下载页面: http://www.czkj.com/
软件大小: 390K
软件简介: vfp&exeNc内存型加密软件,采用全新的加密内核精心编制而成,vfp&exeNc采用拦截系统功能调用(hook)技术,还原和运行完全在内存中完成,加密后的文件既保持了VFP原有的运行速度,又足以防止现有的任何反编译软件的反编译,从而保护您的源代码。
【作者声明】:只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教
【调试环境】:Win2KSP4、OllyDbg、PEiD、LordPE
【脱壳过程】:
国内有很多VF程序用PEiD侦壳时显示ASPack 2.x (without poly),其实这是老王的vfp&exeNc加壳的。
对于Visual Foxpro程序了解很少,不过vfp&exeNc主程序是Delphi的,只好用主程序来脱壳看看,得罪之处,请老王谅解。
004FCB24 v> 60 pushad ;进入Ollydbg后暂停在这
004FCB25 E8 01000000 call vfpexeNc.004FCB2B
004FCB2A 6358 E8 arpl word ptr ds:[eax-18],bx
004FCB2D 0100 add dword ptr ds:[eax],eax
004FCB2F 0000 add byte ptr ds:[eax],al
004FCB31 7A 58 jpe short vfpexeNc.004FCB8B
004FCB33 2D 0D104000 sub eax,vfpexeNc.0040100D
004FCB38 8D90 C1104000 lea edx,dword ptr ds:[eax+4010C1]
004FCB3E 52 push edx
004FCB3F 50 push eax
004FCB40 8D80 49104000 lea eax,dword ptr ds:[eax+401049]
004FCB46 5D pop ebp
004FCB47 50 push eax
004FCB48 8D85 65104000 lea eax,dword ptr ss:[ebp+401065]
004FCB4E 50 push eax
004FCB4F 64:FF35 0000000>push dword ptr fs:[0]
004FCB56 64:8925 0000000>mov dword ptr fs:[0],esp
004FCB5D CC int3
004FCB5E 90 nop
004FCB5F 64:8F05 0000000>pop dword ptr fs:[0] ;F2下断,F9运行到此,取消断点
004FCB66 83C4 04 add esp,4
004FCB69 C3 retn
004FCB6A EB 11 jmp short vfpexeNc.004FCB7D
004FCB77 57 push edi
004FCB78 8A03 mov al,byte ptr ds:[ebx]
004FCB7A 3007 xor byte ptr ds:[edi],al
004FCB7C 43 inc ebx
004FCB7D 47 inc edi
004FCB7E ^ E2 F8 loopd short vfpexeNc.004FCB78
004FCB80 58 pop eax ;F4
004FCB81 894424 1C mov dword ptr ss:[esp+1C],eax
004FCB85 61 popad
004FCB86 ^ FFE0 jmp eax ;JUMP TO vfpexeNc.004FB001
004FCB88 C3 retn
004FCB89 55 push ebp
004FCB8A 8BEC mov ebp,esp
004FB001 60 pushad
004FB002 E8 03000000 call vfpexeNc.004FB00A ;F7
004FB007 - E9 EB045D45 jmp 45ACB4F7
004FB00C 55 push ebp
004FB00D C3 retn
004FB00E E8 01000000 call vfpexeNc.004FB014 ;F7
004FB013 EB 5D jmp short vfpexeNc.004FB072
004FB015 BB EDFFFFFF mov ebx,-13
004FB01A 03DD add ebx,ebp
004FB01C 81EB 00B00F00 sub ebx,0FB000
004FB022 83BD 22040000 0>cmp dword ptr ss:[ebp+422],0
004FB029 899D 22040000 mov dword ptr ss:[ebp+422],ebx
004FB02F 0F85 65030000 jnz vfpexeNc.004FB39A
004FB035 8D85 2E040000 lea eax,dword ptr ss:[ebp+42E]
004FB03B 50 push eax
004FB03C FF95 4D0F0000 call dword ptr ss:[ebp+F4D]
004FB042 8985 26040000 mov dword ptr ss:[ebp+426],eax
004FB048 8BF8 mov edi,eax
004FB066 8985 51050000 mov dword ptr ss:[ebp+551],eax
004FB06C 8D45 77 lea eax,dword ptr ss:[ebp+77]
004FB06F FFE0 jmp eax ; vfpexeNc.004FB08A
004FB071 56 push esi
004FB08A 8B9D 31050000 mov ebx,dword ptr ss:[ebp+531]
004FB090 0BDB or ebx,ebx
004FB092 74 0A je short vfpexeNc.004FB09E
004FB094 8B03 mov eax,dword ptr ds:[ebx]
004FB096 8785 35050000 xchg dword ptr ss:[ebp+535],eax
004FB09C 8903 mov dword ptr ds:[ebx],eax
004FB09E 8DB5 69050000 lea esi,dword ptr ss:[ebp+569]
004FB0A4 833E 00 cmp dword ptr ds:[esi],0
004FB0A7 0F84 21010000 je vfpexeNc.004FB1CE
004FB0AD 6A 04 push 4
004FB0AF 68 00100000 push 1000
004FB0B4 68 00180000 push 1800
004FB133 AC lods byte ptr ds:[esi]
004FB134 3C E8 cmp al,0E8
004FB136 74 0A je short vfpexeNc.004FB142
004FB138 EB 00 jmp short vfpexeNc.004FB13A
004FB13A 3C E9 cmp al,0E9
004FB13C 74 04 je short vfpexeNc.004FB142
004FB13E 43 inc ebx
