软件大小:820KB
软件语言:简体中文
软件类别:国产软件/共享版/编程工具
运行环境:Win9x/Me/NT/2000/XP
加入时间:2003-6-15 22:12:30
下载次数:1070
本软件是一个本地化工具,主要用于非资源格式的本地化工作,支持的种类包括非资源格式的 C 编译的程序中的 ASCII 字符串
和 UniCode 字符串、非资源格式的 Delphi(C++ Builder)编译的程序的字符串、VB 编译的程序的字符串、文本格式的字符串
等的提取及替换。同时它还拥有方便的版本升级功能、字典处理功能,使您在翻译新版本时事半功倍。本软件提供英文、简体中
文和繁体中文三种语言选择,并且您也可以很方便的添加对其它语言的支持.
下载地址:http://down.ls.xz.cn/soft/8717.htm
加壳方式(查壳结果):tElock 0.98b1 -> tE! + UPX-Scrambler RC1.x -> ┫nT?L(即外层为 tElock,内层为经过 Scrambler 处理过的 UPX,下面分两层脱)
一、脱壳
在 OD 的调试选项“异常”页中勾选“忽略在KERNEL32中的内存访问异常”、“INT3中断”、“单步中断”(tElock 利用 SEH 异常做反调试,这样 F9 只会停在壳自己处理的那几次异常上),然后用 OD 载入。注意:脱壳过程会真正运行被加壳的程序,应在隔离的虚拟机里进行。
00451BD6 >^\E9 25E4FFFF jmp LocPlus.00450000//OD 载入后停在入口点(EP)这里,这是 tElock 外层壳的入口
00451BDB 0000 add byte ptr ds:[eax],al
00451BDD 00E9 add cl,ch
00451BDF B0 26 mov al,26
00451BE1 52 push edx
按 F9 运行,壳开始触发异常;连按 5 次 F9 到达最后一次异常,停在下面这条非法指令处:
004516F1 8DC0 lea eax,eax ; 非法使用寄存器
004516F3 EB 01 jmp short LocPlus.004516F6
004516F5 EB 68 jmp short LocPlus.0045175F
堆栈:
0012FF94 0012FFE0 指针到下一个 SEH 记录
0012FF98 004516FF SE 句柄
堆栈窗口显示当前 SE 句柄为 004516FF,异常由壳的这个处理函数接管,直接跟到 004516FF 处:
004516FF 8B6424 08 mov esp,dword ptr ss:[esp+8]
00451703 33C0 xor eax,eax
00451705 FF6424 08 jmp dword ptr ss:[esp+8]
00451714 64:8F00 pop dword ptr fs:[eax] ; 0012FFE0
00451717 58 pop eax
00451718 EB 02 jmp short LocPlus.0045171C
0045171C 58 pop eax ; LocPlus.00451714
0045171D 5D pop ebp
0045171E 0BE4 or esp,esp
00451720 75 01 jnz short LocPlus.00451723
00451723 F9 stc
00451724 E8 7F000000 call LocPlus.004517A8 ;动态解码
00451729 8B9D 82D34000 mov ebx,dword ptr ss:[ebp+40D382]
0045172F 33F6 xor esi,esi
00451731 F7D3 not ebx
00451733 0BF3 or esi,ebx
00451735 75 08 jnz short LocPlus.0045173F
0045173F 039D 62D34000 add ebx,dword ptr ss:[ebp+40D362] ; LocPlus.00400000
00451745 895C24 F0 mov dword ptr ss:[esp-10],ebx
00451749 8DBD 84D24000 lea edi,dword ptr ss:[ebp+40D284]
0045174F 33C0 xor eax,eax
00451751 B9 9E030000 mov ecx,39E
00451756 F3:AA rep stos byte ptr es:[edi]
00451758 8DBD A2B64000 lea edi,dword ptr ss:[ebp+40B6A2]
0045175E B9 58170000 mov ecx,1758
00451763 F3:AA rep stos byte ptr es:[edi]
00451765 66:AB stos word ptr es:[edi]
00451767 8DBD A2B64000 lea edi,dword ptr ss:[ebp+40B6A2]
0045176D 85F6 test esi,esi
0045176F /75 08 jnz short LocPlus.00451779
00451779 C607 E9 mov byte ptr ds:[edi],0E9
0045177C 47 inc edi
