弱壳---PECompact2.06主程序pec2gui脱壳-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

弱壳---PECompact2.06主程序pec2gui脱壳

发表于: 2004-5-3 21:50 11967

弱壳---PECompact2.06主程序pec2gui脱壳

lajiaolz

2004-5-3 21:50

11967

PECompact2.06主程序pec2gui脱壳
1.用od载入pec2gui.exe
00401000 > B8 B4F14100      MOV EAX,pec2gui.0041F1B4
00401005   50               PUSH EAX
00401006   64:FF35 00000000 PUSH DWORD PTR FS:[0]
0040100D   64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00401014   33C0             XOR EAX,EAX
2.用插件IsDebugPresent隐藏od

3.ctrl+G    41f1b4
0041F1B4   B8 5DE141F0      MOV EAX,F041E15D
0041F1B9   8D88 7A100010    LEA ECX,DWORD PTR DS:[EAX+1000107A]
0041F1BF   8941 01          MOV DWORD PTR DS:[ECX+1],EAX
0041F1C2   8B5424 04        MOV EDX,DWORD PTR SS:[ESP+4]
0041F1C6   8B52 0C          MOV EDX,DWORD PTR DS:[EDX+C]
0041F1C9   C602 E9          MOV BYTE PTR DS:[EDX],0E9
0041F1CC   83C2 05          ADD EDX,5
0041F1CF   2BCA             SUB ECX,EDX
0041F1D1   894A FC          MOV DWORD PTR DS:[EDX-4],ECX
0041F1D4   33C0             XOR EAX,EAX
0041F1D6   C3               RETN
0041F1D7   B8 78563412      MOV EAX,12345678
0041F1DC   64:8F05 00000000 POP DWORD PTR FS:[0]
0041F1E3   83C4 04          ADD ESP,4
0041F1E6   55               PUSH EBP
0041F1E7   53               PUSH EBX
0041F1E8   51               PUSH ECX
0041F1E9   57               PUSH EDI
0041F1EA   56               PUSH ESI
0041F1EB   8D98 33100010    LEA EBX,DWORD PTR DS:[EAX+10001033]
0041F1F1   8B53 18          MOV EDX,DWORD PTR DS:[EBX+18]
0041F1F4   8BE8             MOV EBP,EAX
0041F1F6   6A 40            PUSH 40
0041F1F8   68 00100000      PUSH 1000
0041F1FD   FF73 04          PUSH DWORD PTR DS:[EBX+4]
0041F200   6A 00            PUSH 0
0041F202   8B4B 10          MOV ECX,DWORD PTR DS:[EBX+10]
0041F205   03CA             ADD ECX,EDX
0041F207   8B01             MOV EAX,DWORD PTR DS:[ECX]
0041F209   FFD0             CALL EAX
0041F20B   8BF8             MOV EDI,EAX
0041F20D   50               PUSH EAX
0041F20E   8B33             MOV ESI,DWORD PTR DS:[EBX]
0041F210   8B53 18          MOV EDX,DWORD PTR DS:[EBX+18]
0041F213   8B43 20          MOV EAX,DWORD PTR DS:[EBX+20]
0041F216   03C2             ADD EAX,EDX
0041F218   8B08             MOV ECX,DWORD PTR DS:[EAX]
0041F21A   894B 20          MOV DWORD PTR DS:[EBX+20],ECX
0041F21D   8B43 1C          MOV EAX,DWORD PTR DS:[EBX+1C]
0041F220   03C2             ADD EAX,EDX
0041F222   8B08             MOV ECX,DWORD PTR DS:[EAX]
0041F224   894B 1C          MOV DWORD PTR DS:[EBX+1C],ECX
0041F227   03F2             ADD ESI,EDX
0041F229   8B4B 0C          MOV ECX,DWORD PTR DS:[EBX+C]
0041F22C   03CA             ADD ECX,EDX
0041F22E   8D43 1C          LEA EAX,DWORD PTR DS:[EBX+1C]
0041F231   50               PUSH EAX
0041F232   8D85 29110010    LEA EAX,DWORD PTR SS:[EBP+10001129]
0041F238   FF73 04          PUSH DWORD PTR DS:[EBX+4]
0041F23B   8F00             POP DWORD PTR DS:[EAX]
0041F23D   50               PUSH EAX
0041F23E   57               PUSH EDI
0041F23F   56               PUSH ESI
0041F240   FFD1             CALL ECX
0041F242   58               POP EAX
0041F243   0343 08          ADD EAX,DWORD PTR DS:[EBX+8]
0041F246   8BF8             MOV EDI,EAX
0041F248   8B53 18          MOV EDX,DWORD PTR DS:[EBX+18]
0041F24B   8BF0             MOV ESI,EAX
0041F24D   8B46 FC          MOV EAX,DWORD PTR DS:[ESI-4]
0041F250   83C0 04          ADD EAX,4
0041F253   2BF0             SUB ESI,EAX
0041F255   8956 08          MOV DWORD PTR DS:[ESI+8],EDX
0041F258   8B4B 10          MOV ECX,DWORD PTR DS:[EBX+10]
0041F25B   894E 24          MOV DWORD PTR DS:[ESI+24],ECX
0041F25E   8B4B 14          MOV ECX,DWORD PTR DS:[EBX+14]
0041F261   51               PUSH ECX
0041F262   894E 28          MOV DWORD PTR DS:[ESI+28],ECX
0041F265   FFD7             CALL EDI
0041F267   8985 2D110010    MOV DWORD PTR SS:[EBP+1000112D],EAX
0041F26D   8BF0             MOV ESI,EAX
0041F26F   59               POP ECX
0041F270   034B 18          ADD ECX,DWORD PTR DS:[EBX+18]
0041F273   68 00800000      PUSH 8000
0041F278   6A 00            PUSH 0
0041F27A   57               PUSH EDI
0041F27B   FF11             CALL DWORD PTR DS:[ECX]
0041F27D   8BC6             MOV EAX,ESI
0041F27F   5E               POP ESI
0041F280   5F               POP EDI
0041F281   59               POP ECX
0041F282   5B               POP EBX
0041F283   5D               POP EBP
0041F284   FFE0             JMP EAX   ;40d077-->oep

