【使用工具】 FLYODBG1.1 PEID0.93
【破解平台】 WinXP
【软件名称】 XXXXXXXXXXXXX
【加壳方式】 幻影2.33、UPX
本人是菜鸟,初学破解,希望能得到大家的帮助,下面有个问题想请教。。。
幻影2.33的壳对我来说不可能了,直接用脱壳机Unpacker v1.06 脱掉,PEID查看:
UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
载入OD,弹出“是压缩代码――要继续进行分析吗?”,点“否”。
00450750 u> 60 pushad ; 程序入口
00450751 BE 00104200 mov esi,unpacked.00421000 ; F8单步走
00450756 8DBE 0000FEFF lea edi,dword ptr ds:[esi+FFFE0000]
0045075C 57 push edi
0045075D 83CD FF or ebp,FFFFFFFF
00450760 EB 10 jmp short unpacked.00450772 ; 跳
00450762 90 nop
00450763 90 nop
00450764 90 nop
00450765 90 nop
00450766 90 nop
00450767 90 nop
00450768 8A06 mov al,byte ptr ds:[esi]
0045076A 46 inc esi
0045076B 8807 mov byte ptr ds:[edi],al
0045076D 47 inc edi
0045076E 01DB add ebx,ebx
00450770 75 07 jnz short unpacked.00450779
00450772 8B1E mov ebx,dword ptr ds:[esi]
00450774 83EE FC sub esi,-4
00450777 11DB adc ebx,ebx
00450779 ^ 72 ED jb short unpacked.00450768 ; 循环
0045077B B8 01000000 mov eax,1
00450780 01DB add ebx,ebx
00450782 75 07 jnz short unpacked.0045078B
00450784 8B1E mov ebx,dword ptr ds:[esi] ; F4跳过
00450786 83EE FC sub esi,-4
00450789 11DB adc ebx,ebx
0045078B 11C0 adc eax,eax
0045078D 01DB add ebx,ebx
0045078F 73 0B jnb short unpacked.0045079C
00450791 75 28 jnz short unpacked.004507BB
00450793 8B1E mov ebx,dword ptr ds:[esi] ; F4
00450795 83EE FC sub esi,-4
00450798 11DB adc ebx,ebx
0045079A 72 1F jb short unpacked.004507BB
0045079C 48 dec eax ; F4
0045079D 01DB add ebx,ebx
0045079F 75 07 jnz short unpacked.004507A8
004507A1 8B1E mov ebx,dword ptr ds:[esi] ; F4跳过。。往下走。。。
004507A3 83EE FC sub esi,-4
004507A6 11DB adc ebx,ebx
004507A8 11C0 adc eax,eax
004507AA ^ EB D4 jmp short unpacked.00450780
004507AC 01DB add ebx,ebx
004507AE 75 07 jnz short unpacked.004507B7
004507B0 8B1E mov ebx,dword ptr ds:[esi]
004507B2 83EE FC sub esi,-4
004507B5 11DB adc ebx,ebx
004507B7 11C9 adc ecx,ecx
004507B9 EB 52 jmp short unpacked.0045080D
004507BB 31C9 xor ecx,ecx
004507BD 83E8 03 sub eax,3
004507C0 72 11 jb short unpacked.004507D3
004507C2 C1E0 08 shl eax,8
004507C5 8A06 mov al,byte ptr ds:[esi]
004507C7 46 inc esi
004507C8 83F0 FF xor eax,FFFFFFFF
004507CB 74 75 je short unpacked.00450842
004507CD D1F8 sar eax,1
004507CF 89C5 mov ebp,eax
004507D1 EB 0B jmp short unpacked.004507DE
004507D3 01DB add ebx,ebx
004507D5 75 07 jnz short unpacked.004507DE
004507D7 8B1E mov ebx,dword ptr ds:[esi]
004507D9 83EE FC sub esi,-4
004507DC 11DB adc ebx,ebx
004507DE ^ 72 CC jb short unpacked.004507AC
004507E0 41 inc ecx
004507E1 01DB add ebx,ebx
004507E3 75 07 jnz short unpacked.004507EC
004507E5 8B1E mov ebx,dword ptr ds:[esi]
004507E7 83EE FC sub esi,-4
004507EA 11DB adc ebx,ebx
004507EC ^ 72 BE jb short unpacked.004507AC
004507EE 01DB add ebx,ebx
004507F0 75 07 jnz short unpacked.004507F9
004507F2 8B1E mov ebx,dword ptr ds:[esi]
004507F4 83EE FC sub esi,-4
004507F7 11DB adc ebx,ebx
004507F9 11C9 adc ecx,ecx
004507FB 01DB add ebx,ebx
004507FD ^ 73 EF jnb short unpacked.004507EE
004507FF 75 09 jnz short unpacked.0045080A
00450801 8B1E mov ebx,dword ptr ds:[esi]
00450803 83EE FC sub esi,-4
00450806 11DB adc ebx,ebx
00450808 ^ 73 E4 jnb short unpacked.004507EE
0045080A 83C1 02 add ecx,2
0045080D 81FD 00FBFFFF cmp ebp,-500
00450813 83D1 02 adc ecx,2
