I am qyc ---> 小Q. After waiting a year for registration to open, I finally got an ID on 看雪 yesterday, and I can't say how happy I am. I wrote a lot of articles before but never had a chance to post them here; today the dream finally comes true. For my first post I'm publishing my first unpacking as an opening gift. It counts as my own original work, so let me say up front: brothers who already know me can skip this.
This time I took AQ's Alexa排名速查工具 to unpack, and finally succeeded. Here I thank AQ for the nameless "Nothing found *" packer on that tool. AQ, please don't be angry; I was only practicing unpacking the nameless "Nothing found *" packer, and had no intention of modifying the moderator's program. I absolutely did not modify it! Please forgive me for unpacking your program.
PEiD still shows "Nothing found *" for the program (in general, whatever PEiD cannot identify is shown as "Nothing found *"), yet it disassembles normally in OD. For cracking the software, finding out this much is enough.
Tools: PEiD, OD (OllyDbg)
Target program: a program with the "Nothing found *" packer (here I use AQ's Alexa排名速查工具)
About the upack packer: a program packed with it shows none of its strings, the compression ratio is very high, and a PEiD scan shows "Nothing found *". I won't say much more about it; that's just how it is.
Let's start undressing it, shall we? (How can you do this kind of thing without taking the clothes off?)
PEiD reports the packer as "Nothing found *", a "packer" that may or may not be a packer. (Right, many packers make PEiD give you this blank look; nothing is hard for the one who puts his mind to it.) Well, with a PEiD plugin I got the OEP: 0046A5A0. Actually you don't have to find it, but having found it you have something to go on. Is it really useful? ...
Unpacking method 1:
Load the program in OD.
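A PEiD result of "Nothing found *" only means that no signature in its database matched; it says nothing about whether the file is packed. The following Python script is an added example, not part of the original post: it walks the PE headers without any signature database and reports the indicators an analyst would otherwise check by hand in OD, namely whether the entry point lies in the last section, the byte entropy of that section, and whether some section is empty on disk but large in memory (the place the stub will unpack into). The two sample images are built inside the script and are constructed, not real binaries; section names and layout are made up, and the entry RVA 0xB0C89 mirrors the stub address 004B0C89 minus an assumed image base of 00400000 taken from the listing in this post.

```python
import hashlib
import math
import struct
from typing import Dict, List, Tuple

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed or encrypted data sits near 8.0, plain x86 code well below."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes) -> Tuple[int, List[Dict]]:
    """Minimal PE32 header walk: returns (AddressOfEntryPoint, list of section records)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", image, coff + 2)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]     # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]     # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "data": image[rawptr:rawptr + rawsize]})
    return entry_rva, sections

def packing_indicators(image: bytes) -> Dict:
    """Signature-free facts about where execution starts and what that section looks like."""
    entry_rva, sections = pe_sections(image)
    holder = next((s for s in sections
                   if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    return {
        "entry_rva": entry_rva,
        "entry_section": holder["name"] if holder else None,
        "entry_in_last_section": holder is not None and holder is sections[-1],
        "entry_section_entropy": shannon_entropy(holder["data"]) if holder else 0.0,
        "empty_on_disk": [s["name"] for s in sections if s["rawsize"] == 0 and s["vsize"] > 0],
    }

def looks_packed(ind: Dict) -> bool:
    """Heuristic: stub in the last section, high-entropy payload, and an unpack target section."""
    return ind["entry_in_last_section"] and ind["entry_section_entropy"] > 7.0 and bool(ind["empty_on_disk"])

# --- constructed sample images (not real binaries) ---------------------------------
def build_pe(sections: List[Tuple[bytes, int, int, bytes]], entry_rva: int) -> bytes:
    """Assemble a minimal PE32 file from [(name, va, vsize, raw_bytes)] plus an entry RVA."""
    falign = 0x200
    hdr_len = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    raw_ptr = (hdr_len + falign - 1) // falign * falign
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase, assumed from the listing
    struct.pack_into("<II", opt, 32, 0x1000, falign)         # SectionAlignment, FileAlignment
    table, body = b"", b""
    for name, va, vsize, raw in sections:
        rawsize = (len(raw) + falign - 1) // falign * falign if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, rawsize,
                             raw_ptr + len(body) if raw else 0, 0, 0, 0, 0, 0xE0000060)
        body += raw.ljust(rawsize, b"\0")
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return header.ljust(raw_ptr, b"\0") + body

# 4 KiB of deterministic pseudo-random bytes standing in for compressed data
PACKED_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PACKED_SAMPLE = build_pe(
    [(b".text", 0x1000, 0xAF000, b""),             # original code: empty on disk, filled at run time
     (b".stub", 0xB0000, 0x2000, PACKED_PAYLOAD)],  # decompression stub + packed data (name made up)
    entry_rva=0xB0C89)                              # 004B0C89 - 00400000
NORMAL_SAMPLE = build_pe(
    [(b".text", 0x1000, 0x400, bytes([0x55, 0x8B, 0xEC, 0x83, 0xC4, 0xF0]) * 170),
     (b".data", 0x2000, 0x100, b"\0" * 0x100)],
    entry_rva=0x1000)

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("normal", NORMAL_SAMPLE)):
        ind = packing_indicators(img)
        print(label, ind, "-> looks packed:", looks_packed(ind))
```

Running the script prints the indicator dictionary for both constructed images; only the first one trips all three checks. None of these indicators proves a packer by itself (a normal program can legitimately have a high-entropy resource section), which is why the author's method of stepping the stub in OD until it jumps to the OEP remains the decisive test.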
004B0C89 A> BE 48014000 mov esi,Alexa排?00400148 ----------> We stop here. Let's go.....
004B0C8E AD lods dword ptr ds:[esi]
004B0C8F 8BF8 mov edi,eax
004B0C91 95 xchg eax,ebp
004B0C92 A5 movs dword ptr es:[edi],d>
004B0C93 33C0 xor eax,eax
004B0C95 33C9 xor ecx,ecx
004B0C97 AB stos dword ptr es:[edi]
004B0C98 48 dec eax
004B0C99 AB stos dword ptr es:[edi]
004B0C9A F7D8 neg eax
004B0C9C B1 04 mov cl,4
004B0C9E F3:AB rep stos dword ptr es:[ed>
004B0CA0 C1E0 0A shl eax,0A
004B0CA3 B5 1C mov ch,1C
004B0CA5 F3:AB rep stos dword ptr es:[ed>
004B0CA7 AD lods dword ptr ds:[esi]
004B0CA8 50 push eax
004B0CA9 97 xchg eax,edi
004B0CAA 51 push ecx
004B0CAB AD lods dword ptr ds:[esi]
004B0CAC 87F5 xchg ebp,esi
004B0CAE 58 pop eax
004B0CAF 8D5486 5C lea edx,dword ptr ds:[esi>
004B0CB3 FFD5 call ebp
004B0CB5 72 5A jb short Alexa排?004B0D11
004B0CB7 2C 03 sub al,3
004B0CB9 73 02 jnb short Alexa排?004B0CBD
004B0CBB B0 00 mov al,0
004B0CBD 3C 07 cmp al,7
004B0CBF 72 02 jb short Alexa排?004B0CC3
004B0CC1 2C 03 sub al,3
004B0CC3 50 push eax
004B0CC4 0FB65F FF movzx ebx,byte ptr ds:[ed>
004B0CC8 C1E3 03 shl ebx,3
004B0CCB B3 00 mov bl,0
004B0CCD 8D1C5B lea ebx,dword ptr ds:[ebx>
004B0CD0 8D9C9E 0C100000 lea ebx,dword ptr ds:[esi>
004B0CD7 B0 01 mov al,1
004B0CD9 67:E3 29 jcxz short Alexa排?004B0D0>
004B0CDC 8BD7 mov edx,edi
004B0CDE 2B56 0C sub edx,dword ptr ds:[esi>
004B0CE1 8A2A mov ch,byte ptr ds:[edx]
004B0CE3 33D2 xor edx,edx
004B0CE5 84E9 test cl,ch
004B0CE7 0F95C6 setne dh
004B0CEA 52 push edx
004B0CEB FEC6 inc dh
004B0CED 8AD0 mov dl,al
004B0CEF 8D1493 lea edx,dword ptr ds:[ebx>
004B0CF2 FFD5 call ebp
004B0CF4 5A pop edx
004B0CF5 9F lahf
004B0CF6 12C0 adc al,al
004B0CF8 D0E9 shr cl,1
004B0CFA 74 0E je short Alexa排?004B0D0A
004B0CFC 9E sahf
004B0CFD 1AF2 sbb dh,dl
004B0CFF ^ 74 E4 je short Alexa排?004B0CE5
004B0D01 B4 00 mov ah,0
004B0D03 33C9 xor ecx,ecx
004B0D05 B5 01 mov ch,1
004B0D07 FF55 CC call dword ptr ss:[ebp-34>
004B0D0A 33C9 xor ecx,ecx
004B0D0C E9 DF000000 jmp Alexa排?004B0DF0
004B0D11 8B5E 0C mov ebx,dword ptr ds:[esi>
004B0D14 83C2 30 add edx,30
004B0D17 FFD5 call ebp
004B0D19 73 50 jnb short Alexa排?004B0D6B
004B0D1B 83C2 30 add edx,30
004B0D1E FFD5 call ebp
004B0D20 72 1B jb short Alexa排?004B0D3D
004B0D22 83C2 30 add edx,30
004B0D25 FFD5 call ebp
004B0D27 72 2B jb short Alexa排?004B0D54
004B0D29 3C 07 cmp al,7
004B0D2B B0 09 mov al,9
004B0D2D 72 02 jb short Alexa排?004B0D31
004B0D2F B0 0B mov al,0B
004B0D31 50 push eax
004B0D32 8BC7 mov eax,edi
004B0D34 2B46 0C sub eax,dword ptr ds:[esi>
004B0D37 B1 80 mov cl,80
004B0D39 8A00 mov al,byte ptr ds:[eax]
004B0D3B ^ EB CF jmp short Alexa排?004B0D0C
004B0D3D 83C2 60 add edx,60
004B0D40 FFD5 call ebp
004B0D42 875E 10 xchg dword ptr ds:[esi+10>
004B0D45 73 0D jnb short Alexa排?004B0D54
004B0D47 83C2 30 add edx,30
004B0D4A FFD5 call ebp
004B0D4C 875E 14 xchg dword ptr ds:[esi+14>
004B0D4F 73 03 jnb short Alexa排?004B0D54
004B0D51 875E 18 xchg dword ptr ds:[esi+18>
004B0D54 3C 07 cmp al,7
004B0D56 B0 08 mov al,8
004B0D58 72 02 jb short Alexa排?004B0D5C
004B0D5A B0 0B mov al,0B
004B0D5C 50 push eax
004B0D5D 53 push ebx
004B0D5E 8D96 7C070000 lea edx,dword ptr ds:[esi>
004B0D64 FF55 D0 call dword ptr ss:[ebp-30>
004B0D67 5B pop ebx
004B0D68 91 xchg eax,ecx
004B0D69 EB 77 jmp short Alexa排?004B0DE2
004B0D6B 3C 07 cmp al,7
004B0D6D B0 07 mov al,7
004B0D6F 72 02 jb short Alexa排?004B0D73
004B0D71 B0 0A mov al,0A
004B0D73 50 push eax
004B0D74 875E 10 xchg dword ptr ds:[esi+10>
004B0D77 875E 14 xchg dword ptr ds:[esi+14>
004B0D7A 895E 18 mov dword ptr ds:[esi+18]>
004B0D7D 8D96 C40B0000 lea edx,dword ptr ds:[esi>
004B0D83 FF55 D0 call dword ptr ss:[ebp-30>
004B0D86 50 push eax
004B0D87 48 dec eax
004B0D88 83F8 03 cmp eax,3
004B0D8B 72 03 jb short Alexa排?004B0D90
004B0D8D 6A 03 push 3
004B0D8F 58 pop eax
004B0D90 C1E0 06 shl eax,6
004B0D93 6A 40 push 40
004B0D95 59 pop ecx
004B0D96 8D9C86 7C030000 lea ebx,dword ptr ds:[esi>
004B0D9D FF55 C8 call dword ptr ss:[ebp-38>
004B0DA0 3C 04 cmp al,4
004B0DA2 8BD8 mov ebx,eax
004B0DA4 72 3A jb short Alexa排?004B0DE0
004B0DA6 33DB xor ebx,ebx
004B0DA8 D1E8 shr eax,1
004B0DAA 13DB adc ebx,ebx
004B0DAC 48 dec eax
004B0DAD 43 inc ebx
004B0DAE 43 inc ebx
004B0DAF 91 xchg eax,ecx
004B0DB0 D3E3 shl ebx,cl
004B0DB2 80F9 05 cmp cl,5
004B0DB5 8D949E 7C010000 lea edx,dword ptr ds:[esi>
004B0DBC 76 09 jbe short Alexa排?004B0DC7
004B0DBE 80E9 04 sub cl,4
004B0DC1 FF55 DC call dword ptr ss:[ebp-24>
004B0DC4 8D56 1C lea edx,dword ptr ds:[esi>
004B0DC7 33C0 xor eax,eax
004B0DC9 53 push ebx
004B0DCA 40 inc eax
004B0DCB 51 push ecx
004B0DCC D3E0 shl eax,cl
004B0DCE 8BDA mov ebx,edx
004B0DD0 91 xchg eax,ecx
004B0DD1 FF55 C8 call dword ptr ss:[ebp-38>
004B0DD4 33D2 xor edx,edx
004B0DD6 59 pop ecx
004B0DD7 D1E8 shr eax,1
004B0DD9 13D2 adc edx,edx
004B0DDB ^ E2 FA loopd short Alexa排?004B0D>
004B0DDD 5B pop ebx
004B0DDE 03DA add ebx,edx
004B0DE0 43 inc ebx
004B0DE1 59 pop ecx
004B0DE2 895E 0C mov dword ptr ds:[esi+C],>
004B0DE5 56 push esi
004B0DE6 8BF7 mov esi,edi
004B0DE8 2BF3 sub esi,ebx
004B0DEA F3:A4 rep movs byte ptr es:[edi>
004B0DEC AC lods byte ptr ds:[esi]
004B0DED B1 80 mov cl,80
004B0DEF 5E pop esi
004B0DF0 AA stos byte ptr es:[edi]
004B0DF1 3B7D D8 cmp edi,dword ptr ss:[ebp>
004B0DF4 ^ 0F82 B4FEFFFF jb Alexa排?004B0CAE-------------> this jumps back.
004B0DFA 58 pop eax-------------------------> F4 to step past it.
004B0DFB 5E pop esi
004B0DFC B9 8F330000 mov ecx,338F
004B0E01 EB 1C jmp short Alexa排?004B0E1F
004B0E03 AC lods byte ptr ds:[esi]
004B0E04 04 18 add al,18
004B0E06 3C 02 cmp al,2
004B0E08 ^ 73 F9 jnb short Alexa排?004B0E03
004B0E0A 8B06 mov eax,dword ptr ds:[esi>
004B0E0C 3C 14 cmp al,14
004B0E0E ^ 75 F3 jnz short Alexa排?004B0E03
004B0E10 B0 00 mov al,0
004B0E12 83C6 04 add esi,4
004B0E15 0FC8 bswap eax
004B0E17 0345 F8 add eax,dword ptr ss:[ebp>
004B0E1A 2BC6 sub eax,esi
004B0E1C 8946 FC mov dword ptr ds:[esi-4],>
004B0E1F ^ E2 E2 loopd short Alexa排?004B0E>-----------> the loop jumps back here
004B0E21 8B5D B0 mov ebx,dword ptr ss:[ebp>------------> F4 to step past it.
004B0E24 8B75 B4 mov esi,dword ptr ss:[ebp>
004B0E27 46 inc esi
004B0E28 AD lods dword ptr ds:[esi]
004B0E29 85C0 test eax,eax
004B0E2B - 0F84 6F97FBFF je Alexa排?0046A5A0-------------------> Here is the key point, do you see it? It's the OEP we saw in PEiD. Think about it: the jump is not taken, right? If it were taken, wouldn't we be at the OEP? Right: change the JE into a forced JMP and don't we land at the OEP? Once you, clever reader, have reached the OEP, you can .....
004B0E31 56 push esi
004B0E32 97 xchg eax,edi
004B0E33 FF53 FC call dword ptr ds:[ebx-4]
004B0E36 95 xchg eax,ebp
004B0E37 AC lods byte ptr ds:[esi]
004B0E38 84C0 test al,al
004B0E3A ^ 75 FB jnz short Alexa排?004B0E37------------> not taken above, so we arrive here; this one jumps back
004B0E3C 3806 cmp byte ptr ds:[esi],al
004B0E3E ^ 74 E7 je short Alexa排?004B0E27
004B0E40 79 08 jns short Alexa排?004B0E4A
004B0E42 46 inc esi
004B0E43 33C0 xor eax,eax
004B0E45 66:AD lods word ptr ds:[esi]
004B0E47 50 push eax
004B0E48 EB 01 jmp short Alexa排?004B0E4B
004B0E4A 56 push esi
004B0E4B 55 push ebp
004B0E4C FF13 call dword ptr ds:[ebx]
004B0E4E AB stos dword ptr es:[edi]
004B0E4F ^ EB E6 jmp short Alexa排?004B0E37-----------> jumps back
004B0E51 4C dec esp------------------------------> F4 down to here and it walks to its death.. the program has run off..
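The listing above contains two kinds of jumps: backward jumps that form the decompression loops (OllyDbg marks them with ^, and the author steps past each one with F4) and the single je that leaves the stub for the OEP. The following Python script is an added example, not part of the original post: it recovers each jump's target directly from the opcode bytes in an OllyDbg listing (useful because OllyDbg clips long targets with ">", as in the loopd line), and classifies each jump as a loop, a forward jump, or an exit from the stub's address range. The sample lines are copied from the listing above; the stub range is assumed to be the address range of the lines supplied, and only relative jumps are classified (calls through registers such as call ebp carry no target in their bytes).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: lines copied from the OllyDbg listing above.
# OllyDbg truncates the module name to "Alexa排?" and clips long columns with ">".
SAMPLE_LISTING = """\
004B0C89 A> BE 48014000 mov esi,Alexa排?00400148
004B0CAE 58 pop eax
004B0CD9 67:E3 29 jcxz short Alexa排?004B0D0>
004B0CF2 FFD5 call ebp
004B0DF1 3B7D D8 cmp edi,dword ptr ss:[ebp>
004B0DF4 ^ 0F82 B4FEFFFF jb Alexa排?004B0CAE
004B0DFA 58 pop eax
004B0E1F ^ E2 E2 loopd short Alexa排?004B0E>
004B0E21 8B5D B0 mov ebx,dword ptr ss:[ebp>
004B0E2B - 0F84 6F97FBFF je Alexa排?0046A5A0
004B0E31 56 push esi
004B0E3A ^ 75 FB jnz short Alexa排?004B0E37
004B0E4F ^ EB E6 jmp short Alexa排?004B0E37
004B0E51 4C dec esp
"""

HEX_TOKEN = re.compile(r"^[0-9A-F]{2}(?::?[0-9A-F]{2})*$")   # "0F82", "67:E3", "B4FEFFFF"

@dataclass
class Branch:
    addr: int
    mnemonic: str
    target: int
    kind: str   # "loop" = backward inside the stub, "forward", "exit" = leaves the stub

def decode_line(line: str) -> Optional[Tuple[int, bytes, str]]:
    """Split an OllyDbg line into (address, opcode bytes, mnemonic); skip non-code lines."""
    toks = line.split()
    if len(toks) < 3 or not re.fullmatch(r"[0-9A-F]{8}", toks[0]):
        return None
    raw, i = bytearray(), 1
    while i < len(toks):
        t = toks[i]
        if t in ("^", "-") or (len(t) == 2 and t.endswith(">")):
            i += 1                                  # jump-direction / analysis markers
        elif HEX_TOKEN.match(t):
            raw += bytes.fromhex(t.replace(":", ""))
            i += 1
        else:
            break
    if i >= len(toks) or not raw:
        return None
    return int(toks[0], 16), bytes(raw), toks[i]

def branch_target(addr: int, raw: bytes) -> Optional[int]:
    """Recover a relative jump's target from its encoding: target = next_ip + rel."""
    op = raw[1:] if raw and raw[0] == 0x67 else raw     # drop the address-size prefix (jcxz)
    if not op:
        return None
    next_ip, b0 = addr + len(raw), op[0]
    if len(op) == 2 and (0x70 <= b0 <= 0x7F or 0xE0 <= b0 <= 0xE3 or b0 == 0xEB):
        rel = int.from_bytes(op[1:], "little", signed=True)      # Jcc / LOOP / JCXZ / JMP rel8
    elif len(op) == 5 and b0 == 0xE9:
        rel = int.from_bytes(op[1:], "little", signed=True)      # JMP rel32
    elif len(op) == 6 and b0 == 0x0F and 0x80 <= op[1] <= 0x8F:
        rel = int.from_bytes(op[2:], "little", signed=True)      # Jcc rel32
    else:
        return None
    return (next_ip + rel) & 0xFFFFFFFF

def classify_branches(listing: str) -> List[Branch]:
    """Classify every relative jump against the address range of the listing itself."""
    code = [d for d in (decode_line(l) for l in listing.splitlines()) if d]
    lo, hi = min(a for a, _, _ in code), max(a + len(r) for a, r, _ in code)
    found = []
    for addr, raw, mn in code:
        tgt = branch_target(addr, raw)
        if tgt is None:
            continue
        kind = "exit" if not lo <= tgt < hi else ("loop" if tgt < addr else "forward")
        found.append(Branch(addr, mn, tgt, kind))
    return found

def oep_candidates(listing: str) -> List[int]:
    """Targets of jumps that leave the stub: where to run to (OD command line: G <addr>)."""
    return [b.target for b in classify_branches(listing) if b.kind == "exit"]

if __name__ == "__main__":
    for b in classify_branches(SAMPLE_LISTING):
        print(f"{b.addr:08X} {b.mnemonic:<6} -> {b.target:08X}  {b.kind}")
    print("OEP candidates:", [f"{a:08X}" for a in oep_candidates(SAMPLE_LISTING)])
```

On the sample lines the script reports the five backward jumps as loops and the je at 004B0E2B as the only exit, with target 0046A5A0, which is the address the author runs to with G 0046A5A0 in method 2. Decoding from the bytes also recovers the clipped loopd target (004B0E03) that the listing itself does not show.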
Unpacking method 2:
Command line: G 0046A5A0, unpack directly.... (Who undresses that fast? Not a human, far too quick.): a new method
We arrive at the OEP
0046A5A0 55 push ebp ; OEP---------->0046A5A0
0046A5A1 8BEC mov ebp,esp
0046A5A3 83C4 F0 add esp,-10
0046A5A6 B8 60A24600 mov eax,Alexa排?0046A260
0046A5AB E8 20B8F9FF call Alexa排?00405DD0
0046A5B0 A1 D0C94600 mov eax,dword ptr ds:[46C>
0046A5B5 8B00 mov eax,dword ptr ds:[eax>
OK, we're at the OEP; now take the program's clothes off (dump it).
Once it's undressed you still can't "do" the program; you still have to fix the import table. After sorting out the import table with IRE (ImportREC), do whatever you like with her. (Fixing the import table is not detailed here.)
Final note: programs unpacked with either of my two methods still show "Nothing found *" in PEiD, but the unpacked programs all work. The only shortcoming is that you can't see what language the program was written in.