小生学习脱壳差不多要来一年了 最近遇到Acprotect的壳 网上看了很多教程还是搞不定 请高手们帮帮忙
谢谢各位朋友这壳已经搞定
设置Olydbg忽略所有异常选项。用IsDebug 1.4插件去掉Ollydbg的调试器标志
打开文件提示文件压缩过点NO停下 代码如下:
0045B000 > 60 PUSHAD//进入OD后停在这
0045B001 E8 01000000 CALL gameupda.0045B007
0045B006 - EB 83 JMP SHORT gameupda.0045AF8B
0045B008 04 24 ADD AL,24
0045B00A 06 PUSH ES
0045B00B C3 RETN
高人们的教程是在.idata区段设置内存写入断点 我的这个文件没有.idata区段所以就是.rdata下内存写入断点SHOFT+F9断下
0046F455 C685 A5524100 C>MOV BYTE PTR SS:[EBP+4152A5],0C3
0046F45C C785 0BF94000 0>MOV DWORD PTR SS:[EBP+40F90B],gameupda.0>
0046F466 01AD 0BF94000 ADD DWORD PTR SS:[EBP+40F90B],EBP
0046F46C 8385 0BF94000 1>ADD DWORD PTR SS:[EBP+40F90B],10
0046F473 8B95 46F84000 MOV EDX,DWORD PTR SS:[EBP+40F846]
0046F479 8BB5 07F94000 MOV ESI,DWORD PTR SS:[EBP+40F907]
0046F47F 03F2 ADD ESI,EDX
0046F481 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
0046F484 0BC0 OR EAX,EAX
0046F486 0F84 25020000 JE gameupda.0046F6B1
0046F48C 8366 0C 00 AND DWORD PTR DS:[ESI+C],0//断在这里,改NOP
0046F490 03C2 ADD EAX,EDX
0046F492 8BD8 MOV EBX,EAX
0046F494 56 PUSH ESI
0046F495 57 PUSH EDI
0046F496 50 PUSH EAX
0046F497 8BF3 MOV ESI,EBX
0046F499 8BFB MOV EDI,EBX
0046F49B AC LODS BYTE PTR DS:[ESI]
0046F49C C0C0 03 ROL AL,3
0046F49F AA STOS BYTE PTR ES:[EDI]
0046F4A0 803F 00 CMP BYTE PTR DS:[EDI],0
0046F4A3 ^ 75 F6 JNZ SHORT gameupda.0046F49B
0046F4A5 58 POP EAX
0046F4A6 5F POP EDI
0046F4A7 5E POP ESI
0046F4A8 50 PUSH EAX
0046F4A9 FF95 20854100 CALL DWORD PTR SS:[EBP+418520]
0046F4AF 0BC0 OR EAX,EAX
0046F4B1 75 43 JNZ SHORT gameupda.0046F4F6
0046F4B3 90 NOP
0046F4B4 90 NOP
0046F4B5 90 NOP
0046F4B6 90 NOP
0046F4B7 53 PUSH EBX
0046F4B8 FF95 24854100 CALL DWORD PTR SS:[EBP+418524]
0046F4BE 0BC0 OR EAX,EAX
0046F4C0 75 34 JNZ SHORT gameupda.0046F4F6
0046F4C2 90 NOP
0046F4C3 90 NOP
0046F4C4 90 NOP
0046F4C5 90 NOP
0046F4C6 8B95 46F84000 MOV EDX,DWORD PTR SS:[EBP+40F846]
0046F4CC 0195 351B4000 ADD DWORD PTR SS:[EBP+401B35],EDX
0046F4D2 0195 391B4000 ADD DWORD PTR SS:[EBP+401B39],EDX
0046F4D8 6A 00 PUSH 0
0046F4DA FFB5 351B4000 PUSH DWORD PTR SS:[EBP+401B35]
0046F4E0 FFB5 391B4000 PUSH DWORD PTR SS:[EBP+401B39]
0046F4E6 6A 00 PUSH 0
0046F4E8 FF95 2C854100 CALL DWORD PTR SS:[EBP+41852C]
0046F4EE 6A 00 PUSH 0
0046F4F0 FF95 28854100 CALL DWORD PTR SS:[EBP+418528]
0046F4F6 60 PUSHAD
0046F4F7 2BC0 SUB EAX,EAX//改为 jmp 0046f500
0046F4F9 8803 MOV BYTE PTR DS:[EBX],AL
0046F4FB 43 INC EBX
0046F4FC 3803 CMP BYTE PTR DS:[EBX],AL
0046F4FE ^ 75 F9 JNZ SHORT gameupda.0046F4F9