0045177D 2BDF sub ebx,edi
0045177F 83EB 04 sub ebx,4
00451782 891F mov dword ptr ds:[edi],ebx
00451784 8DBD FACD4000 lea edi,dword ptr ss:[ebp+40CDFA]
0045178A B9 2C000000 mov ecx,2C
0045178F F3:AA rep stos byte ptr es:[edi]
00451791 66:AB stos word ptr es:[edi] ;又开始解码
00451793 EB 02 jmp short LocPlus.00451797
00451797 61 popad
00451798 FF6424 D0 jmp dword ptr ss:[esp-30]
0044E000 9C pushfd
0044E001 60 pushad
0044E002 E8 02000000 call LocPlus.0044E009
这里 pushfd/pushad 保存了全部寄存器(ESP 定律):在命令行输入 hr esp 对当前 ESP 下硬件访问断点,F9 运行,直接停在第一层壳 popfd/retn 的出口处:
0044E1A7 9D popfd
0044E1A8 68 D0734400 push LocPlus.004473D0
0044E1AD C3 retn///返回到 004473D0 (LocPlus.004473D0)
004473D0 60 pushad//第二层壳 UPX 入口:典型的 UPX pushad 开头,后面是 UPX 的解压循环与输入表重建
004473D1 BE 15604300 mov esi,LocPlus.00436015
004473D6 8DBE EBAFFCFF lea edi,dword ptr ds:[esi+FFFCAFEB]
004473DC 57 push edi
004473DD 83CD FF or ebp,FFFFFFFF
004473E0 EB 10 jmp short LocPlus.004473F2
004473E2 90 nop
004473E3 90 nop
004473E4 90 nop
004473E5 90 nop
004473E6 90 nop
004473E7 90 nop
004473E8 8A06 mov al,byte ptr ds:[esi]
004473EA 46 inc esi
004473EB 8807 mov byte ptr ds:[edi],al
004473ED 47 inc edi
004473EE 01DB add ebx,ebx
004473F0 75 07 jnz short LocPlus.004473F9
004473F2 8B1E mov ebx,dword ptr ds:[esi]
004473F4 83EE FC sub esi,-4
004473F7 11DB adc ebx,ebx
004473F9 ^ 72 ED jb short LocPlus.004473E8
004473FB B8 01000000 mov eax,1
00447400 01DB add ebx,ebx
00447402 75 07 jnz short LocPlus.0044740B
00447404 8B1E mov ebx,dword ptr ds:[esi]
00447406 83EE FC sub esi,-4
00447409 11DB adc ebx,ebx
0044740B 11C0 adc eax,eax
0044740D 01DB add ebx,ebx
0044740F 73 0B jnb short LocPlus.0044741C
00447411 75 19 jnz short LocPlus.0044742C
00447413 8B1E mov ebx,dword ptr ds:[esi]
00447415 83EE FC sub esi,-4
00447418 11DB adc ebx,ebx
0044741A 72 10 jb short LocPlus.0044742C
0044741C 48 dec eax
0044741D 01DB add ebx,ebx
0044741F 75 07 jnz short LocPlus.00447428
00447421 8B1E mov ebx,dword ptr ds:[esi]
00447423 83EE FC sub esi,-4
00447426 11DB adc ebx,ebx
00447428 11C0 adc eax,eax
0044742A ^ EB D4 jmp short LocPlus.00447400
0044742C 31C9 xor ecx,ecx
0044742E 83E8 03 sub eax,3
00447431 72 11 jb short LocPlus.00447444
00447433 C1E0 08 shl eax,8
00447436 8A06 mov al,byte ptr ds:[esi]
00447438 46 inc esi
00447439 83F0 FF xor eax,FFFFFFFF
0044743C 74 78 je short LocPlus.004474B6