004FB13F 49 dec ecx
004FB140 ^ EB EB jmp short vfpexeNc.004FB12D ;回跳
004FB142 8B06 mov eax,dword ptr ds:[esi] ;F4
004FB150 2BC3 sub eax,ebx
004FB152 8906 mov dword ptr ds:[esi],eax
004FB154 83C3 05 add ebx,5
004FB157 83C6 04 add esi,4
004FB15A 83E9 05 sub ecx,5
004FB15D ^ EB CE jmp short vfpexeNc.004FB12D ;回跳
004FB15F 5B pop ebx ;F4
004FB18A 68 00800000 push 8000
004FB18F 6A 00 push 0
004FB191 FFB5 52010000 push dword ptr ss:[ebp+152]
004FB197 FF95 51050000 call dword ptr ss:[ebp+551]
004FB19D 83C6 08 add esi,8
004FB1A0 833E 00 cmp dword ptr ds:[esi],0
004FB1A3 ^ 0F85 1EFFFFFF jnz vfpexeNc.004FB0C7 ;回跳
004FB1A9 68 00800000 push 8000 ;F4
004FB372 50 push eax
004FB373 57 push edi
004FB374 EB 4A jmp short vfpexeNc.004FB3C0
004FB376 8907 mov dword ptr ds:[edi],eax
004FB378 8385 49050000 0>add dword ptr ss:[ebp+549],4
004FB37F ^ E9 32FFFFFF jmp vfpexeNc.004FB2B6 ;回跳
004FB384 8906 mov dword ptr ds:[esi],eax ;F4
004FB386 8946 0C mov dword ptr ds:[esi+C],eax
004FB389 8946 10 mov dword ptr ds:[esi+10],eax
004FB38C 83C6 14 add esi,14
004FB38F 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
004FB395 ^ E9 EBFEFFFF jmp vfpexeNc.004FB285 ;回跳
004FB39A B8 43F10B00 mov eax,0BF143 ;F4
004FB39F 50 push eax
004FB3A0 0385 22040000 add eax,dword ptr ss:[ebp+422]
004FB3A6 59 pop ecx
004FB3A7 0BC9 or ecx,ecx
004FB3A9 8985 A8030000 mov dword ptr ss:[ebp+3A8],eax
004FB3AF 61 popad
004FB3B0 75 08 jnz short vfpexeNc.004FB3BA
004FB3B2 B8 01000000 mov eax,1
004FB3B7 C2 0C00 retn 0C
004FB3BA 68 00000000 push 0
004FB3BF C3 retn
004FB3C0 8B85 26040000 mov eax,dword ptr ss:[ebp+426]
004FB3C6 8D8D 3B040000 lea ecx,dword ptr ss:[ebp+43B]
004BF143 60 pushad
004BF144 E8 00000000 call vfpexeNc.004BF149
004BF149 5D pop ebp
004BF14A 81ED 06104000 sub ebp,vfpexeNc.00401006
004BF150 8D85 56104000 lea eax,dword ptr ss:[ebp+401056]
004BF156 50 push eax
004BF157 64:FF35 0000000>push dword ptr fs:[0]
004BF15E 64:8925 0000000>mov dword ptr fs:[0],esp
004BF165 CC int3
004BF166 90 nop
004BF167 64:8F05 0000000>pop dword ptr fs:[0] ;F2下断,F9运行到此,取消断点
004BF16E 83C4 04 add esp,4
004BF171 74 05 je short vfpexeNc.004BF178
004BF173 75 03 jnz short vfpexeNc.004BF178
004BF180 2BFA sub edi,edx
004BF182 57 push edi
004BF183 8A03 mov al,byte ptr ds:[ebx]
004BF185 3007 xor byte ptr ds:[edi],al
004BF187 43 inc ebx
004BF188 47 inc edi
004BF189 ^ E2 F8 loopd short vfpexeNc.004BF183
004BF18B 58 pop eax ;F4
004BF18C 894424 1C mov dword ptr ss:[esp+1C],eax
004BF190 61 popad
004BF191 ^ FFE0 jmp eax ; vfpexeNc.004BF06C 跳向光明之巅
004BF193 74 60 je short vfpexeNc.004BF1F5
004BF06C 55 push ebp
004BF06D 8BEC mov ebp,esp
004BF06F 83C4 F0 add esp,-10
004BF072 B8 2CEE4B00 mov eax,vfpexeNc.004BEE2C
004BF077 E8 E878F4FF call vfpexeNc.00406964
004BF07C A1 A4234C00 mov eax,dword ptr ds:[4C23A4]
004BF081 8B00 mov eax,dword ptr ds:[eax]
004BF083 E8 DC57FAFF call vfpexeNc.00464864
004BF088 A1 A4234C00 mov eax,dword ptr ds:[4C23A4]
004BF08D 8B00 mov eax,dword ptr ds:[eax]
004BF08F BA CCF04B00 mov edx,vfpexeNc.004BF0CC ; ASCII "vfpexeNc60"
004BF094 E8 D753FAFF call vfpexeNc.00464470
004BF099 8B0D AC244C00 mov ecx,dword ptr ds:[4C24AC] ; vfpexeNc.004C56B0
在004BF06C处直接用OD插件DUMP出程序,无需修复直接运行.
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
变成垃圾箱了吧
