-
-
[旧帖] PE.sedata带壳破解请求思路 0.00雪花
-
发表于: 2013-2-26 15:40
-
PE.sedata带壳破解请求思路
入口点:0021302A
软件下载地址附上,希望大神们看下,我是做补丁的,没脱壳了http://pan.baidu.com/share/link?shareid=380150&uk=3995814774
用OD直接载入
0061302A > $ E8 1C000000 call 百度贴吧.0061304B ; PUSH ASCII "Safengine Shielden v2.1.9.0"
0061302F . 53 61 66 65 6>ascii "Safengine Shield"
0061303F . 65 6E 20 76 3>ascii "en v2.1.9.0",0
0061304B >^ EB C0 jmp short 百度贴吧.0061300D
0061304D . 15 84371E69 adc eax,0x691E3784
00613052 > 810424 E60900>add dword ptr ss:[esp],0x9E6
00613059 . E8 3207ECFF call 百度贴吧.004D3790
0061305E . 61 popad
0061305F .^ E9 C2CCFFFF jmp 百度贴吧.0060FD26
运行后,程序中输入用户名和密码,会提示密码错误
然后暂停,执行到用户代码点确定程序到达
0048CE5C 94 xchg eax,esp
0048CE5D 894D AC mov dword ptr ss:[ebp-0x54],ecx
0048CE60 8945 A4 mov dword ptr ss:[ebp-0x5C],eax
0048CE63 C785 7CFFFFFF 2>mov dword ptr ss:[ebp-0x84],百度贴吧.0042142>; 密码错误
0048CE6D 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
0048CE73 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
0048CE76 C785 74FFFFFF 0>mov dword ptr ss:[ebp-0x8C],0x8
0048CE80 E8 A18A1200 call 百度贴吧.005B5926
0048CE85 D08D 45848D4D ror byte ptr ss:[ebp+0x4D8D8445],1
0048CE8B 94 xchg eax,esp
0048CE8C 50 push eax
0048CE8D 8D55 A4 lea edx,dword ptr ss:[ebp-0x5C]
0048CE90 51 push ecx
0048CE91 52 push edx
0048CE92 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
0048CE95 6A 00 push 0x0
0048CE97 50 push eax
0048CE98 E8 BA8F1200 call 百度贴吧.005B5E57
0048CE9D AE scas byte ptr es:[edi]
0048CE9E 8D4D 84 lea ecx,dword ptr ss:[ebp-0x7C]
向上找到程序首是这样的
0048CB36 C2 1400 retn 0x14
0048CB39 90 nop
0048CB3A 90 nop
0048CB3B 90 nop
0048CB3C 90 nop
0048CB3D 90 nop
0048CB3E 90 nop
0048CB3F 90 nop
0048CB40 55 push ebp
0048CB41 8BEC mov ebp,esp
0048CB43 83EC 0C sub esp,0xC
0048CB46 68 36474000 push 百度贴吧.00404736
0048CB4B 64:A1 00000000 mov eax,dword ptr fs:[0]
0048CB51 50 push eax
0048CB52 64:8925 0000000>mov dword ptr fs:[0],esp
0048CB59 81EC C0000000 sub esp,0xC0
0048CB5F 53 push ebx
0048CB60 56 push esi
0048CB61 57 push edi
0048CB62 8965 F4 mov dword ptr ss:[ebp-0xC],esp
0048CB65 C745 F8 4032400>mov dword ptr ss:[ebp-0x8],百度贴吧.00403240
0048CB6C 8B75 08 mov esi,dword ptr ss:[ebp+0x8]
0048CB6F 8BC6 mov eax,esi
0048CB71 83E0 01 and eax,0x1
0048CB74 8945 FC mov dword ptr ss:[ebp-0x4],eax
0048CB77 83E6 FE and esi,0xFFFFFFFE
0048CB7A 56 push esi
0048CB7B 8975 08 mov dword ptr ss:[ebp+0x8],esi
0048CB7E 8B0E mov ecx,dword ptr ds:[esi]
0048CB80 FF51 04 call dword ptr ds:[ecx+0x4]
0048CB83 66:8B45 0C mov ax,word ptr ss:[ebp+0xC]
0048CB87 33FF xor edi,edi
0048CB89 66:3D 0C00 cmp ax,0xC