0044743E D1F8 sar eax,1
00447440 89C5 mov ebp,eax
00447442 EB 0B jmp short LocPlus.0044744F
00447444 01DB add ebx,ebx
00447446 75 07 jnz short LocPlus.0044744F
00447448 8B1E mov ebx,dword ptr ds:[esi]
0044744A 83EE FC sub esi,-4
0044744D 11DB adc ebx,ebx
0044744F 11C9 adc ecx,ecx
00447451 01DB add ebx,ebx
00447453 75 07 jnz short LocPlus.0044745C
00447455 8B1E mov ebx,dword ptr ds:[esi]
00447457 83EE FC sub esi,-4
0044745A 11DB adc ebx,ebx
0044745C 11C9 adc ecx,ecx
0044745E 75 20 jnz short LocPlus.00447480
00447460 41 inc ecx
00447461 01DB add ebx,ebx
00447463 75 07 jnz short LocPlus.0044746C
00447465 8B1E mov ebx,dword ptr ds:[esi]
00447467 83EE FC sub esi,-4
0044746A 11DB adc ebx,ebx
0044746C 11C9 adc ecx,ecx
0044746E 01DB add ebx,ebx
00447470 ^ 73 EF jnb short LocPlus.00447461
00447472 75 09 jnz short LocPlus.0044747D
00447474 8B1E mov ebx,dword ptr ds:[esi]
00447476 83EE FC sub esi,-4
00447479 11DB adc ebx,ebx
0044747B ^ 73 E4 jnb short LocPlus.00447461
0044747D 83C1 02 add ecx,2
00447480 81FD 00FBFFFF cmp ebp,-500
00447486 83D1 01 adc ecx,1
00447489 8D142F lea edx,dword ptr ds:[edi+ebp]
0044748C 83FD FC cmp ebp,-4
0044748F 76 0F jbe short LocPlus.004474A0
00447491 8A02 mov al,byte ptr ds:[edx]
00447493 42 inc edx
00447494 8807 mov byte ptr ds:[edi],al
00447496 47 inc edi
00447497 49 dec ecx
00447498 ^ 75 F7 jnz short LocPlus.00447491
0044749A ^ E9 4FFFFFFF jmp LocPlus.004473EE
0044749F 90 nop
004474A0 8B02 mov eax,dword ptr ds:[edx]
004474A2 83C2 04 add edx,4
004474A5 8907 mov dword ptr ds:[edi],eax
004474A7 83C7 04 add edi,4
004474AA 83E9 04 sub ecx,4
004474AD ^ 77 F1 ja short LocPlus.004474A0
004474AF 01CF add edi,ecx
004474B1 ^ E9 38FFFFFF jmp LocPlus.004473EE
004474B6 5E pop esi
004474B7 89F7 mov edi,esi
004474B9 B9 22030000 mov ecx,322
004474BE 8A07 mov al,byte ptr ds:[edi]
004474C0 47 inc edi
004474C1 2C E8 sub al,0E8
004474C3 3C 01 cmp al,1
004474C5 ^ 77 F7 ja short LocPlus.004474BE
004474C7 803F 05 cmp byte ptr ds:[edi],5
004474CA ^ 75 F2 jnz short LocPlus.004474BE
004474CC 8B07 mov eax,dword ptr ds:[edi]
004474CE 8A5F 04 mov bl,byte ptr ds:[edi+4]
004474D1 66:C1E8 08 shr ax,8
004474D5 C1C0 10 rol eax,10
004474D8 86C4 xchg ah,al
004474DA 29F8 sub eax,edi
004474DC 80EB E8 sub bl,0E8
004474DF 01F0 add eax,esi
004474E1 8907 mov dword ptr ds:[edi],eax
004474E3 83C7 05 add edi,5
