弱壳---PECompact2.06主程序pec2gui脱壳
发表于: 2004-5-3 21:50 11988

PECompact2.06主程序pec2gui脱壳
1.用od载入pec2gui.exe
; Entry stub: installs a structured-exception handler whose address is 0041F1B4
; (the code followed in step 3). Nothing here is "real" program code yet; the
; packer reaches its unpacking routine through the SEH chain.
00401000 > B8 B4F14100      MOV EAX,pec2gui.0041F1B4            ; EAX = SEH handler address
00401005   50               PUSH EAX                            ; EXCEPTION_REGISTRATION.Handler
00401006   64:FF35 00000000 PUSH DWORD PTR FS:[0]               ; EXCEPTION_REGISTRATION.Next = current chain head
0040100D   64:8925 00000000 MOV DWORD PTR FS:[0],ESP            ; link the new record as head of the SEH chain
00401014   33C0             XOR EAX,EAX                         ; EAX = 0; the instruction after this (not shown) is what
                                                                ; enters the handler, presumably by faulting — confirm in the debugger
2.用插件IsDebugPresent隐藏od

3.Ctrl+G 跳转到 41f1b4（即第1步入口处压入的SEH处理程序地址）
; SEH handler (0041F1B4..0041F1D6) followed by the unpacker body (0041F1D7..0041F284).
; All stub addresses are formed as F041E15D + constant, wrapping mod 2^32, so the
; constants below decode to addresses inside this stub (computed in the comments).
; Indicators worth noting from a defender's view: the handler rewrites code bytes
; (self-modifying), the body allocates RWX memory, runs code out of it, and leaves
; through an indirect JMP to a computed address.
0041F1B4   B8 5DE141F0      MOV EAX,F041E15D                    ; base key for the EAX+const / EBP+const addresses below
0041F1B9   8D88 7A100010    LEA ECX,DWORD PTR DS:[EAX+1000107A] ; ECX = 0041F1D7 (the MOV EAX,12345678 below)
0041F1BF   8941 01          MOV DWORD PTR DS:[ECX+1],EAX        ; patch the imm32 12345678 -> F041E15D (self-modifying code)
0041F1C2   8B5424 04        MOV EDX,DWORD PTR SS:[ESP+4]        ; EDX = EXCEPTION_RECORD* (1st SEH handler argument)
0041F1C6   8B52 0C          MOV EDX,DWORD PTR DS:[EDX+C]        ; EDX = ExceptionAddress (EIP of the faulting instruction)
0041F1C9   C602 E9          MOV BYTE PTR DS:[EDX],0E9           ; overwrite the faulting instruction with a JMP rel32 opcode
0041F1CC   83C2 05          ADD EDX,5                           ; EDX = end of the 5-byte JMP
0041F1CF   2BCA             SUB ECX,EDX                         ; rel32 = 0041F1D7 - (fault address + 5)
0041F1D1   894A FC          MOV DWORD PTR DS:[EDX-4],ECX        ; store displacement: the fault site now reads JMP 0041F1D7
0041F1D4   33C0             XOR EAX,EAX                         ; return 0 = ExceptionContinueExecution
0041F1D6   C3               RETN                                ; resume at the fault site, which jumps to 0041F1D7
0041F1D7   B8 78563412      MOV EAX,12345678                    ; placeholder imm32; at run time it is F041E15D (patched above)
0041F1DC   64:8F05 00000000 POP DWORD PTR FS:[0]                ; unlink the SEH record installed at the entry point
0041F1E3   83C4 04          ADD ESP,4                           ; drop the saved Handler field
0041F1E6   55               PUSH EBP
0041F1E7   53               PUSH EBX
0041F1E8   51               PUSH ECX
0041F1E9   57               PUSH EDI
0041F1EA   56               PUSH ESI
0041F1EB   8D98 33100010    LEA EBX,DWORD PTR DS:[EAX+10001033] ; EBX = 0041F190: 0x24-byte parameter table just before the handler
0041F1F1   8B53 18          MOV EDX,DWORD PTR DS:[EBX+18]       ; EDX = table[18h]; added to several table entries below (base adjustment — confirm)
0041F1F4   8BE8             MOV EBP,EAX                         ; EBP = key, used for EBP+const stub-data addresses
0041F1F6   6A 40            PUSH 40                             ; 0x40 = PAGE_EXECUTE_READWRITE
0041F1F8   68 00100000      PUSH 1000                           ; 0x1000 = MEM_COMMIT
0041F1FD   FF73 04          PUSH DWORD PTR DS:[EBX+4]           ; dwSize = table[4]
0041F200   6A 00            PUSH 0                              ; lpAddress = NULL
0041F202   8B4B 10          MOV ECX,DWORD PTR DS:[EBX+10]
0041F205   03CA             ADD ECX,EDX
0041F207   8B01             MOV EAX,DWORD PTR DS:[ECX]          ; EAX = *(table[10h] + EDX): function pointer
0041F209   FFD0             CALL EAX                            ; argument pattern matches VirtualAlloc(NULL, size, MEM_COMMIT,
                                                                ; PAGE_EXECUTE_READWRITE); the callee is not resolved in this listing