00450816 8D142F lea edx,dword ptr ds:[edi+ebp]
00450819 83FD FC cmp ebp,-4
0045081C 76 0E jbe short unpacked.0045082C
0045081E 8A02 mov al,byte ptr ds:[edx]
00450820 42 inc edx
00450821 8807 mov byte ptr ds:[edi],al
00450823 47 inc edi
00450824 49 dec ecx
00450825 ^ 75 F7 jnz short unpacked.0045081E
00450827 ^ E9 42FFFFFF jmp unpacked.0045076E
0045082C 8B02 mov eax,dword ptr ds:[edx]
0045082E 83C2 04 add edx,4
00450831 8907 mov dword ptr ds:[edi],eax
00450833 83C7 04 add edi,4
00450836 83E9 04 sub ecx,4
00450839 ^ 77 F1 ja short unpacked.0045082C
0045083B 01CF add edi,ecx
0045083D ^ E9 2CFFFFFF jmp unpacked.0045076E
00450842 5E pop esi ; kernel32.77E5EB69
00450843 89F7 mov edi,esi
00450845 B9 86000000 mov ecx,86
0045084A 8A07 mov al,byte ptr ds:[edi]
0045084C 47 inc edi
0045084D 2C E8 sub al,0E8
0045084F 3C 01 cmp al,1
00450851 ^ 77 F7 ja short unpacked.0045084A
00450853 803F 01 cmp byte ptr ds:[edi],1
00450856 ^ 75 F2 jnz short unpacked.0045084A
00450858 8B07 mov eax,dword ptr ds:[edi]
0045085A 8A5F 04 mov bl,byte ptr ds:[edi+4]
0045085D 66:C1E8 08 shr ax,8
00450861 C1C0 10 rol eax,10
00450864 86C4 xchg ah,al
00450866 29F8 sub eax,edi
00450868 80EB E8 sub bl,0E8
0045086B 01F0 add eax,esi
0045086D 8907 mov dword ptr ds:[edi],eax
0045086F 83C7 05 add edi,5
00450872 88D8 mov al,bl
00450874 ^ E2 D9 loopd short unpacked.0045084F
00450876 8DBE 00E00400 lea edi,dword ptr ds:[esi+4E000]
0045087C 8B07 mov eax,dword ptr ds:[edi]
0045087E 09C0 or eax,eax
00450880 74 45 je short unpacked.004508C7
00450882 8B5F 04 mov ebx,dword ptr ds:[edi+4]
00450885 8D8430 8C5A0500 lea eax,dword ptr ds:[eax+esi+55A8C]
0045088C 01F3 add ebx,esi
0045088E 50 push eax
0045088F 83C7 08 add edi,8
00450892 FF96 185B0500 call dword ptr ds:[esi+55B18]
00450898 95 xchg eax,ebp
00450899 8A07 mov al,byte ptr ds:[edi]
0045089B 47 inc edi
0045089C 08C0 or al,al
0045089E ^ 74 DC je short unpacked.0045087C
004508A0 89F9 mov ecx,edi
004508A2 79 07 jns short unpacked.004508AB
004508A4 0FB707 movzx eax,word ptr ds:[edi]
004508A7 47 inc edi
004508A8 50 push eax
004508A9 47 inc edi
004508AA B9 5748F2AE mov ecx,AEF24857
004508AF 55 push ebp
004508B0 FF96 1C5B0500 call dword ptr ds:[esi+55B1C]
004508B6 09C0 or eax,eax
004508B8 74 07 je short unpacked.004508C1
004508BA 8903 mov dword ptr ds:[ebx],eax
004508BC 83C3 04 add ebx,4
004508BF ^ EB D8 jmp short unpacked.00450899
004508C1 FF96 205B0500 call dword ptr ds:[esi+55B20] ; 到这里CALL程序运行。进程中止
004508C7 61 popad
004508C8 - E9 3137FBFF jmp unpacked.00403FFE ; 下断,000403FFE为OEP??
004508CD 0000 add byte ptr ds:[eax],al
004508CF 0000 add byte ptr ds:[eax],al
004508D1 0000 add byte ptr ds:[eax],al
-----------------------------------------------------------------------------------------------
F9运行断下来到这里
00403FFE 55 push ebp ; 在这里脱壳??????
00403FFF 8BEC mov ebp,esp
00404001 6A FF push -1
00404003 68 00564000 push unpacked.00405600
00404008 68 84414000 push unpacked.00404184 ; jmp to MSVCRT._except_handler3
0040400D 64:A1 00000000 mov eax,dword ptr fs:[0]
00404013 50 push eax
00404014 64:8925 00000000 mov dword ptr fs:[0],esp
0040401B 83EC 68 sub esp,68
0040401E 53 push ebx
用插件PE Dumper 脱壳。。。
用PEID查看,为C++6.0。
程程序无法运行,请高手指点。。。
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)