如果你对PE结构一无所知,那么估计是看不懂。
所用工具
Uedit,Ollydbg,win98记事本,计算器,Peid,加PE脱壳知识。
'窗体代码
'btw,一直看不懂这个程序,基本拿下了。
Option Explicit
Dim mBakFileName$
Private Sub Form_Load()
Option1(0).Value = True
End Sub
Private Sub cmdBrow_Click()
CommonDialog1.Filter = "exe|*.exe|"
CommonDialog1.ShowOpen
Text1.Text = CommonDialog1.FileName
End Sub
Private Sub cmdOk_Click()
Dim bytPosition As Byte
Dim Address&
Dim PeArray(5) As Byte
Dim i&
Dim OperateFlag As Boolean
Dim Newoep&
Dim Oldoep&
Dim FreeAddressArray() As Byte
If Text1.Text = "" Then
MsgBox "请先选择需要伪装的文件!", vbInformation, "提示"
Exit Sub
Else
mBakFileName$ = Left$(Text1, Len(Text1) - 4) & ".bak"
FileCopy Text1, mBakFileName$
End If
Address& = 1
Open Text1.Text For Binary As #1
OperateFlag = False
'从文件第一个字节位置开始
Do
Get #1, Address&, bytPosition
'寻找PE头
If bytPosition = &H50 Then
For i = 0 To 5
Get #1, Address& + i, PeArray(i)
Next
'通用特制码
If PeArray(0) = &H50 And PeArray(1) = &H45 And PeArray(4) = &H4C And PeArray(5) = 1 Then
OperateFlag = True
Exit Do
End If
End If
Address& = Address& + 1
Loop While OperateFlag = False
'PE头附近40个字节就是Oep!?
Newoep& = Address& + 40
Get #1, Newoep&, Oldoep&
Oldoep& = Oldoep& + &H400000 '加上偏移量
'选择一个空地放存放伪装码,地大物博啊,有身份证就能当业主
Address& = 800
OperateFlag = False
'选择的vc++
If Option1(0).Value = True Then
ReDim FreeAddressArray(51)
Do
Address& = Address& + 4
For i = 0 To 51
'分配52个字节写伪装代码
Get #1, Address& + i, FreeAddressArray(i)
If FreeAddressArray(i) <> &H0 Then
Exit For
Else
If i = 51 Then
OperateFlag = True
End If
End If
Next
Loop While OperateFlag = False
'在原来Oep位置写新Oep
Put #1, Newoep&, Address&
Address& = Address& + 1
Address& = MaskVC(Address&)
Oldoep& = (Oldoep& - (Address& + &H400000))
'写跳转地址,伪装代码当然要跳往真正入口了
Put #1, Address&, Oldoep& - 3
End If
'选择的vc++6.0
If Option1(1).Value = True Then
ReDim FreeAddressArray(63)
Do
Address& = Address& + 4
For i = 0 To 63
Get #1, Address& + i, FreeAddressArray(i)
If FreeAddressArray(i) <> &H0 Then
Exit For
Else
If i = 63 Then OperateFlag = True
End If
Next
Loop While OperateFlag = False
Put #1, Newoep&, Address&
Address& = Address& + 1
MaskVC60 (Address&)
Oldoep& = (Oldoep& - (Address& + 54 + &H400000))
Put #1, Address& + 54, Oldoep& - 3
End If
'选择的delphi 6.0-7.0
If Option1(2).Value = True Then
ReDim FreeAddressArray(16)
Do
Address& = Address& + 4
For i = 0 To 16
Get #1, Address& + i, FreeAddressArray(i)
If FreeAddressArray(i) <> &H0 Then
Exit For
Else
If i = 16 Then OperateFlag = True
End If
Next
Loop While OperateFlag = False
Put #1, Newoep&, Address&
Address& = Address& + 1
MaskDelphi60 (Address&)
Oldoep& = (Oldoep& - (Address& + 11 + &H400000))
Put #1, Address& + 11, Oldoep& - 3
End If
MsgBox "恭喜,伪装成功!", vbInformation
Close #1
cmdOk.Enabled = False
cmdTest.Enabled = True
End Sub
Private Sub cmdTest_Click()
ShellWait (Text1)
If vbNo = MsgBox("程序正常运行没?", vbQuestion + vbYesNo, "提问") Then
Kill Text1
Name mBakFileName$ As Left$(Text1, Len(Text1) - 4) & ".exe"
cmdOk.Enabled = True
cmdTest.Enabled = False
Else
Kill mBakFileName$
cmdOk.Enabled = True
cmdTest.Enabled = False
End If
End Sub
'mod1
Option Explicit
Public Function MaskVC(Code As Long) As Long
'写入vc入口特征码
Put #1, Code, &H55: Code = Code + 1
Put #1, Code, &H8B: Code = Code + 1
Put #1, Code, &HEC: Code = Code + 1
Put #1, Code, &H6A: Code = Code + 1
Put #1, Code, &HFF: Code = Code + 1
Put #1, Code, &H68: Code = Code + 1
Put #1, Code, &H66: Code = Code + 1
Put #1, Code, &H66: Code = Code + 1
Put #1, Code, &H66: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H68: Code = Code + 1
Put #1, Code, &H88: Code = Code + 1
Put #1, Code, &H88: Code = Code + 1
Put #1, Code, &H88: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H64: Code = Code + 1
Put #1, Code, &HA1: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H50: Code = Code + 1
Put #1, Code, &H64: Code = Code + 1
Put #1, Code, &H89: Code = Code + 1