004474E6 89D8 mov eax,ebx
004474E8 ^ E2 D9 loopd short LocPlus.004474C3
004474EA 8DBE 00500400 lea edi,dword ptr ds:[esi+45000]
004474F0 8B07 mov eax,dword ptr ds:[edi]
004474F2 09C0 or eax,eax
004474F4 74 45 je short LocPlus.0044753B
004474F6 8B5F 04 mov ebx,dword ptr ds:[edi+4]
004474F9 8D8430 EC7C0400 lea eax,dword ptr ds:[eax+esi+47CEC]
00447500 01F3 add ebx,esi
00447502 50 push eax
00447503 83C7 08 add edi,8
00447506 FF96 3C7D0400 call dword ptr ds:[esi+47D3C]
0044750C 95 xchg eax,ebp
0044750D 8A07 mov al,byte ptr ds:[edi]
0044750F 47 inc edi
00447510 08C0 or al,al
00447512 ^ 74 DC je short LocPlus.004474F0
00447514 89F9 mov ecx,edi
00447516 79 07 jns short LocPlus.0044751F
00447518 0FB707 movzx eax,word ptr ds:[edi]
0044751B 47 inc edi
0044751C 50 push eax
0044751D 47 inc edi
0044751E B9 5748F2AE mov ecx,AEF24857
00447523 55 push ebp
00447524 FF96 407D0400 call dword ptr ds:[esi+47D40]
0044752A 09C0 or eax,eax
0044752C 74 07 je short LocPlus.00447535
0044752E 8903 mov dword ptr ds:[ebx],eax
00447530 83C3 04 add ebx,4
00447533 ^ EB D8 jmp short LocPlus.0044750D
00447535 FF96 447D0400 call dword ptr ds:[esi+47D44]
0044753B 61 popad
0044753C - E9 BBB2FBFF jmp LocPlus.004027FC
//0044753C 处的 jmp 004027FC 即跳向 OEP。在 F4 运行到这里之前,先用 Anti-UPX Scramble Restore 还原被 Scrambler 打乱的 UPX 代码,再 F4 到此处并跟进到 OEP 004027FC,此时 dump 即可完美脱壳(dump 及修复输入表的具体工具步骤本文略去)。
004027FC 68 FC594000 push 1.004059FC
00402801 E8 EEFFFFFF call 1.004027F4 ; jmp to
MSVBVM50.ThunRTMain //OEP 处 push 一个结构指针后直接调用 MSVBVM50.ThunRTMain,这是 VB5 程序的典型入口,说明壳下面又是一个 VB 程序
二、寻找算法
输入注册信息后程序提示重新启动,说明注册码的校验是在下次启动时进行的。注册信息(用户名与注册码)保存在注册表中(路径里的 S-1-5-21-… 是当前用户的 SID,每台机器/账户不同,对应 HKEY_CURRENT_USER 下的同名键):
HKEY_USERS\S-1-5-21-1547161642-308236825-682003330-1003\Software\OverNimble\LocPlus
UserName:pendan2001
RegCode:007FE15EE171F14E0B48373E3B
程序启动时必然要从注册表读回这两个值,因此下断 BP RegQueryValueExA,中断后返回到程序领空,来到读取注册信息之后的代码:
00432A28 FF15 9CC44300 call dword ptr ds:[<&MSVBVM50.__vbaSetSyst>; MSVBVM50.__vbaSetSystemError
00432A2E 8B4D C0 mov ecx,dword ptr ss:[ebp-40]
00432A31 51 push ecx
00432A32 68 54934300 push 2.00439354
00432A37 FF15 10C64300 call dword ptr ds:[<&MSVBVM50.__vbaStrToUn>; MSVBVM50.__vbaStrToUnicode
00432A3D 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00432A40 FFD7 call edi
00432A42 8B45 C8 mov eax,dword ptr ss:[ebp-38]
00432A45 48 dec eax
...