0046F500 61 POPAD
0046F501 8985 3EF84000 MOV DWORD PTR SS:[EBP+40F83E],EAX
0046F507 C785 42F84000 0>MOV DWORD PTR SS:[EBP+40F842],0
0046F511 8B95 46F84000 MOV EDX,DWORD PTR SS:[EBP+40F846]
0046F517 8B06 MOV EAX,DWORD PTR DS:[ESI]
0046F519 0BC0 OR EAX,EAX
0046F51B 75 07 JNZ SHORT gameupda.0046F524
0046F51D 90 NOP
0046F51E 90 NOP
0046F51F 90 NOP
0046F520 90 NOP
0046F521 8B46 10 MOV EAX,DWORD PTR DS:[ESI+10]
0046F524 03C2 ADD EAX,EDX
0046F526 0385 42F84000 ADD EAX,DWORD PTR SS:[EBP+40F842]
0046F52C 8B18 MOV EBX,DWORD PTR DS:[EAX]
0046F52E 8B7E 10 MOV EDI,DWORD PTR DS:[ESI+10]
0046F531 03FA ADD EDI,EDX
0046F533 03BD 42F84000 ADD EDI,DWORD PTR SS:[EBP+40F842]
0046F539 85DB TEST EBX,EBX
0046F53B 0F84 62010000 JE gameupda.0046F6A3
0046F541 F7C3 00000080 TEST EBX,80000000
0046F547 75 1D JNZ SHORT gameupda.0046F566
0046F549 90 NOP
0046F54A 90 NOP
0046F54B 90 NOP
0046F54C 90 NOP
0046F54D 03DA ADD EBX,EDX
0046F54F 83C3 02 ADD EBX,2
0046F552 56 PUSH ESI
0046F553 57 PUSH EDI
0046F554 50 PUSH EAX
0046F555 8BF3 MOV ESI,EBX
0046F557 8BFB MOV EDI,EBX
0046F559 AC LODS BYTE PTR DS:[ESI]
0046F55A C0C0 03 ROL AL,3
0046F55D AA STOS BYTE PTR ES:[EDI]
0046F55E 803F 00 CMP BYTE PTR DS:[EDI],0
0046F561 ^ 75 F6 JNZ SHORT gameupda.0046F559
0046F563 58 POP EAX
0046F564 5F POP EDI
0046F565 5E POP ESI
0046F566 3B9D 46F84000 CMP EBX,DWORD PTR SS:[EBP+40F846]
0046F56C 7C 11 JL SHORT gameupda.0046F57F
0046F56E 90 NOP
0046F56F 90 NOP
0046F570 90 NOP
0046F571 90 NOP
0046F572 83BD 1A204000 0>CMP DWORD PTR SS:[EBP+40201A],0
0046F579 75 0A JNZ SHORT gameupda.0046F585
0046F57B 90 NOP
0046F57C 90 NOP
0046F57D 90 NOP
0046F57E 90 NOP
0046F57F 81E3 FFFFFF0F AND EBX,0FFFFFFF
0046F585 53 PUSH EBX
0046F586 FFB5 3EF84000 PUSH DWORD PTR SS:[EBP+40F83E]
0046F58C FF95 1C854100 CALL DWORD PTR SS:[EBP+41851C]
0046F592 3B9D 46F84000 CMP EBX,DWORD PTR SS:[EBP+40F846]
0046F598 7C 0F JL SHORT gameupda.0046F5A9
0046F59A 90 NOP
0046F59B 90 NOP
0046F59C 90 NOP
0046F59D 90 NOP
0046F59E 60 PUSHAD
0046F59F 2BC0 SUB EAX,EAX//改为 JPM 0046F5A8
0046F5A1 8803 MOV BYTE PTR DS:[EBX],AL
0046F5A3 43 INC EBX
0046F5A4 3803 CMP BYTE PTR DS:[EBX],AL
0046F5A6 ^ 75 F9 JNZ SHORT gameupda.0046F5A1
0046F5A8 61 POPAD
0046F5A9 0BC0 OR EAX,EAX
0046F5AB ^ 0F84 15FFFFFF JE gameupda.0046F4C6
0046F5B1 3B85 2C854100 CMP EAX,DWORD PTR SS:[EBP+41852C]
0046F5B7 74 20 JE SHORT gameupda.0046F5D9
0046F5B9 90 NOP
0046F5BA 90 NOP
0046F5BB 90 NOP