0041F20B   8BF8             MOV EDI,EAX                         ; EDI = allocated (RWX) buffer
0041F20D   50               PUSH EAX                            ; keep the buffer address for after the call at 0041F240
0041F20E   8B33             MOV ESI,DWORD PTR DS:[EBX]          ; ESI = table[0]
0041F210   8B53 18          MOV EDX,DWORD PTR DS:[EBX+18]
0041F213   8B43 20          MOV EAX,DWORD PTR DS:[EBX+20]
0041F216   03C2             ADD EAX,EDX
0041F218   8B08             MOV ECX,DWORD PTR DS:[EAX]
0041F21A   894B 20          MOV DWORD PTR DS:[EBX+20],ECX       ; table[20h] = *(table[20h] + EDX): dereference pointer entry in place
0041F21D   8B43 1C          MOV EAX,DWORD PTR DS:[EBX+1C]
0041F220   03C2             ADD EAX,EDX
0041F222   8B08             MOV ECX,DWORD PTR DS:[EAX]
0041F224   894B 1C          MOV DWORD PTR DS:[EBX+1C],ECX       ; table[1Ch] = *(table[1Ch] + EDX): same for the next entry
0041F227   03F2             ADD ESI,EDX                         ; ESI = table[0] + EDX (source data address — confirm)
0041F229   8B4B 0C          MOV ECX,DWORD PTR DS:[EBX+C]
0041F22C   03CA             ADD ECX,EDX                         ; ECX = table[0Ch] + EDX: routine called at 0041F240
0041F22E   8D43 1C          LEA EAX,DWORD PTR DS:[EBX+1C]
0041F231   50               PUSH EAX                            ; arg4 = &table[1Ch]
0041F232   8D85 29110010    LEA EAX,DWORD PTR SS:[EBP+10001129] ; EAX = 0041F286 (dword right after the JMP EAX at 0041F284)
0041F238   FF73 04          PUSH DWORD PTR DS:[EBX+4]
0041F23B   8F00             POP DWORD PTR DS:[EAX]              ; *(0041F286) = table[4] (the size passed to the allocation)
0041F23D   50               PUSH EAX                            ; arg3 = &size
0041F23E   57               PUSH EDI                            ; arg2 = destination buffer
0041F23F   56               PUSH ESI                            ; arg1 = source
0041F240   FFD1             CALL ECX                            ; (src, dst, &size, &table[1Ch]) — fills the buffer; the routine
                                                                ; itself is not shown, so its exact role is inferred
0041F242   58               POP EAX                             ; EAX = buffer address (pushed at 0041F20D)
0041F243   0343 08          ADD EAX,DWORD PTR DS:[EBX+8]        ; EAX = buffer + table[8]
0041F246   8BF8             MOV EDI,EAX                         ; EDI = code address inside the buffer (called at 0041F265)
0041F248   8B53 18          MOV EDX,DWORD PTR DS:[EBX+18]
0041F24B   8BF0             MOV ESI,EAX
0041F24D   8B46 FC          MOV EAX,DWORD PTR DS:[ESI-4]        ; dword stored just before that code
0041F250   83C0 04          ADD EAX,4
0041F253   2BF0             SUB ESI,EAX                         ; ESI = EDI - ([EDI-4] + 4): start of a record in the buffer (layout inferred)
0041F255   8956 08          MOV DWORD PTR DS:[ESI+8],EDX        ; pass table[18h] to the buffer code
0041F258   8B4B 10          MOV ECX,DWORD PTR DS:[EBX+10]
0041F25B   894E 24          MOV DWORD PTR DS:[ESI+24],ECX       ; pass table[10h]
0041F25E   8B4B 14          MOV ECX,DWORD PTR DS:[EBX+14]
0041F261   51               PUSH ECX                            ; keep table[14h] for the release call below
0041F262   894E 28          MOV DWORD PTR DS:[ESI+28],ECX       ; pass table[14h]
0041F265   FFD7             CALL EDI                            ; execute code from the freshly written RWX buffer
0041F267   8985 2D110010    MOV DWORD PTR SS:[EBP+1000112D],EAX ; store its return value at 0041F28A
0041F26D   8BF0             MOV ESI,EAX                         ; ESI = return value = address jumped to at 0041F284
0041F26F   59               POP ECX                             ; ECX = table[14h]
0041F270   034B 18          ADD ECX,DWORD PTR DS:[EBX+18]
0041F273   68 00800000      PUSH 8000                           ; 0x8000 = MEM_RELEASE
0041F278   6A 00            PUSH 0                              ; dwSize = 0
0041F27A   57               PUSH EDI                            ; lpAddress
0041F27B   FF11             CALL DWORD PTR DS:[ECX]             ; argument pattern matches VirtualFree(lpAddress, 0, MEM_RELEASE)
0041F27D   8BC6             MOV EAX,ESI
0041F27F   5E               POP ESI
0041F280   5F               POP EDI
0041F281   59               POP ECX
0041F282   5B               POP EBX
0041F283   5D               POP EBP
0041F284   FFE0             JMP EAX   ;40d077-->oep             ; indirect transfer to the unpacked entry point (step 4 follows it)