00432CF9 8BF0 mov esi,eax
00432CFB FF15 9CC44300 call dword ptr ds:[<&MSVBVM50.__vbaSetSyst>; MSVBVM50.__vbaSetSystemError
00432D01 8B45 C0 mov eax,dword ptr ss:[ebp-40]
00432D04 50 push eax
00432D05 68 54934300 push 2.00439354
00432D0A FF15 10C64300 call dword ptr ds:[<&MSVBVM50.__vbaStrToUn>; MSVBVM50.__vbaStrToUnicode
00432D10 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00432D13 51 push ecx
00432D14 FF15 44C74300 call dword ptr ds:[<&MSVBVM50.__vbaAryUnlo>; MSVBVM50.__vbaAryUnlock
00432D1A 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00432D1D FFD7 call edi
00432D1F 8D85 60FFFFFF lea eax,dword ptr ss:[ebp-A0]
00432D25 6A 40 push 40
00432D27 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00432D2A 8D55 D0 lea edx,dword ptr ss:[ebp-30]
00432D2D 50 push eax
00432D2E 51 push ecx
00432D2F 8995 68FFFFFF mov dword ptr ss:[ebp-98],edx
00432D35 C785 60FFFFFF 1>mov dword ptr ss:[ebp-A0],6011
00432D3F FF15 64C44300 call dword ptr ds:[<&MSVBVM50.rtcStrConvVa>; MSVBVM50.rtcStrConvVar
00432D45 8B55 E8 mov edx,dword ptr ss:[ebp-18]
00432D48 8D45 A0 lea eax,dword ptr ss:[ebp-60]
00432D4B 4A dec edx
00432D4C 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00432D4F 0F80 DA020000 jo 2.0043302F
00432D55 52 push edx
00432D56 50 push eax
00432D57 51 push ecx
00432D58 FF15 44C64300 call dword ptr ds:[<&MSVBVM50.__vbaStrVarV>; MSVBVM50.__vbaStrVarVal
00432D5E 50 push eax
//;UNICODE "EF778C83B7779A66B95D9BB269A19EBD58C848D90D36F7073CF434D07B85BD5C"
00432D5F FF15 FCC64300 call dword ptr ds:[<&MSVBVM50.rtcLeftCharB>; MSVBVM50.rtcLeftCharBstr
00432D65 8D55 90 lea edx,dword ptr ss:[ebp-70]
00432D68 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00432D6B 8945 98 mov dword ptr ss:[ebp-68],eax
00432D6E C745 90 0800000>mov dword ptr ss:[ebp-70],8
00432D75 FF15 1CC44300 call dword ptr ds:[<&MSVBVM50.__vbaVarMove>; MSVBVM50.__vbaVarMove
00432D7B 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
00432D7E FFD7 call edi
00432D80 8D4D A0 lea ecx,dword ptr ss:[ebp-60]
00432D83 FF15 2CC44300 call dword ptr ds:[<&MSVBVM50.__vbaFreeVar>; MSVBVM50.__vbaFreeVar
00432D89 BB 0A000000 mov ebx,0A
00432D8E 8B15 48934300 mov edx,dword ptr ds:[439348]
00432D94 52 push edx
00432D95 E8 7ABBFDFF call 2.0040E914
00432D9A FF15 9CC44300 call dword ptr ds:[<&MSVBVM50.__vbaSetSyst>; MSVBVM50.__vbaSetSystemError
00432DA0 85F6 test esi,esi
00432DA2 0F84 E8010000 je 2.00432F90
.....
.....