0046F5BC 90 NOP
0046F5BD 3B85 C4FD4000 CMP EAX,DWORD PTR SS:[EBP+40FDC4]
0046F5C3 74 09 JE SHORT gameupda.0046F5CE
0046F5C5 90 NOP
0046F5C6 90 NOP
0046F5C7 90 NOP
0046F5C8 90 NOP
0046F5C9 EB 14 JMP SHORT gameupda.0046F5DF
0046F5CB 90 NOP
0046F5CC 90 NOP
0046F5CD 90 NOP
0046F5CE 8D85 31FE4000 LEA EAX,DWORD PTR SS:[EBP+40FE31]
0046F5D4 EB 09 JMP SHORT gameupda.0046F5DF
0046F5D6 90 NOP
0046F5D7 90 NOP
0046F5D8 90 NOP
0046F5D9 8D85 4BFE4000 LEA EAX,DWORD PTR SS:[EBP+40FE4B]
0046F5DF 56 PUSH ESI
0046F5E0 FFB5 3EF84000 PUSH DWORD PTR SS:[EBP+40F83E]
0046F5E6 5E POP ESI
0046F5E7 39B5 12204000 CMP DWORD PTR SS:[EBP+402012],ESI
0046F5ED 74 15 JE SHORT gameupda.0046F604
0046F5EF 90 NOP
0046F5F0 90 NOP
0046F5F1 90 NOP
0046F5F2 90 NOP
0046F5F3 39B5 16204000 CMP DWORD PTR SS:[EBP+402016],ESI
0046F5F9 74 09 JE SHORT gameupda.0046F604
0046F5FB 90 NOP
0046F5FC 90 NOP
0046F5FD 90 NOP
0046F5FE 90 NOP
0046F5FF EB 63 JMP SHORT gameupda.0046F664
0046F601 90 NOP
0046F602 90 NOP
0046F603 90 NOP
0046F604 80BD 16564100 0>CMP BYTE PTR SS:[EBP+415616],0
0046F60B 74 57 JE SHORT gameupda.0046F664
0046F60D 90 NOP
0046F60E 90 NOP
0046F60F 90 NOP
0046F610 90 NOP
0046F611 EB 07 JMP SHORT gameupda.0046F61A
0046F613 90 NOP
0046F614 90 NOP
0046F615 90 NOP
0046F616 0100 ADD DWORD PTR DS:[EAX],EAX
0046F618 0000 ADD BYTE PTR DS:[EAX],AL
0046F61A 8BB5 0BF94000 MOV ESI,DWORD PTR SS:[EBP+40F90B]
0046F620 83C6 0D ADD ESI,0D
0046F623 81EE 02184000 SUB ESI,gameupda.00401802
0046F629 2BF5 SUB ESI,EBP
0046F62B 83FE 00 CMP ESI,0
0046F62E 7F 34 JG SHORT gameupda.0046F664
0046F630 90 NOP
0046F631 90 NOP
0046F632 90 NOP
0046F633 90 NOP
0046F634 8BB5 0BF94000 MOV ESI,DWORD PTR SS:[EBP+40F90B]
0046F63A 53 PUSH EBX
0046F63B 50 PUSH EAX
0046F63C E8 8DB2FFFF CALL gameupda.0046A8CE
0046F641 8BD8 MOV EBX,EAX
0046F643 58 POP EAX
0046F644 33C3 XOR EAX,EBX
0046F646 C606 68 MOV BYTE PTR DS:[ESI],68
0046F649 8946 01 MOV DWORD PTR DS:[ESI+1],EAX
0046F64C C746 05 8134240>MOV DWORD PTR DS:[ESI+5],243481
0046F653 895E 08 MOV DWORD PTR DS:[ESI+8],EBX
0046F656 C646 0C C3 MOV BYTE PTR DS:[ESI+C],0C3
0046F65A 5B POP EBX
0046F65B 8BC6 MOV EAX,ESI
0046F65D 8385 0BF94000 0>ADD DWORD PTR SS:[EBP+40F90B],0D
0046F664 5E POP ESI
0046F665 60 PUSHAD
0046F666 8BD0 MOV EDX,EAX
0046F668 2BBD 46F84000 SUB EDI,DWORD PTR SS:[EBP+40F846]
0046F66E 8BC7 MOV EAX,EDI
0046F670 B9 01010000 MOV ECX,101
0046F675 8DBD EBEC4000 LEA EDI,DWORD PTR SS:[EBP+40ECEB]
