[Original] Brief analysis: unpacking PEBundle 2.0x - 2.4x -> Jeremy Collake, plus cracking SwiSHmax
Posted: 2007-9-13 19:26 5560
SwiSHmax is a Flash authoring tool, the newest member of the SwiSHzone family; if you want to produce powerful, eye-catching animations without using Flash, SwiSHmax is a good choice. The executable is packed with PEBundle 2.0x - 2.4x -> Jeremy Collake. PEBundle is a bundling packer that comes off easily with the ESP trick, but SwiSHmax also relies on PEBundle's built-in registration system for licensing. That is easy to deal with: strip the packer and bypass the registration system on the way out, and the program is cracked.
00924000 > 9C PUSHFD ;loaded in OllyDbg (packed entry point)
00924001 60 PUSHAD
00924002 E8 02000000 CALL SwishMax.00924009 ;a CALL to $+7 that skips the XOR below, so really a JMP that also pushes a return address; the code never returns to 00924007, so F8 (step over) would let it run free: you must F7 into it
00924007 33C0 XOR EAX,EAX
00924009 8BC4 MOV EAX,ESP ;we land here
0092400B 83C0 04 ADD EAX,4
0092400E 93 XCHG EAX,EBX
0092400F 8BE3 MOV ESP,EBX
00924011 8B5B FC MOV EBX,DWORD PTR DS:[EBX-4]
00924014 81EB 07304000 SUB EBX,SwishMax.00403007
0092401A 87DD XCHG EBP,EBX ;EBP = 00924007 - 00403007 = 00521000, this layer's load delta; every [EBP+4xxxxx] operand below is delta-relative addressing into the layer's own data
0092401C 83BD 9C384000 0>CMP DWORD PTR SS:[EBP+40389C],1
F8 (step over) all the way down to here:
009241C4 8DB5 683F4000 LEA ESI,DWORD PTR SS:[EBP+403F68]
009241CA 6A 00 PUSH 0
009241CC 68 80000000 PUSH 80
009241D1 6A 02 PUSH 2
009241D3 6A 00 PUSH 0
009241D5 6A 00 PUSH 0
009241D7 68 00000040 PUSH 40000000
009241DC 56 PUSH ESI
009241DD FF95 0A3A4000 CALL DWORD PTR SS:[EBP+403A0A] ;CreateFile(ESI = path, GENERIC_WRITE (40000000), no sharing, NULL, CREATE_ALWAYS (2), FILE_ATTRIBUTE_NORMAL (80), NULL): drops a file into the current user's TEMP directory, e.g. C:\Documents and Settings\<your user name>\Local Settings\Temp
009241E3 83F8 FF CMP EAX,-1
009241E6 0F84 C5000000 JE SwishMax.009242B1
F8 (step over) all the way down to here:
009243DC C785 9C384000 0>MOV DWORD PTR SS:[EBP+40389C],1
009243E6 61 POPAD
009243E7 9D POPFD
009243E8 68 00309000 PUSH SwishMax.00903000
009243ED C3 RETN ;returns into the next layer at 00903000
00903000 9C PUSHFD
00903001 60 PUSHAD
00903002 E8 02000000 CALL SwishMax.00903009 ;same as at the start: a disguised JMP, F7 into it
00903007 33C0 XOR EAX,EAX
00903009 8BC4 MOV EAX,ESP
0090300B 83C0 04 ADD EAX,4
0090300E 93 XCHG EAX,EBX
0090300F 8BE3 MOV ESP,EBX
00903011 8B5B FC MOV EBX,DWORD PTR DS:[EBX-4]
00903014 81EB 07304000 SUB EBX,SwishMax.00403007
009031C4 8DB5 683F4000 LEA ESI,DWORD PTR SS:[EBP+403F68]
009031CA 6A 00 PUSH 0
009031CC 68 80000000 PUSH 80
009031D1 6A 02 PUSH 2
009031D3 6A 00 PUSH 0
009031D5 6A 00 PUSH 0
009031D7 68 00000040 PUSH 40000000
009031DC 56 PUSH ESI
009031DD FF95 0A3A4000 CALL DWORD PTR SS:[EBP+403A0A] ;CreateFile again, same arguments: another file is dropped into the current user's TEMP directory (C:\Documents and Settings\<your user name>\Local Settings\Temp)
The following layers repeat this, each dropping a file the same way; in total four files land in TEMP: image.bmp, swishmaxres6.dll, swl.ini and swlpi.dll. These are four configuration files the program needs in order to start.
008C7000 /EB 06 JMP SHORT SwishMax.008C7008
008C7002 |68 61462600 PUSH 264661
008C7007 |C3 RETN
008C7008 \9C PUSHFD
008C7009 60 PUSHAD
008C700A E8 02000000 CALL SwishMax.008C7011 ;same as at the start: a disguised JMP, F7 into it
008C700F 33C0 XOR EAX,EAX
008C7011 8BC4 MOV EAX,ESP
008C7013 83C0 04 ADD EAX,4
008C7016 93 XCHG EAX,EBX
F8 (step over) all the way down to here:
008C81FF 6A 00 PUSH 0
008C8201 FF95 41974000 CALL DWORD PTR SS:[EBP+409741]
008C8207 8BF8 MOV EDI,EAX
008C8209 5B POP EBX
008C820A 019D 83944000 ADD DWORD PTR SS:[EBP+409483],EBX
008C8210 8BB5 DE904000 MOV ESI,DWORD PTR SS:[EBP+4090DE]
008C8216 80BD 6B9D4000 C>CMP BYTE PTR SS:[EBP+409D6B],0C3
008C821D 74 2E JE SHORT SwishMax.008C824D ;note this JE: patching it to JMP skips the registration system. While tracing, press Enter on the jump to select 008C824D, then F4 to run straight to it
008C821F 60 PUSHAD ; (Initial CPU selection)
008C8220 8B9D 39974000 MOV EBX,DWORD PTR SS:[EBP+409739]
008C8226 8B8D 3D974000 MOV ECX,DWORD PTR SS:[EBP+40973D]
008C822C 8B95 E6904000 MOV EDX,DWORD PTR SS:[EBP+4090E6]
008C8232 8DBD 6BA14000 LEA EDI,DWORD PTR SS:[EBP+40A16B]
008C8238 56 PUSH ESI
008C8239 52 PUSH EDX
008C823A 6A 40 PUSH 40
008C823C 57 PUSH EDI
008C823D 51 PUSH ECX
008C823E 53 PUSH EBX
008C823F E8 F60B0000 CALL SwishMax.008C8E3A ;registration-system routine
008C8244 85C0 TEST EAX,EAX
008C8246 0F85 9F000000 JNZ SwishMax.008C82EB
008C824C 61 POPAD
008C824D 57 PUSH EDI
008C824E AD LODS DWORD PTR DS:[ESI]
008C824F 85C0 TEST EAX,EAX
008C8251 0F84 9B000000 JE SwishMax.008C82F2
008C8257 8BD0 MOV EDX,EAX
008C8259 0395 E6904000 ADD EDX,DWORD PTR SS:[EBP+4090E6]
008C825F AD LODS DWORD PTR DS:[ESI]
008C8260 56 PUSH ESI
008C8261 8BC8 MOV ECX,EAX
008C8263 57 PUSH EDI
008C8264 52 PUSH EDX
008C8265 8DB5 6BA14000 LEA ESI,DWORD PTR SS:[EBP+40A16B]
008C826B 57 PUSH EDI
008C826C 51 PUSH ECX
008C826D 52 PUSH EDX
008C826E 6A 40 PUSH 40
008C8270 56 PUSH ESI
008C8271 FFB5 3D974000 PUSH DWORD PTR SS:[EBP+40973D]
008C8277 FFB5 39974000 PUSH DWORD PTR SS:[EBP+409739]
008C827D E8 B8090000 CALL SwishMax.008C8C3A
008C8282 5A POP EDX
008C8283 5F POP EDI
008C8284 8D85 E4914000 LEA EAX,DWORD PTR SS:[EBP+4091E4]
008C828A 50 PUSH EAX
008C828B 64:67:FF36 0000 PUSH DWORD PTR FS:[0]
008C8291 64:67:8926 0000 MOV DWORD PTR FS:[0],ESP
008C8297 52 PUSH EDX
008C8298 57 PUSH EDI
008C8299 FF95 DA904000 CALL DWORD PTR SS:[EBP+4090DA]
008C829F 64:67:8F06 0000 POP DWORD PTR FS:[0]
008C82A5 83C4 04 ADD ESP,4
008C82A8 85C0 TEST EAX,EAX
008C82AA 74 07 JE SHORT SwishMax.008C82B3
008C82AC 8BC8 MOV ECX,EAX
008C82AE 5E POP ESI
008C82AF 5F POP EDI
008C82B0 ^ EB 9B JMP SHORT SwishMax.008C824D
008C82F2 5F POP EDI
008C82F3 8BB5 E2904000 MOV ESI,DWORD PTR SS:[EBP+4090E2]
008C82F9 AD LODS DWORD PTR DS:[ESI]
008C82FA 83F8 FF CMP EAX,-1
008C82FD 74 74 JE SHORT SwishMax.008C8373 ; same here: Enter on the jump to select 008C8373, then F4 to run to it
008C82FF 0385 E6904000 ADD EAX,DWORD PTR SS:[EBP+4090E6]
008C8305 8BD8 MOV EBX,EAX
008C8307 AD LODS DWORD PTR DS:[ESI]
008C8308 0385 E6904000 ADD EAX,DWORD PTR SS:[EBP+4090E6]
008C83A0 /74 72 JE SHORT SwishMax.008C8414 ;start of the E8/E9 "optimization" fixup: the loop below walks the code looking for CALL/JMP rel32 (E8/E9), JMP DWORD PTR [mem] (FF 25) and Jcc rel32 (0F 80..8F) and rewrites their operands. Same again: Enter to 008C8414 and F4
008C83A2 |78 70 JS SHORT SwishMax.008C8414
008C83A4 |66:8B07 MOV AX,WORD PTR DS:[EDI]
008C83A7 |2C E8 SUB AL,0E8
008C83A9 |3C 01 CMP AL,1
008C83AB |76 38 JBE SHORT SwishMax.008C83E5
008C83AD |66:3D 1725 CMP AX,2517
008C83B1 |74 51 JE SHORT SwishMax.008C8404
008C83B3 |3C 27 CMP AL,27
008C83B5 |75 0A JNZ SHORT SwishMax.008C83C1
008C83B7 |80FC 80 CMP AH,80
008C83BA |72 05 JB SHORT SwishMax.008C83C1
008C83BC |80FC 8F CMP AH,8F
008C83BF |76 05 JBE SHORT SwishMax.008C83C6
008C83C1 |47 INC EDI
008C83C2 |43 INC EBX
008C83C3 ^|EB DA JMP SHORT SwishMax.008C839F
008C83C5 |B8 8B470290 MOV EAX,9002478B
008C8548 ^\0F85 9DFDFFFF JNZ SwishMax.008C82EB
008C854E 61 POPAD
008C854F 9D POPFD
008C8550 50 PUSH EAX
008C8551 68 61466600 PUSH SwishMax.00664661
008C8556 C2 0400 RETN 4 ;returns to the OEP, 00664661
Dump the process here and rebuild the imports with ImportREC. The image base is 00400000, so the OEP to enter in ImportREC is the RVA 00264661 (= 00664661 - 00400000); search for the IAT and fix the dump.
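What the loop at 008C839F..008C83C5 above is undoing is a standard "E8/E9 optimization" filter. The Python below is an added illustration, not code from this post or from PEBundle: its recogniser mirrors the three opcode tests visible in the listing, and the transform it applies (rel32 to absolute RVA before compression, and back again in the stub) is the textbook form of this filter. PEBundle's exact arithmetic, and what it does with the FF 25 case, are not visible in the trace, so those parts are assumptions; the sample code bytes are constructed.

```python
import struct

# The three opcode classes the stub's scan loop (008C839F..008C83C5 above) tests for,
# read straight off the listing:
#   E8 / E9         CALL rel32 / JMP rel32     SUB AL,0E8 ; CMP AL,1 ; JBE
#   FF 25           JMP DWORD PTR [imm32]      CMP AX,2517   (AX after the SUB, i.e. bytes FF 25)
#   0F 80 .. 0F 8F  Jcc rel32                  CMP AL,27 (0F-E8) ; CMP AH,80 ; CMP AH,8F
def match_prefix(code: bytes, i: int) -> int:
    """Opcode length (1 or 2) if code[i] starts an instruction the stub patches, else 0."""
    b0 = code[i]
    b1 = code[i + 1] if i + 1 < len(code) else None
    if b0 in (0xE8, 0xE9):
        return 1
    if b0 == 0xFF and b1 == 0x25:
        return 2
    if b0 == 0x0F and b1 is not None and 0x80 <= b1 <= 0x8F:
        return 2
    return 0


def scan(code: bytes):
    """Yield (offset, opcode_len) for every match, advancing as the stub does: one byte on a
    miss (INC EDI / INC EBX), past the 4-byte operand on a hit so operand bytes are never
    mistaken for opcodes."""
    i = 0
    while i < len(code):
        n = match_prefix(code, i)
        if n and i + n + 4 <= len(code):
            yield i, n
            i += n + 4
        else:
            i += 1


def e8e9_filter(code: bytes, code_rva: int, encode: bool) -> bytes:
    """Textbook E8/E9 transform over a code section that starts at RVA code_rva.
    encode=True is the packer-side pass: each rel32 becomes the absolute RVA of its target,
    so repeated branches to one routine turn into identical byte strings that compress well.
    encode=False is the inverse the unpack stub runs. FF 25 already holds an absolute pointer
    and the listing doesn't show what PEBundle does with it, so it is recognised but left as is."""
    out = bytearray(code)
    for off, n in scan(code):
        if code[off] == 0xFF:
            continue
        op = off + n
        next_rva = code_rva + op + 4        # rel32 is relative to the end of the instruction
        val = struct.unpack_from("<I", out, op)[0]
        val = (next_rva + val) if encode else (val - next_rva)
        struct.pack_into("<I", out, op, val & 0xFFFFFFFF)   # two's complement for backward branches
    return bytes(out)


def branch_operands(code: bytes) -> list:
    """The 32-bit operands of the E8/E9/Jcc matches, in scan order, to make the effect visible."""
    return [struct.unpack_from("<I", code, off + n)[0] for off, n in scan(code) if code[off] != 0xFF]


# Constructed sample laid out at RVA 1000: two CALLs and a JE to a routine at RVA 1100,
# a backward JMP to 1000, a JMP through an import slot, and NOP filler.
SAMPLE_RVA = 0x1000
SAMPLE = bytes.fromhex(
    "E8 FB 00 00 00 "                     # 1000: CALL 1100            rel32 = 1100 - 1005
    "90 90 90 90 90 90 90 90 90 90 90 "   # 1005: 11 x NOP
    "E8 EB 00 00 00 "                     # 1010: CALL 1100            rel32 = 1100 - 1015
    "0F 84 E5 00 00 00 "                  # 1015: JE 1100              rel32 = 1100 - 101B
    "FF 25 00 20 40 00 "                  # 101B: JMP DWORD PTR [00402000]
    "E9 DA FF FF FF "                     # 1021: JMP 1000             rel32 = 1000 - 1026 (negative)
    "C3 "                                 # 1026: RETN
)

if __name__ == "__main__":
    packed = e8e9_filter(SAMPLE, SAMPLE_RVA, encode=True)
    print("rel32 operands:   ", [hex(v) for v in branch_operands(SAMPLE)])
    print("absolute operands:", [hex(v) for v in branch_operands(packed)])
    assert e8e9_filter(packed, SAMPLE_RVA, encode=False) == SAMPLE
```

The point of the filter shows up in `branch_operands`: before the forward pass the three branches to RVA 1100 carry three different rel32 values, afterwards they are byte-identical, which is what the compressor benefits from. The scanner advancing past each operand matters for correctness: if it stepped one byte at a time everywhere, an operand byte of E8 or 0F 8x would be "fixed up" as if it were an opcode.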
This packer also has an even easier unpacking route: just keep applying the ESP trick, layer after layer.
00924000 > 9C PUSHFD ;loaded in OllyDbg
00924001 60 PUSHAD
00924002 E8 02000000 CALL SwishMax.00924009 ;after the PUSHAD, set a hardware access breakpoint on [ESP] (hr esp) and press F9
00924007 33C0 XOR EAX,EAX
009243E7 9D POPFD ;breaks here, right after the POPAD reads the saved registers
009243E8 68 00309000 PUSH SwishMax.00903000
009243ED C3 RETN
00903000 9C PUSHFD
00903001 60 PUSHAD
00903002 E8 02000000 CALL SwishMax.00903009 ;hardware access breakpoint on [ESP] again, F9
00903007 33C0 XOR EAX,EAX
00903009 8BC4 MOV EAX,ESP
009033E7 9D POPFD ;breaks here
009033E8 68 00108E00 PUSH SwishMax.008E1000
009033ED C3 RETN
008E1000 9C PUSHFD
008E1001 60 PUSHAD
008E1002 E8 02000000 CALL SwishMax.008E1009 ;hardware access breakpoint on [ESP] again, F9
008E1007 33C0 XOR EAX,EAX
008E1009 8BC4 MOV EAX,ESP
008E13E7 9D POPFD ;breaks here
008E13E8 68 00E08D00 PUSH SwishMax.008DE000
008E13ED C3 RETN
008DE000 9C PUSHFD
008DE001 60 PUSHAD
008DE002 E8 02000000 CALL SwishMax.008DE009 ;hardware access breakpoint on [ESP] again, F9
008DE007 33C0 XOR EAX,EAX
008DE009 8BC4 MOV EAX,ESP
008DE3E7 9D POPFD ;breaks here
008DE3E8 68 00708C00 PUSH SwishMax.008C7000
008DE3ED C3 RETN
008C7000 /EB 06 JMP SHORT SwishMax.008C7008
008C7002 |68 61462600 PUSH 264661
008C7007 |C3 RETN
008C7008 \9C PUSHFD
008C7009 60 PUSHAD
008C700A E8 02000000 CALL SwishMax.008C7011 ;set the hardware breakpoint here as before, but don't F9 straight away: F7 into this layer, find the registration-system JE described above and bypass it, then F9
008C700F 33C0 XOR EAX,EAX
008C7011 8BC4 MOV EAX,ESP
008C7013 83C0 04 ADD EAX,4
008C854F 9D POPFD ;breaks here
008C8550 50 PUSH EAX
008C8551 68 61466600 PUSH SwishMax.00664661
008C8556 C2 0400 RETN 4 ;to the OEP, 00664661
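The repeated ESP trick works because every PEBundle layer has the same shape: it opens with PUSHFD / PUSHAD / CALL $+7 and closes with POPAD / POPFD / PUSH next_layer / RETN, and the final layer, which sits behind a JMP SHORT over a PUSH oep_rva / RETN header, closes with POPAD / POPFD / PUSH EAX / PUSH oep / RETN 4. The Python below is an added example (not from this post or from PEBundle) that follows that chain through a flat process dump using exactly those byte signatures, and reports the OEP together with the RVA ImportREC needs. It runs on a constructed stand-in for the dump that contains only the stub bytes at the layer addresses from the listing; the epilogue offsets and the 0x2000-byte search window are assumptions.

```python
import struct

IMAGE_BASE = 0x00400000

# Layer prologue as in the listing: PUSHFD / PUSHAD / CALL $+7 / XOR EAX,EAX / MOV EAX,ESP / ADD EAX,4 / XCHG EAX,EBX
PROLOGUE = bytes.fromhex("9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93")
# The last layer (008C7000 above) is preceded by "JMP SHORT +6 / PUSH oep_rva / RETN"
HEADER_JMP = bytes.fromhex("EB 06 68")


def layer_at(image: bytes, off: int):
    """If a PEBundle layer stub starts at offset off, return (offset of its PROLOGUE, OEP RVA
    from the JMP-SHORT header or None); otherwise return None."""
    hdr_rva = None
    if image[off:off + 3] == HEADER_JMP and len(image) >= off + 8 and image[off + 7] == 0xC3:
        hdr_rva = struct.unpack_from("<I", image, off + 3)[0]
        off += 8
    if image[off:off + len(PROLOGUE)] != PROLOGUE:
        return None
    return off, hdr_rva


def find_epilogue(image: bytes, start: int, window: int = 0x2000):
    """Scan forward from start for the layer's exit: ("next", VA) for POPAD / POPFD / PUSH imm32 / RETN,
    or ("oep", VA) for POPAD / POPFD / PUSH EAX / PUSH imm32 / RETN 4. The window size is an assumption."""
    end = min(len(image) - 11, start + window)
    for i in range(start, end):
        if image[i] != 0x61 or image[i + 1] != 0x9D:
            continue
        if image[i + 2] == 0x68 and image[i + 7] == 0xC3:
            return "next", struct.unpack_from("<I", image, i + 3)[0]
        if image[i + 2] == 0x50 and image[i + 3] == 0x68 and image[i + 8:i + 11] == b"\xC2\x04\x00":
            return "oep", struct.unpack_from("<I", image, i + 4)[0]
    return None


def follow_layers(image: bytes, image_base: int, entry_va: int, max_layers: int = 16):
    """Walk the chain from the packed entry point. Returns (layer VAs in order, OEP VA, OEP RVA);
    the RVA is the value to type into ImportREC's OEP field."""
    layers, seen, cur = [], set(), entry_va
    while cur not in seen and len(layers) < max_layers:
        seen.add(cur)
        found = layer_at(image, cur - image_base)
        if found is None:
            raise ValueError(f"no PEBundle layer stub at {cur:08X}")
        body_off, hdr_rva = found
        layers.append(cur)
        exit_ = find_epilogue(image, body_off)
        if exit_ is None:
            raise ValueError(f"no layer epilogue within the search window after {cur:08X}")
        kind, target = exit_
        if kind == "next":
            cur = target                     # the pushed address is the next layer's entry
            continue
        if hdr_rva is not None and hdr_rva != target - image_base:
            raise ValueError("OEP RVA in the layer header disagrees with the pushed OEP")
        return layers, target, target - image_base
    raise ValueError("layer chain looped or exceeded max_layers without reaching an OEP")


def build_sample_dump() -> bytes:
    """Constructed stand-in for a SwiSHmax process dump: zero filler with the stub prologues and
    epilogues placed at the layer addresses from the listing (00924000 -> 00903000 -> 008E1000 ->
    008DE000 -> 008C7000 -> OEP 00664661). Epilogue offsets +3E6 and +154E follow the listing;
    everything else is made up."""
    chain = [0x00924000, 0x00903000, 0x008E1000, 0x008DE000, 0x008C7000]
    oep = 0x00664661
    img = bytearray(0x530000)
    for n, va in enumerate(chain):
        off = va - IMAGE_BASE
        if n == len(chain) - 1:
            img[off:off + 8] = HEADER_JMP + struct.pack("<I", oep - IMAGE_BASE) + b"\xC3"
            img[off + 8:off + 8 + len(PROLOGUE)] = PROLOGUE
            e = off + 0x154E
            img[e:e + 11] = b"\x61\x9D\x50\x68" + struct.pack("<I", oep) + b"\xC2\x04\x00"
        else:
            img[off:off + len(PROLOGUE)] = PROLOGUE
            e = off + 0x3E6
            img[e:e + 8] = b"\x61\x9D\x68" + struct.pack("<I", chain[n + 1]) + b"\xC3"
    return bytes(img)


if __name__ == "__main__":
    dump = build_sample_dump()
    layers, oep, oep_rva = follow_layers(dump, IMAGE_BASE, 0x00924000)
    print(" -> ".join(f"{va:08X}" for va in layers), f"-> OEP {oep:08X} (ImportREC OEP: {oep_rva:08X})")
```

On a real dump the script only replaces the hardware-breakpoint loop; it cannot replace the manual step at 008C700A, because the registration-system JE has to be patched while the last layer actually executes. The cross-check between the RVA in the JMP-SHORT header and the address pushed before RETN 4 is there so a corrupted or partially unpacked dump fails loudly instead of yielding a wrong OEP.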
When the program exits it deletes the four temporary files listed above. The unpacked build no longer contains the stub that drops them, so it will not recreate them at startup; the fix is to make a self-extracting EXE with RAR that first extracts those four files into TEMP and then runs the main program.
http://hi.baidu.com/xdct/blog/item/f6e3b544f8d50c4f500ffe65.html