【作者大名】fobnn
【作者邮箱】luoyue_2005@163.com
【作者主页】
www.hack58.com
【使用工具】OD PEID LORDPE ImportREC1.42
【操作系统】Windows XP
【软件名称】Mr.Captor 3.32
【下载地址】Google
【软件大小】1.14M
【加壳方式】Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
【软件简介】
Mr. Captor is advanced capture software that captures anything you see on the computer screen, including the entire desktop, rectangular, elliptical and freehand regions, a single window, a group of windows, menus, cursors, and colors. It can capture long web pages, PDFs, DOCs and other documents using the auto-scroll feature. It can record any screen action into an AVI file and capture on a timer event. Supports capture from DirectX/Direct3D games, DVD and Media Player. Extracts images from EXE, DLL, SCR, OCX files. Can save images in a variety of graphical formats (BMP, JPEG, PNG, GIF, ICO and many others). Additional features include support for hotkeys, image editing, email support, web publishing, printing and more. Can be useful for designers, web masters, developers, technical writers and other people working with images.
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【内容】
①.查看敌情,知己知彼!
1.PEiD查壳为Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
2.程序运行无注册提示。
3.程序运行只有一个进程.
②.深入
1.勾选了“忽略所有异常”选项,但运行程序时仍有很多异常.后来明白还需要在“忽略异常范围”内添加以下几个:
**************************************
C0000005 (ACCESS VIOLATION)
C0000008 (INVALID HANDLE)
C000001D (ILLEGAL INSTRUCTION)
C000001E (INVALID LOCK SEQUENCE)
C0000096 (PRIVILEGED INSTRUCTION)
**************************************
2.现在重新载入.
00534000 M> 60               pushad                          ;载入后停在这里.
00534001    E8 00000000      call MrCaptor.00534006
00534006    5D               pop ebp
00534007    50               push eax
00534008    51               push ecx
00534009    0FCA             bswap edx
0053400B    F7D2             not edx
0053400D    9C               pushfd
0053400E    F7D2             not edx
00534010    0FCA             bswap edx
00534012    EB 0F            jmp short MrCaptor.00534023
00534014    B9 EB0FB8EB      mov ecx, EBB80FEB
00534019    07               pop es
0053401A    B9 EB0F90EB      mov ecx, EB900FEB
3.下段
BP GetModuleHandleA+5 ,然后 Shift+F9 运行
;断点下在 GetModuleHandleA+5 而不是函数入口,是为了逃避壳对断点的检测!
运行中断.
7C80B52B    55               push ebp                        ;中断在此!
7C80B52C    8BEC             mov ebp, esp
7C80B52E    837D 08 00       cmp dword ptr ss:[ebp+8], 0
7C80B532    74 18            je short kernel32.7C80B54C
********************************************************************************************
1.
0013FF0C 0013FF98 返回到 0013FF98
0013FF10 0052EC18 返回到 MrCaptor.0052EC18 来自 kernel32.GetModuleHandleA
;此时堆栈,Shift+F9,run
2.
0013CEF0 |77F45BD8 返回到 77F45BD8 来自 kernel32.GetModuleHandleA
;Shift+F9,run
0013CEF4 |77F4501C ASCII "KERNEL32.DLL"
3.
0013D71C |005198E3 返回到 MrCaptor.005198E3 来自 kernel32.GetModuleHandleA
;Shift+F9,run
0013D720 |00000000
4.
00137B70 |00C519E0 返回到 00C519E0 来自 kernel32.GetModuleHandleA
;Shift+F9,run
00137B74 |00C66364 ASCII "kernel32.dll"
00137B78 |00C67588 ASCII "VirtualAlloc"
5.
00137B70 |00C519FD 返回到 00C519FD 来自 kernel32.GetModuleHandleA
;Shift+F9,run
00137B74 |00C66364 ASCII "kernel32.dll"
00137B78 |00C6757C ASCII "VirtualFree"
6.