Put #1, Code, &H25: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H58: Code = Code + 1
Put #1, Code, &H64: Code = Code + 1
Put #1, Code, &HA3: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H58: Code = Code + 1
Put #1, Code, &H58: Code = Code + 1
Put #1, Code, &H58: Code = Code + 1
Put #1, Code, &H58: Code = Code + 1
Put #1, Code, &H8B: Code = Code + 1
Put #1, Code, &HE8: Code = Code + 1
Put #1, Code, &HE9: Code = Code + 1
MaskVC = Code '将Code的位置回送MaskVC函数
End Function
Public Sub MaskVC60(Code As Long)
'写入vc6.0入口特征码
Put #1, Code, &H55: Code = Code + 1
Put #1, Code, &H8B: Code = Code + 1
Put #1, Code, &HEC: Code = Code + 1
Put #1, Code, &H6A: Code = Code + 1
Put #1, Code, &HFF: Code = Code + 1
Put #1, Code, &H68: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H68: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H64: Code = Code + 1
Put #1, Code, &HA1: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H50: Code = Code + 1
Put #1, Code, &H64: Code = Code + 1
Put #1, Code, &H89: Code = Code + 1
Put #1, Code, &H25: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H83: Code = Code + 1
Put #1, Code, &HEC: Code = Code + 1
Put #1, Code, &H68: Code = Code + 1
Put #1, Code, &H53: Code = Code + 1
Put #1, Code, &H56: Code = Code + 1
Put #1, Code, &H57: Code = Code + 1
Put #1, Code, &H58: Code = Code + 1
Put #1, Code, &H58: Code = Code + 1
Put #1, Code, &H58: Code = Code + 1
Put #1, Code, &H83: Code = Code + 1
Put #1, Code, &HC4: Code = Code + 1
Put #1, Code, &H68: Code = Code + 1
Put #1, Code, &H58: Code = Code + 1
Put #1, Code, &H67: Code = Code + 1
Put #1, Code, &H64: Code = Code + 1
Put #1, Code, &HA3: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H0: Code = Code + 1
Put #1, Code, &H58: Code = Code + 1
Put #1, Code, &H58: Code = Code + 1
Put #1, Code, &H58: Code = Code + 1
Put #1, Code, &H58: Code = Code + 1
Put #1, Code, &H8B: Code = Code + 1
Put #1, Code, &HE8: Code = Code + 1
Put #1, Code, &HE9: Code = Code + 1
End Sub
Public Sub MaskDelphi60(Code As Long)
'delphi6.0
Put #1, Code, &H55: Code = Code + 1
Put #1, Code, &H8B: Code = Code + 1
Put #1, Code, &HEC: Code = Code + 1
Put #1, Code, &H83: Code = Code + 1
Put #1, Code, &HC4: Code = Code + 1
Put #1, Code, &HF0: Code = Code + 1
Put #1, Code, &H83: Code = Code + 1
Put #1, Code, &HC4: Code = Code + 1
Put #1, Code, &HC: Code = Code + 1
Put #1, Code, &H50: Code = Code + 1
Put #1, Code, &HE9: Code = Code + 1
End Sub
'mod_WaitProcess
'Option Explicit
'OpenProcess打开指定进程
'参数
'dwDesiredAccess访问标识
'bInheritHandle,//句柄是否可继承
'dwProcessId //系统进程ID
'其中dwDesiredAccess参数可以是以下常量的任意组合:
'PROCESS_ALL_ACCESS//所有可能的权限
'PROCESS_CREATE_PROCESS//内部使用
'PROCESS_CREATE_THREAD//产生线程权限
'PROCESS_DUP_HANDLE//复制句柄权限
'PROCESS_QUERY_INformATION//查询信息权限
'PROCESS_SET_INformATION//设置信息权限
'PROCESS_TERMINATE//中止进程权限
Private Declare Function OpenProcess Lib "kernel32" _
(ByVal dwDesiredaccess&, _
ByVal bInherithandle&, _
ByVal dwProcessid&) _
As Long
'GetExitCodeProcess获取一个已中断进程的退出代码
'参数 类型及说明
'hProcess Long,想获取退出代码的一个进程的句柄
'lpExitCode Long,用于装载进程退出代码的一个长整数变量。如进程尚未中止,则设为常数STILL_ACTIVE
Private Declare Function GetExitCodeProcess Lib "kernel32" _
(ByVal hProcess As Long, _
lpexitcode As Long) _
As Long
Private Const STILL_ACTIVE = &H103 '外部程序在运行
Private Const PROCESS_QUERY_INFORMATION = &H400 '查询信息权限
Public Function ShellWait(cCommandLine As String) As Boolean
Dim hShell As Long
Dim hProc As Long
Dim lExit As Long
hShell = Shell(cCommandLine, vbNormalFocus)
hProc = OpenProcess(PROCESS_QUERY_INFORMATION, False, hShell)
Do
GetExitCodeProcess hProc, lExit
DoEvents
Loop While lExit = STILL_ACTIVE
End Function
'说明
制作:aqtata,调试二哥
伪装入口的小工具,测试了几个不同的程序可以正常运行
aspack等压缩
原文
http://www.vbgood.com/viewthread.php?tid=55083&extra=page%3D1
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)