00431A5B FFD3 call ebx
00431A5D 68 3C914300 push 2.0043913C
00431A62 8D55 CC lea edx,dword ptr ss:[ebp-34]
00431A65 52 push edx
00431A66 E8 C50E0000 call 2.00432930
00431A6B 8D45 CC lea eax,dword ptr ss:[ebp-34]
00431A6E 50 push eax
00431A6F FFD7 call edi
00431A71 8BD0 mov edx,eax
00431A73 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00431A76 FFD6 call esi
00431A78 8D4D CC lea ecx,dword ptr ss:[ebp-34]
00431A7B FFD3 call ebx
00431A7D 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00431A80 51 push ecx
00431A81 E8 0AFBFFFF call 2.00431590
00431A86 8BD0 mov edx,eax
00431A88 8D4D DC lea ecx,dword ptr ss:[ebp-24]
00431A8B FFD6 call esi
00431A8D 8B55 DC mov edx,dword ptr ss:[ebp-24]
00431A90 52 push edx
00431A91 FF15 30C44300 call dword ptr ds:[<&MSVBVM50.__vbaLenBstr>; MSVBVM50.__vbaLenBstr
00431A97 83F8 0C cmp eax,0C //校验一:最后运算得到的字符串长度是否等于 0C(12)
00431A9A 75 6A jnz short 2.00431B06 //不相等则跳到 00431B06 调用 __vbaExitProcess 结束进程
00431A9C 8D45 DC lea eax,dword ptr ss:[ebp-24]
00431A9F 8945 C4 mov dword ptr ss:[ebp-3C],eax
00431AA2 C745 BC 0840000>mov dword ptr ss:[ebp-44],4008
00431AA9 8D4D BC lea ecx,dword ptr ss:[ebp-44]
00431AAC 51 push ecx
00431AAD FF15 8CC54300 call dword ptr ds:[<&MSVBVM50.rtcIsNumeric>; MSVBVM50.rtcIsNumeric
00431AB3 66:85C0 test ax,ax
00431AB6 74 4E je short 2.00431B06 //关键点(校验二):结果必须是纯数字串(rtcIsNumeric 非 0),否则结束进程
00431AB8 8B55 DC mov edx,dword ptr ss:[ebp-24]
00431ABB 52 push edx
00431ABC FF15 58C74300 call dword ptr ds:[<&MSVBVM50.rtcR8ValFrom>; MSVBVM50.rtcR8ValFromBstr
00431AC2 FF15 00C74300 call dword ptr ds:[<&MSVBVM50.__vbaFpI4>] ; MSVBVM50.__vbaFpI4
00431AC8 8945 E0 mov dword ptr ss:[ebp-20],eax
00431ACB 83F8 01 cmp eax,1
00431ACE 7C 36 jl short 2.00431B06 //关键点(校验三):转成整数后必须 >= 1,否则结束进程
00431AD0 DB45 E0 fild dword ptr ss:[ebp-20]
00431AD3 DD5D A4 fstp qword ptr ss:[ebp-5C]
00431AD6 DD45 A4 fld qword ptr ss:[ebp-5C]
00431AD9 DC1D 50204000 fcomp qword ptr ds:[402050]
00431ADF DFE0 fstsw ax
00431AE1 F6C4 41 test ah,41
00431AE4 74 20 je short 2.00431B06 //关键点(校验四):与 402050 处的双精度常量比较(常量值本文未显示),不满足则结束进程
00431AE6 66:C705 2C91430>mov word ptr ds:[43912C],0FFFF //四处校验都通过:把 43912C 处的标志置为 0FFFF(推测为“已注册”标志,待确认),随后退出进程让用户重新启动
00431AEF FF15 DCC44300 call dword ptr ds:[<&MSVBVM50.__vbaExitPro>; MSVBVM50.__vbaExitProcess
00431AF5 9B wait
00431AF6 68 281B4300 push 2.00431B28
00431AFB EB 21 jmp short 2.00431B1E
00431AFD 66:C705 2C91430>mov word ptr ds:[43912C],0
00431B06 FF15 DCC44300 call dword ptr ds:[<&MSVBVM50.__vbaExitPro>; MSVBVM50.__vbaExitProcess
这个注册算法有兴趣的可以继续跟踪(从 00432930、00431590 等 call 往里跟),看起来比较复杂,我就不跟下去了——看着上面那串 64 个十六进制字符的长串就头大。
本文主要是复习一下 tElock 0.98 的脱壳过程,以免生疏。
另外值得注意的是:不管中间算法多复杂,最终判定只是几处条件跳转(00431A9A、00431AB6、00431ACE、00431AE4)汇集到同一个出口 00431B06,这种“算法复杂、判定简单”的保护很容易被直接改跳转绕过,对软件作者而言也是一个教训。