4.在0041F284处按f4,shift+f7
0040D077   6A 18            PUSH 18
0040D079   68 A04C4100      PUSH pec2gui.00414CA0
0040D07E   E8 1D020000      CALL pec2gui.0040D2A0
0040D083   BF 94000000      MOV EDI,94
0040D088   8BC7             MOV EAX,EDI
0040D08A   E8 F1F3FFFF      CALL pec2gui.0040C480
0040D08F   8965 E8          MOV DWORD PTR SS:[EBP-18],ESP
0040D092   8BF4             MOV ESI,ESP
0040D094   893E             MOV DWORD PTR DS:[ESI],EDI
0040D096   56               PUSH ESI
0040D097   FF15 98414100    CALL DWORD PTR DS:[414198]               ; kernel32.GetVersionExA
0040D09D   8B4E 10          MOV ECX,DWORD PTR DS:[ESI+10]
0040D0A0   890D 809E4100    MOV DWORD PTR DS:[419E80],ECX
0040D0A6   8B46 04          MOV EAX,DWORD PTR DS:[ESI+4]
0040D0A9   A3 8C9E4100      MOV DWORD PTR DS:[419E8C],EAX
0040D0AE   8B56 08          MOV EDX,DWORD PTR DS:[ESI+8]
0040D0B1   8915 909E4100    MOV DWORD PTR DS:[419E90],EDX
0040D0B7   8B76 0C          MOV ESI,DWORD PTR DS:[ESI+C]
0040D0BA   81E6 FF7F0000    AND ESI,7FFF
0040D0C0   8935 849E4100    MOV DWORD PTR DS:[419E84],ESI
0040D0C6   83F9 02          CMP ECX,2
0040D0C9   74 0C            JE SHORT pec2gui.0040D0D7
0040D0CB   81CE 00800000    OR ESI,8000
0040D0D1   8935 849E4100    MOV DWORD PTR DS:[419E84],ESI
0040D0D7   C1E0 08          SHL EAX,8
0040D0DA   03C2             ADD EAX,EDX
0040D0DC   A3 889E4100      MOV DWORD PTR DS:[419E88],EAX
0040D0E1   33FF             XOR EDI,EDI
0040D0E3   57               PUSH EDI
0040D0E4   FF15 90414100    CALL DWORD PTR DS:[414190]               ; kernel32.GetModuleHandleA
0040D0EA   66:8138 4D5A     CMP WORD PTR DS:[EAX],5A4D
0040D0EF   75 1F            JNZ SHORT pec2gui.0040D110
0040D0F1   8B48 3C          MOV ECX,DWORD PTR DS:[EAX+3C]
0040D0F4   03C8             ADD ECX,EAX
0040D0F6   8139 50450000    CMP DWORD PTR DS:[ECX],4550
0040D0FC   75 12            JNZ SHORT pec2gui.0040D110
0040D0FE   0FB741 18        MOVZX EAX,WORD PTR DS:[ECX+18]

5.在40d077处dump

6.用Import REConstructor v1.6 FINAL修复即可

lajiaolz 2004/05/03

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

收藏・2

免费・6

支持

最新回复 (1)
David 雪币： 411 活跃值： (1160) 能力值： ( LV9，RANK：810 ) 在线值：发帖 44 回帖 404 粉丝 4 关注私信	David 20 2 楼谢谢,我刚好学它. 2004-5-3 21:56 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

lajiaolz

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

专注于PC、移动、智能设备安全研究及逆向工程的开发者社区

最新回复 (1)
David 雪币： 411 活跃值： (1160) 能力值： ( LV9，RANK：810 ) 在线值：发帖 44 回帖 404 粉丝 4 关注私信	David 20 2 楼谢谢,我刚好学它. 2004-5-3 21:56 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复