001378E0 |00C39BF9 返回到 00C39BF9 来自 kernel32.GetModuleHandleA
;取消断点,ALT+F9运行返回!
001378E4 |00137A24 ASCII "kernel32.dll"
**********************************************************************************************
4.
00C39BF9    8B0D 74B7C600    mov ecx, dword ptr ds:[C6B774]   ;返回到这里!
00C39BFF    89040E           mov dword ptr ds:[esi+ecx], eax
00C39C02    A1 74B7C600      mov eax, dword ptr ds:[C6B774]
00C39C07    391C06           cmp dword ptr ds:[esi+eax], ebx
00C39C0A    75 16            jnz short 00C39C22
00C39C0C    8D85 B4FEFFFF    lea eax, dword ptr ss:[ebp-14C]
00C39C12    50               push eax
00C39C13    FF15 DC00C600    call dword ptr ds:[C600DC]       ; kernel32.LoadLibraryA
00C39C19    8B0D 74B7C600    mov ecx, dword ptr ds:[C6B774]
00C39C1F    89040E           mov dword ptr ds:[esi+ecx], eax
00C39C22    A1 74B7C600      mov eax, dword ptr ds:[C6B774]
00C39C27    391C06           cmp dword ptr ds:[esi+eax], ebx
00C39C2A    0F84 32010000    je 00C39D62                      ;Magic Jump! 将这条 je 改为 jmp
00C39C30    33C9             xor ecx, ecx
00C39C32    8B07             mov eax, dword ptr ds:[edi]
00C39C34    3918             cmp dword ptr ds:[eax], ebx
00C39C36    74 06            je short 00C39C3E
00C39C38    41               inc ecx
00C39C39    83C0 0C          add eax, 0C
00C39C3C  ^ EB F6            jmp short 00C39C34
00C39C3E    8BD9             mov ebx, ecx
00C39C40    C1E3 02          shl ebx, 2
00C39C43    53               push ebx
00C39C44    E8 C9520200      call 00C5EF12                    ; jmp to msvcrt.operator new
③.乘胜追击,直捣黄龙!
1.用内存断点法,直达OEP!
ALT+M
内存映射,项目 23
地址=00401000
;在此段F2下断点,SHIFT+F9,run
大小=00077000 (487424.)
Owner=MrCaptor 00400000
区段=.text
类型=Imag 01001002
访问=R
初始访问=RWE
*************************************************************
004425B2    55               push ebp                         ;成功到达OEP!
004425B3    8BEC             mov ebp, esp
004425B5    6A FF            push -1
004425B7    68 50EE4900      push MrCaptor.0049EE50
004425BC    68 D4194400      push MrCaptor.004419D4
004425C1    64:A1 00000000   mov eax, dword ptr fs:[0]
004425C7    50               push eax
004425C8    64:8925 00000000 mov dword ptr fs:[0], esp
004425CF    83EC 58          sub esp, 58
004425D2    53               push ebx
004425D3    56               push esi
004425D4    57               push edi
004425D5    8965 E8          mov dword ptr ss:[ebp-18], esp
004425D8    FF15 00244900    call dword ptr ds:[492400]
004425DE    33D2             xor edx, edx
004425E0    8AD4             mov dl, ah
004425E2    8915 80FD4F00    mov dword ptr ds:[4FFD80], edx
004425E8    8BC8             mov ecx, eax
***********************************************************************
2.Dump 后,用 ImportREC 1.6F 抓取输入表,用 Level1 修复后,剪掉剩下的几个无效函数,然后 FixDump!
3.FixDump 成功后,程序正常运行!再用 LordPE 重建 PE,脱壳后的程序从 2.31M 减到 1.81M!
打完收工!
------------------------------------------------------------------
【总结】
明天就要开学了,初三要中考了,写这篇来纪念一下吧!不知何时才能再见!
--------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!