0046F67B F2:AF REPNE SCAS DWORD PTR ES:[EDI]
0046F67D 0BC9 OR ECX,ECX
0046F67F 74 13 JE SHORT gameupda.0046F694
0046F681 90 NOP
0046F682 90 NOP
0046F683 90 NOP
0046F684 90 NOP
0046F685 81E9 01010000 SUB ECX,101
0046F68B F7D1 NOT ECX
0046F68D 89948D EBE84000 MOV DWORD PTR SS:[EBP+ECX*4+40E8EB],EDX
0046F694 61 POPAD
0046F695 8907 MOV DWORD PTR DS:[EDI],EAX//改为 NOP
0046F697 8385 42F84000 0>ADD DWORD PTR SS:[EBP+40F842],4
0046F69E ^ E9 6EFEFFFF JMP gameupda.0046F511
0046F6A3 83C6 14 ADD ESI,14
0046F6A6 8B95 46F84000 MOV EDX,DWORD PTR SS:[EBP+40F846]
0046F6AC ^ E9 D0FDFFFF JMP gameupda.0046F481
0046F6B1 8DBD EBEC4000 LEA EDI,DWORD PTR SS:[EBP+40ECEB]
0046F6B7 33C0 XOR EAX,EAX////清除内存断点,F4直接到这,DUMP出
0046F6B9 B9 00010000 MOV ECX,100
0046F6BE F3:AB REP STOS DWORD PTR ES:[EDI]
0046F6C0 60 PUSHAD
0046F6C1 E8 00000000 CALL gameupda.0046F6C6
再在.idata区段设置内存访问断点
00414716 6A 60 PUSH 60//断在这里
00414718 68 08534300 PUSH gameupda.00435308
0041471D E8 1E080000 CALL gameupda.00414F40
00414722 BF 94000000 MOV EDI,94
00414727 8BC7 MOV EAX,EDI
00414729 E8 D2F7FFFF CALL gameupda.00413F00
0041472E 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00414731 8BF4 MOV ESI,ESP
00414733 893E MOV DWORD PTR DS:[ESI],EDI
00414735 56 PUSH ESI
00414736 FF15 8C114300 CALL DWORD PTR DS:[43118C]
0041473C 8B4E 10 MOV ECX,DWORD PTR DS:[ESI+10]
0041473F 890D 78214400 MOV DWORD PTR DS:[442178],ECX
00414745 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
00414748 A3 84214400 MOV DWORD PTR DS:[442184],EAX
0041474D 8B56 08 MOV EDX,DWORD PTR DS:[ESI+8]
00414750 8915 88214400 MOV DWORD PTR DS:[442188],EDX
00414756 8B76 0C MOV ESI,DWORD PTR DS:[ESI+C]
00414759 81E6 FF7F0000 AND ESI,7FFF
0041475F 8935 7C214400 MOV DWORD PTR DS:[44217C],ESI
00414765 83F9 02 CMP ECX,2
00414768 74 0C JE SHORT gameupda.00414776
0041476A 81CE 00800000 OR ESI,8000
00414770 8935 7C214400 MOV DWORD PTR DS:[44217C],ESI
00414776 C1E0 08 SHL EAX,8
00414779 03C2 ADD EAX,EDX
0041477B A3 80214400 MOV DWORD PTR DS:[442180],EAX
00414780 33F6 XOR ESI,ESI
00414782 56 PUSH ESI
00414783 8B3D 7C124300 MOV EDI,DWORD PTR DS:[43127C]
00414789 FFD7 CALL EDI
根据寄存器和堆栈看好像作者在加壳时没得修改OEP 我认为这是OEP Microsoft Visual C++ 7.0
写的
重新打开加壳文件来到 00414716
用ImportREC修正dumped.exe的OEP 14716 RVA=0043B2AC 大小我没能确定
提示157个无效指针
有个可疑函数在SkinPPWTL.dll里 这个DLL文件也是壳处理的第一个DLL文件 在程解压完后就没再用到这个DLL文件了
到后面就不知道整么回事了请高手指点!!!!!
源文件下载地址
ftp://root:root@221.237.222.22/gameupdata.rar
[课程]FART 脱壳王!加量不加价!FART作者讲授!