4.在0041F284处按F4运行到此处，再按Shift+F7单步进入JMP EAX的目标
; Code at the original entry point (OEP) 0040D077. The shape matches a Visual C++
; C-runtime startup: GetVersionExA into an OSVERSIONINFOA on the stack, the version
; fields copied into globals, then a walk of the module's own MZ/PE headers.
0040D077   6A 18            PUSH 18
0040D079   68 A04C4100      PUSH pec2gui.00414CA0
0040D07E   E8 1D020000      CALL pec2gui.0040D2A0                     ; callee not shown
0040D083   BF 94000000      MOV EDI,94                                ; 0x94 = 148 = sizeof(OSVERSIONINFOA)
0040D088   8BC7             MOV EAX,EDI
0040D08A   E8 F1F3FFFF      CALL pec2gui.0040C480                     ; called with EAX = 0x94 right before ESP is used as a
                                                                      ; buffer; looks like a stack-allocation helper — confirm
0040D08F   8965 E8          MOV DWORD PTR SS:[EBP-18],ESP
0040D092   8BF4             MOV ESI,ESP                               ; ESI = OSVERSIONINFOA on the stack
0040D094   893E             MOV DWORD PTR DS:[ESI],EDI                ; dwOSVersionInfoSize = 0x94
0040D096   56               PUSH ESI
0040D097   FF15 98414100    CALL DWORD PTR DS:[414198]               ; kernel32.GetVersionExA
0040D09D   8B4E 10          MOV ECX,DWORD PTR DS:[ESI+10]             ; dwPlatformId
0040D0A0   890D 809E4100    MOV DWORD PTR DS:[419E80],ECX
0040D0A6   8B46 04          MOV EAX,DWORD PTR DS:[ESI+4]              ; dwMajorVersion
0040D0A9   A3 8C9E4100      MOV DWORD PTR DS:[419E8C],EAX
0040D0AE   8B56 08          MOV EDX,DWORD PTR DS:[ESI+8]              ; dwMinorVersion
0040D0B1   8915 909E4100    MOV DWORD PTR DS:[419E90],EDX
0040D0B7   8B76 0C          MOV ESI,DWORD PTR DS:[ESI+C]              ; dwBuildNumber
0040D0BA   81E6 FF7F0000    AND ESI,7FFF                              ; keep the low 15 bits of the build number
0040D0C0   8935 849E4100    MOV DWORD PTR DS:[419E84],ESI
0040D0C6   83F9 02          CMP ECX,2                                 ; 2 = VER_PLATFORM_WIN32_NT
0040D0C9   74 0C            JE SHORT pec2gui.0040D0D7
0040D0CB   81CE 00800000    OR ESI,8000                               ; non-NT platform: set the high flag bit
0040D0D1   8935 849E4100    MOV DWORD PTR DS:[419E84],ESI
0040D0D7   C1E0 08          SHL EAX,8
0040D0DA   03C2             ADD EAX,EDX                               ; (major << 8) | minor
0040D0DC   A3 889E4100      MOV DWORD PTR DS:[419E88],EAX
0040D0E1   33FF             XOR EDI,EDI
0040D0E3   57               PUSH EDI                                  ; lpModuleName = NULL -> handle of this image
0040D0E4   FF15 90414100    CALL DWORD PTR DS:[414190]               ; kernel32.GetModuleHandleA
0040D0EA   66:8138 4D5A     CMP WORD PTR DS:[EAX],5A4D                ; IMAGE_DOS_HEADER.e_magic == 'MZ'?
0040D0EF   75 1F            JNZ SHORT pec2gui.0040D110
0040D0F1   8B48 3C          MOV ECX,DWORD PTR DS:[EAX+3C]             ; e_lfanew
0040D0F4   03C8             ADD ECX,EAX                               ; ECX = IMAGE_NT_HEADERS
0040D0F6   8139 50450000    CMP DWORD PTR DS:[ECX],4550               ; Signature == 'PE\0\0'?
0040D0FC   75 12            JNZ SHORT pec2gui.0040D110
0040D0FE   0FB741 18        MOVZX EAX,WORD PTR DS:[ECX+18]            ; OptionalHeader.Magic; the listing stops here

5.在OEP 40d077处dump

6.用Import REConstructor v1.6 FINAL修复即可

lajiaolz   2004/05/03


最新回复 (1)
谢谢,我刚好学它.
2004-5-3 21:56