0048CB8D 897D E8 mov dword ptr ss:[ebp-0x18],edi
0048CB90 897D E4 mov dword ptr ss:[ebp-0x1C],edi
0048CB93 897D E0 mov dword ptr ss:[ebp-0x20],edi
0048CB96 897D DC mov dword ptr ss:[ebp-0x24],edi
0048CB99 897D D8 mov dword ptr ss:[ebp-0x28],edi
0048CB9C 897D D4 mov dword ptr ss:[ebp-0x2C],edi
0048CB9F 897D D0 mov dword ptr ss:[ebp-0x30],edi
0048CBA2 897D CC mov dword ptr ss:[ebp-0x34],edi
0048CBA5 897D C8 mov dword ptr ss:[ebp-0x38],edi
0048CBA8 897D C4 mov dword ptr ss:[ebp-0x3C],edi
0048CBAB 897D B4 mov dword ptr ss:[ebp-0x4C],edi
0048CBAE 897D A4 mov dword ptr ss:[ebp-0x5C],edi
0048CBB1 897D 94 mov dword ptr ss:[ebp-0x6C],edi
0048CBB4 897D 84 mov dword ptr ss:[ebp-0x7C],edi
0048CBB7 89BD 74FFFFFF mov dword ptr ss:[ebp-0x8C],edi
0048CBBD 89BD 64FFFFFF mov dword ptr ss:[ebp-0x9C],edi
0048CBC3 89BD 40FFFFFF mov dword ptr ss:[ebp-0xC0],edi
0048CBC9 0F85 70080000 jnz 百度贴吧.0048D43F 这个是跳到网络那块
0048D43A /E9 E5000000 jmp 百度贴吧.0048D524
0048D43F |66:3D 0B00 cmp ax,0xB
0048D443 |0F85 DB000000 jnz 百度贴吧.0048D524
0048D449 |B9 04000280 mov ecx,0x80020004
0048D44E |B8 0A000000 mov eax,0xA
0048D453 |894D 8C mov dword ptr ss:[ebp-0x74],ecx
0048D456 |894D 9C mov dword ptr ss:[ebp-0x64],ecx
0048D459 |894D AC mov dword ptr ss:[ebp-0x54],ecx
0048D45C |8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
0048D462 |8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
0048D465 |8945 84 mov dword ptr ss:[ebp-0x7C],eax
0048D468 |8945 94 mov dword ptr ss:[ebp-0x6C],eax
0048D46B |8945 A4 mov dword ptr ss:[ebp-0x5C],eax
0048D46E |C785 7CFFFFFF 6>mov dword ptr ss:[ebp-0x84],百度贴吧.0042156>; 连接超时,请检查网络
0048CBCF BA D4134200 mov edx,百度贴吧.004213D4 ; VM_START
0048CBD4 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0048CBD7 E8 DA991200 call 百度贴吧.005B65B6
0048CBDC 878D 55E452E8 xchg dword ptr ss:[ebp+0xE852E455],ecx
0048CBE2 DC9D 1200CD8D fcomp qword ptr ss:[ebp+0x8DCD0012]
0048CBE8 4D dec ebp
有这几处我修改了,虽然可以登录了,当是软件还是用不了,希望有大神们帮我看下,怎么来操作,以下是我的几个修改点
0048CD23 /0F85 0F010000 jnz 百度贴吧.0048CE38 //这处直接JMP是跳过注册提示
0048CD29 |B9 04000280 mov ecx,0x80020004
0048CD2E |B8 0A000000 mov eax,0xA
0048CD33 |894D 8C mov dword ptr ss:[ebp-0x74],ecx
0048CD36 |894D 9C mov dword ptr ss:[ebp-0x64],ecx
0048CD39 |894D AC mov dword ptr ss:[ebp-0x54],ecx
0048CD3C |8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
0048CD42 |8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
0048CD45 |8945 84 mov dword ptr ss:[ebp-0x7C],eax
0048CD48 |8945 94 mov dword ptr ss:[ebp-0x6C],eax
0048CD4B |8945 A4 mov dword ptr ss:[ebp-0x5C],eax
0048CD4E |C785 7CFFFFFF F>mov dword ptr ss:[ebp-0x84],百度贴吧.004213F>; 请先注册
