040000 je BadCopyP.00438B10 ====> 《加密与解密》 says you can force a jump over this, but when I skipped it the program wouldn't run
004386F8 03F2 add esi,edx
004386FA 83A5 32D94000 00 and dword ptr ss:[ebp+40D932],0 ====> found here!

Set a breakpoint at 004386F0, press Shift+F9 and it breaks. Look at the value of esi: 0000A1EC; that is the location of the IAT. Then D 0040A1EC and you see the IAT; size 0040A8D0-0040A1EC=6E4. Now you can do a partial dump with LordPE. Address: 0040A1EC, size: 6E4. Save as: 部分dumped.dmp
—————————————————————————————————
3. OK, let me continue! Shift+F9 once more, and look for the OEP by hand!

00438BD7 8DC0 lea eax,eax ====> 5th exception
00438BE5 8B6424 08 mov esp,dword ptr ss:[esp+8] ====> set a breakpoint at the second address in the stack window; Shift+F9 breaks here
00438BE9 33C0 xor eax,eax
00438BEB FF6424 08 jmp dword ptr ss:[esp+8]
00438BFA 64:8F00 pop dword ptr fs:[eax]
00438BFD 58 pop eax
00438BFE EB 02 jmp short BadCopyP.00438C02
00438C02 58 pop eax
00438C03 5D pop ebp
00438C04 EB 02 jmp short BadCopyP.00438C08
00438C08 3D 5868133F cmp eax,3F136858
00438C0D E8 7E000000 call BadCopyP.00438C90
00438C90 F9 stc
00438C91 72 01 jb short BadCopyP.00438C94
00438C94 FC cld
00438C95 60 pushad
00438C96 E8 06000000 call BadCopyP.00438CA1
00438CA1 33C9 xor ecx,ecx
00438CA3 64:FF31 push dword ptr fs:[ecx]
00438CA6 64:8921 mov dword ptr fs:[ecx],esp
00438CA9 F1 int1
00438CAA F7F1 div ecx ====> exception! Note: look at the second address in the stack window here!
00438C9B 8B6424 08 mov esp,dword ptr ss:[esp+8]
00438C9F EB 0D jmp short BadCopyP.00438CAE ====> set a breakpoint at the second address in the stack window; Shift+F9 breaks here
00438CAE /EB 01 jmp short BadCopyP.00438CB1
00438CB1 15 09403318 adc eax,18334009
00438CB6 BE 00000000 mov esi,0
00438CBB 64:8F06 pop dword ptr fs:[esi]
00438CBE 5E pop esi
00438CBF EB 01 jmp short BadCopyP.00438CC2
00438CC2 F8 clc
00438CC3 60 pushad
00438CC4 E8 06000000 call BadCopyP.00438CCF
00438CCF 64:67:FF36 0000 push dword ptr fs:[0]
00438CD5 64:67:8926 0000 mov dword ptr fs:[0],esp
00438CDB 9C pushfd
00438CDC 810C24 00010000 or dword ptr ss:[esp],100
00438CE3 9D popfd
00438CE4 F8 clc ====> exception! Note: look at the second address in the stack window here!
00438CC9 8B6424 08 mov esp,dword ptr ss:[esp+8] ====> set a breakpoint at the second address in the stack window; Shift+F9 breaks here
00438CCD EB 1A jmp short BadCopyP.00438CE9
00438CE9 64:67:8F06 0000 pop dword ptr fs:[0]
00438CEF 58 pop eax
00438CF0 61 popad
00438CF1 F8 clc
00438CF2 73 02 jnb short BadCopyP.00438CF6
00438CF6 98 cwde
00438CF7 E8 0A000000 call BadCopyP.00438D06
00438D06 83E0 CF and eax,FFFFFFCF
00438D09 C3 retn ====> returns to 00438CFC; this is really a disguised JMP
00438CFC 33C3 xor eax,ebx
00438CFE E9 08000000 jmp BadCopyP.00438D0B
00438D0B C1E0 16 shl eax,16
00438D0E E8 00000000 call BadCopyP.00438D13 //step over with F8
00438D13 85E4 test esp,esp
00438D15 79 03 jns short BadCopyP.00438D1A
00438D1A 0BC3 or eax,ebx
00438D1C 8B2C24 mov ebp,dword ptr ss:[esp]
00438D1F 58 pop eax
00438D20 81ED 4E1F4100 sub ebp,BadCopyP.00411F4E
00438D26 F9 stc
00438D27 72 02 jb short BadCopyP.00438D2B
00438D2B F5 cmc
00438D2C 03C2 add eax,edx
00438D2E B8 4EEB5FAC mov eax,AC5FEB4E
00438D33 8BD8 mov ebx,eax
00438D35 81EB 01CD1EAC sub ebx,AC1ECD01
00438D3B F8 clc
00438D3C 73 02 jnb short BadCopyP.00438D40
00438D40 03DD add ebx,ebp
00438D42 B8 BA6B902C mov eax,2C906BBA
00438D47 8BF8 mov edi,eax
00438D49 81EF 9D6B902C sub edi,2C906B9D
00438D4F EB 01 jmp short BadCopyP.00438D52
00438D52 BE 7C40980E mov esi,0E98407C
00438D57 0BE4 or esp,esp
00438D59 75 01 jnz short BadCopyP.00438D5C
00438D5C 3D B3A81711 cmp eax,1117A8B3
00438D61 E8 0A000000 call BadCopyP.00438D70
00438D70 C3 retn ====> returns to 00438D66
00438D66 1BC3 sbb eax,ebx
00438D68 E9 09000000 jmp BadCopyP.00438D76
00438D76 23C3 and eax,ebx
00438D78 90 nop
00438D79 F9 stc
00438D7A 6BF6 4D imul esi,esi,4D
00438D7D 3133 xor dword ptr ds:[ebx],esi
00438D7F C1C6 03 rol esi,3
00438D82 F9 stc
00438D83 83D6 4B adc esi,4B
00438D86 43 inc ebx
00438D87 43 inc ebx
00438D88 43 inc ebx
00438D89 43 inc ebx
00438D8A EB 02 jmp short BadCopyP.00438D8E
00438D8E FC cld
00438D8F 81C6 0C519A22 add esi,229A510C
00438D95 F9 stc
00438D96 72 01 jb short BadCopyP.00438D99
00438D99 1D F99D6513 sbb eax,13659DF9
00438D9E 83EF 01 sub edi,1
00438DA1 EB 02 jmp short BadCopyP.00438DA5
00438DA5 48 dec eax
00438DA6 1BC6 sbb eax,esi
00438DA8 51 push ecx
00438DA9 8BCF mov ecx,edi
00438DAB E3 03 jecxz short BadCopyP.00438DB0
00438DAD 59 pop ecx
00438DAE ^ EB C9 jmp short BadCopyP.00438D79 ====> note this loop! Looking upward, 00438DAB can jump past it!
00438DB0 59 pop ecx ====> set a breakpoint here, F9, and it breaks here! Out of the loop!
00438DB1 85E4 test esp,esp
00438DB3 79 03 jns short BadCopyP.00438DB8
00438DB8 F5 cmc
00438DB9 E8 0C000000 call BadCopyP.00438DCA
00438DCA 2BC5 sub eax,ebp
00438DCC 40 inc eax
00438DCD C3 retn ====> returns to 00438DBE
00438DBE 3D B43C9223 cmp eax,23923CB4
00438DC3 E9 0B000000 jmp BadCopyP.00438DD3
00438DD3 3D 96AA2021 cmp eax,2120AA96
00438DD8 61 popad
00438DD9 0BE4 or esp,esp
00438DDB 75 01 jnz short BadCopyP.00438DDE
00438DDE 2BC7 sub eax,edi
00438DE0 C3 retn ====> returns to 00438C12
00438C12 8B9D 62D84000 mov ebx,dword ptr ss:[ebp+40D862]
00438C18 33F6 xor esi,esi
00438C1A F7D3 not ebx
00438C1C 0BF3 or esi,ebx
00438C1E 75 08 jnz short BadCopyP.00438C28
00438C28 039D 42D84000 add ebx,dword ptr ss:[ebp+40D842] ====> EBX=00004C22 + 00400000=00404C22; this is the OEP value
00438C2E 895C24 F0 mov dword ptr ss:[esp-10],ebx
00438C32 8DBD 64D74000 lea edi,dword ptr ss:[ebp+40D764]
00438C38 33C0 xor eax,eax
00438C3A B9 CE030000 mov ecx,3CE
00438C3F F3:AA rep stos byte ptr es:[edi]
00438C41 8DBD 9CB64000 lea edi,dword ptr ss:[ebp+40B69C]
00438C47 B9 3E1C0000 mov ecx,1C3E
00438C4C F3:AA rep stos byte ptr es:[edi]
00438C4E 66:AB stos word ptr es:[edi]
00438C50 8DBD 9CB64000 lea edi,dword ptr ss:[ebp+40B69C]
00438C56 85F6 test esi,esi
00438C58 75 08 jnz short BadCopyP.00438C62
00438C62 C607 E9 mov byte ptr ds:[edi],0E9
00438C65 47 inc edi
00438C66 2BDF sub ebx,edi
00438C68 83EB 04 sub ebx,4
00438C6B 891F mov dword ptr ds:[edi],ebx
00438C6D 8DBD DAD24000 lea edi,dword ptr ss:[ebp+40D2DA]
00438C73 B9 2C000000 mov ecx,2C
00438C78 F3:AA rep stos byte ptr es:[edi]
00438C7A 66:AB stos word ptr es:[edi]
00438C7C EB 02 jmp short BadCopyP.00438C80
00438C80 61 popad
00438C81 FF6424 D0 jmp dword ptr ss:[esp-30] ====> fly to the summit of light! Jumps to 00404C22
————————————————————————
00404C22 55 push ebp ====> here, correct the ImageSize with LordPE and then fully dump the process
00404C23 8BEC mov ebp,esp
00404C25 6A FF push -1
00404C27 68 E0A14000 push BadCopyP.0040A1E0
00404C2C 68 DC4D4000 push BadCopyP.00404DDC
—————————————————————————————————
4. Manual repair.
Of course you can also repair with ImportREC. I'll practice repairing by hand.
1. Use WinHex to copy the code from 部分dumped.dmp and write it to the corresponding location in dumped.exe, then save.
2. Then open dumped.exe with PEditor and change the entry point to 00004C22; fix the sections with dumpfixer.
3. Use LordPE to correct the import table address to 0000A1EC. Finally rebuild the PE. OK, it runs normally! 71K -> 191K. The program was compiled with VC++ 6.0, and after unpacking it runs across system platforms!
—————————————————————————————————
Youth is but a moment; trade empty fame for the wild abandon of cracking.
Cracked By 巢水工作坊——fly [OCN][FCG] 2003-10-13 23:00
--------------------------------------------------------------------------------
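The window-class check fly traced above is a static pattern: the callback compares the class name four bytes at a time with `cmp dword ptr [eax],imm32` (encoded 81 38 imm32) and `cmp dword ptr [eax+disp8],imm32` (81 78 disp8 imm32), and the immediates spell "OLLY", "OWL_", "TDeD" in memory order; the import-resolution code at 004373F4 tests "GetP"/"rocA"/"ddre" the same way. As an added example (not part of this post, fly's article or tElock itself), the Python below finds such compares in a code region from the analyst's side, so the check can be located in a dump without stepping into EnumWindows. The two byte samples are constructed from the listings quoted above, the regex is a plain byte-pattern scan rather than a disassembler (so it can misfire on data that happens to contain 81 38 / 81 78), and the labels attached to the three class names are taken from the article.

```python
"""Locate the four-byte ASCII compares a packer uses to recognise debugger
window classes (and, during import resolution, API names).  Added example for
this thread, not code from tElock or from the article; the byte samples below
are constructed from the listings quoted in the thread."""
import re
import struct

# Constructed sample 1: the 64 bytes at 00437899 from the memory dump in the
# article (the EnumWindows callback that checks each window's class name).
CLASSNAME_CHECK_BASE = 0x00437899
CLASSNAME_CHECK = bytes.fromhex(
    "FF37FF7508FF570C8B0781384F4C4C59"
    "742181384F574C5F7419813854446544"
    "7411813846696C65751C8178044D6F6E"
    "4375136A006A006A10FF7508FF570833"
)

# Constructed sample 2: the bytes listed at 004373F4, where the loader compares
# an export name against "GetProcAddress" four characters at a time.
API_LOOKUP_BASE = 0x004373F4
API_LOOKUP = bytes.fromhex(
    "813847657450" "0F85D8FDFFFF"
    "817804726F6341" "0F85CBFDFFFF"
    "81780864647265" "0F85BEFDFFFF"
    "6882080000"
)

# cmp dword ptr [eax],imm32 encodes as 81 38 imm32;
# cmp dword ptr [eax+disp8],imm32 encodes as 81 78 disp8 imm32.
_CMP_EAX_IMM32 = re.compile(rb"\x81(\x38|\x78.)(.{4})", re.DOTALL)

# Class-name prefixes the article identifies and what it says they belong to.
DEBUGGER_CLASS_TAGS = {
    "OLLY": "OllyDbg",
    "OWL_": "OWL_ (tool not identified in the article)",
    "TDeD": "DeDe",
}


def _is_printable(b: bytes) -> bool:
    return all(0x20 <= c < 0x7F for c in b)


def find_ascii_compares(code: bytes, base: int) -> list:
    """Return every cmp-[eax(+disp8)]-imm32 whose immediate is four printable
    ASCII bytes: instruction address, displacement, the immediate as OllyDbg
    shows it, and the text it spells in memory order."""
    hits = []
    for m in _CMP_EAX_IMM32.finditer(code):
        modrm, imm = m.group(1), m.group(2)
        if not _is_printable(imm):
            continue
        disp = 0 if modrm == b"\x38" else struct.unpack("<b", modrm[1:2])[0]
        hits.append({
            "addr": base + m.start(),
            "disp": disp,
            "imm": struct.unpack("<I", imm)[0],  # 0x594C4C4F for "OLLY"
            "text": imm.decode("ascii"),
        })
    return hits


def chain_compares(hits: list) -> list:
    """Join a run of compares at [eax], [eax+4], [eax+8], ... into the whole
    string being tested ('GetP','rocA','ddre' -> 'GetProcAddre')."""
    chains, cur = [], None
    for h in hits:
        if h["disp"] == 0:
            if cur:
                chains.append(cur)
            cur = {"addr": h["addr"], "text": h["text"], "next_disp": 4}
        elif cur is not None and h["disp"] == cur["next_disp"]:
            cur["text"] += h["text"]
            cur["next_disp"] += 4
        else:
            if cur:
                chains.append(cur)
            cur = None
    if cur:
        chains.append(cur)
    return [{"addr": c["addr"], "text": c["text"]} for c in chains]


def report(code: bytes, base: int) -> list:
    """Scan a code region and label each compared string as (addr, text, label)."""
    out = []
    for c in chain_compares(find_ascii_compares(code, base)):
        label = DEBUGGER_CLASS_TAGS.get(c["text"][:4], "string compare")
        out.append((c["addr"], c["text"], label))
    return out


if __name__ == "__main__":
    for base, code in ((CLASSNAME_CHECK_BASE, CLASSNAME_CHECK),
                       (API_LOOKUP_BASE, API_LOOKUP)):
        for addr, text, label in report(code, base):
            print(f"{addr:08X}  {text!r:16} {label}")
```

Run against the first sample it reports OLLY, OWL_, TDeD and the "File"+"MonC" pair at the addresses fly listed; against the second it reassembles "GetProcAddre" from the three chained compares, which is the same technique the packer uses for its API lookup, so one scan covers both places the article walks through.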