入口点:0021302A
软件下载地址附上,希望大神们看下,我是做补丁的,没脱壳了http://pan.baidu.com/share/link?shareid=380150&uk=3995814774
用OD直接载入
0061302A > $ E8 1C000000 call 百度贴吧.0061304B ; PUSH ASCII "Safengine Shielden v2.1.9.0"
0061302F . 53 61 66 65 6>ascii "Safengine Shield"
0061303F . 65 6E 20 76 3>ascii "en v2.1.9.0",0
0061304B >^ EB C0 jmp short 百度贴吧.0061300D
0061304D . 15 84371E69 adc eax,0x691E3784
00613052 > 810424 E60900>add dword ptr ss:[esp],0x9E6
00613059 . E8 3207ECFF call 百度贴吧.004D3790
0061305E . 61 popad
0061305F .^ E9 C2CCFFFF jmp 百度贴吧.0060FD26
运行后,程序中输入用户名和密码,会提示密码错误
然后暂停,执行到用户代码点确定程序到达
0048CE5C 94 xchg eax,esp
0048CE5D 894D AC mov dword ptr ss:[ebp-0x54],ecx
0048CE60 8945 A4 mov dword ptr ss:[ebp-0x5C],eax
0048CE63 C785 7CFFFFFF 2>mov dword ptr ss:[ebp-0x84],百度贴吧.0042142>; 密码错误
0048CE6D 8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
0048CE73 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
0048CE76 C785 74FFFFFF 0>mov dword ptr ss:[ebp-0x8C],0x8
0048CE80 E8 A18A1200 call 百度贴吧.005B5926
0048CE85 D08D 45848D4D ror byte ptr ss:[ebp+0x4D8D8445],1
0048CE8B 94 xchg eax,esp
0048CE8C 50 push eax
0048CE8D 8D55 A4 lea edx,dword ptr ss:[ebp-0x5C]
0048CE90 51 push ecx
0048CE91 52 push edx
0048CE92 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
0048CE95 6A 00 push 0x0
0048CE97 50 push eax
0048CE98 E8 BA8F1200 call 百度贴吧.005B5E57
0048CE9D AE scas byte ptr es:[edi]
0048CE9E 8D4D 84 lea ecx,dword ptr ss:[ebp-0x7C]
向上找到程序首是这样的
0048CB36 C2 1400 retn 0x14
0048CB39 90 nop
0048CB3A 90 nop
0048CB3B 90 nop
0048CB3C 90 nop
0048CB3D 90 nop
0048CB3E 90 nop
0048CB3F 90 nop
0048CB40 55 push ebp
0048CB41 8BEC mov ebp,esp
0048CB43 83EC 0C sub esp,0xC
0048CB46 68 36474000 push 百度贴吧.00404736
0048CB4B 64:A1 00000000 mov eax,dword ptr fs:[0]
0048CB51 50 push eax
0048CB52 64:8925 0000000>mov dword ptr fs:[0],esp
0048CB59 81EC C0000000 sub esp,0xC0
0048CB5F 53 push ebx
0048CB60 56 push esi
0048CB61 57 push edi
0048CB62 8965 F4 mov dword ptr ss:[ebp-0xC],esp
0048CB65 C745 F8 4032400>mov dword ptr ss:[ebp-0x8],百度贴吧.00403240
0048CB6C 8B75 08 mov esi,dword ptr ss:[ebp+0x8]
0048CB6F 8BC6 mov eax,esi
0048CB71 83E0 01 and eax,0x1
0048CB74 8945 FC mov dword ptr ss:[ebp-0x4],eax
0048CB77 83E6 FE and esi,0xFFFFFFFE
0048CB7A 56 push esi
0048CB7B 8975 08 mov dword ptr ss:[ebp+0x8],esi
0048CB7E 8B0E mov ecx,dword ptr ds:[esi]
0048CB80 FF51 04 call dword ptr ds:[ecx+0x4]
0048CB83 66:8B45 0C mov ax,word ptr ss:[ebp+0xC]
0048CB87 33FF xor edi,edi
0048CB89 66:3D 0C00 cmp ax,0xC
0048CB8D 897D E8 mov dword ptr ss:[ebp-0x18],edi
0048CB90 897D E4 mov dword ptr ss:[ebp-0x1C],edi
0048CB93 897D E0 mov dword ptr ss:[ebp-0x20],edi
0048CB96 897D DC mov dword ptr ss:[ebp-0x24],edi
0048CB99 897D D8 mov dword ptr ss:[ebp-0x28],edi
0048CB9C 897D D4 mov dword ptr ss:[ebp-0x2C],edi
0048CB9F 897D D0 mov dword ptr ss:[ebp-0x30],edi
0048CBA2 897D CC mov dword ptr ss:[ebp-0x34],edi
0048CBA5 897D C8 mov dword ptr ss:[ebp-0x38],edi
0048CBA8 897D C4 mov dword ptr ss:[ebp-0x3C],edi
0048CBAB 897D B4 mov dword ptr ss:[ebp-0x4C],edi
0048CBAE 897D A4 mov dword ptr ss:[ebp-0x5C],edi
0048CBB1 897D 94 mov dword ptr ss:[ebp-0x6C],edi
0048CBB4 897D 84 mov dword ptr ss:[ebp-0x7C],edi
0048CBB7 89BD 74FFFFFF mov dword ptr ss:[ebp-0x8C],edi
0048CBBD 89BD 64FFFFFF mov dword ptr ss:[ebp-0x9C],edi
0048CBC3 89BD 40FFFFFF mov dword ptr ss:[ebp-0xC0],edi
0048CBC9 0F85 70080000 jnz 百度贴吧.0048D43F 这个是跳到网络那块
0048D43A /E9 E5000000 jmp 百度贴吧.0048D524
0048D43F |66:3D 0B00 cmp ax,0xB
0048D443 |0F85 DB000000 jnz 百度贴吧.0048D524
0048D449 |B9 04000280 mov ecx,0x80020004
0048D44E |B8 0A000000 mov eax,0xA
0048D453 |894D 8C mov dword ptr ss:[ebp-0x74],ecx
0048D456 |894D 9C mov dword ptr ss:[ebp-0x64],ecx
0048D459 |894D AC mov dword ptr ss:[ebp-0x54],ecx
0048D45C |8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
0048D462 |8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
0048D465 |8945 84 mov dword ptr ss:[ebp-0x7C],eax
0048D468 |8945 94 mov dword ptr ss:[ebp-0x6C],eax
0048D46B |8945 A4 mov dword ptr ss:[ebp-0x5C],eax
0048D46E |C785 7CFFFFFF 6>mov dword ptr ss:[ebp-0x84],百度贴吧.0042156>; 连接超时,请检查网络
0048CBCF BA D4134200 mov edx,百度贴吧.004213D4 ; VM_START
0048CBD4 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0048CBD7 E8 DA991200 call 百度贴吧.005B65B6
0048CBDC 878D 55E452E8 xchg dword ptr ss:[ebp+0xE852E455],ecx
0048CBE2 DC9D 1200CD8D fcomp qword ptr ss:[ebp+0x8DCD0012]
0048CBE8 4D dec ebp
有这几处我修改了,虽然可以登录了,当是软件还是用不了,希望有大神们帮我看下,怎么来操作,以下是我的几个修改点
0048CD23 /0F85 0F010000 jnz 百度贴吧.0048CE38 //这处直接JMP是跳过注册提示
0048CD29 |B9 04000280 mov ecx,0x80020004
0048CD2E |B8 0A000000 mov eax,0xA
0048CD33 |894D 8C mov dword ptr ss:[ebp-0x74],ecx
0048CD36 |894D 9C mov dword ptr ss:[ebp-0x64],ecx
0048CD39 |894D AC mov dword ptr ss:[ebp-0x54],ecx
0048CD3C |8D95 74FFFFFF lea edx,dword ptr ss:[ebp-0x8C]
0048CD42 |8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
0048CD45 |8945 84 mov dword ptr ss:[ebp-0x7C],eax
0048CD48 |8945 94 mov dword ptr ss:[ebp-0x6C],eax
0048CD4B |8945 A4 mov dword ptr ss:[ebp-0x5C],eax
0048CD4E |C785 7CFFFFFF F>mov dword ptr ss:[ebp-0x84],百度贴吧.004213F>; 请先注册
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
