[求助]怎么脱Themida/WinLicense V1.8.2.0 + [Overlay]-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [求助]怎么脱Themida/WinLicense V1.8.2.0 + [Overlay] 0.00雪花

发表于: 2008-5-2 22:56 3746

[旧帖] [求助]怎么脱Themida/WinLicense V1.8.2.0 + [Overlay] 0.00雪花

fuquan

2008-5-2 22:56

3746

PEID查壳是：Themida/WinLicense V1.8.2.0 +  -> Oreans Technologies * Sign.By.fly [Overlay] *
OD载入停在这里：
0055E014 >  B8 00000000    mov    eax, 0
0055E019 60             pushad
0055E01A 0BC0          or    eax, eax
0055E01C 74 68          je    short 0055E086
0055E01E E8 00000000    call 0055E023
0055E023 58             pop    eax
0055E024 05 53000000    add    eax, 53
0055E029 8038 E9       cmp    byte ptr [eax], 0E9
0055E02C 75 13          jnz    short 0055E041
0055E02E 61             popad
0055E02F EB 45          jmp    short 0055E076
0055E031 DB2D 37E05500 fld    tbyte ptr [55E037]
0055E037 FFFF          ???                                     ; 未知命令
0055E039 FFFF          ???                                     ; 未知命令
0055E03B FFFF          ???                                     ; 未知命令
0055E03D FFFF          ???                                     ; 未知命令
0055E03F 3D 40E80000    cmp    eax, 0E840
0055E044 0000          add    byte ptr [eax], al
0055E046 58             pop    eax

用okdodo 兄的脱壳脚本..程序运行在这里就没任何反应了.....：
00653228 0F3F          ???                                     ; 未知命令
0065322A 07             pop    es
0065322B 0B648F 05    or    esp, dword ptr [edi+ecx*4+5]
0065322F 0000          add    byte ptr [eax], al
00653231 0000          add    byte ptr [eax], al
00653233 83C4 04       add    esp, 4
00653236 31B5 251CE905 xor    dword ptr [ebp+5E91C25], esi    ; (initial cpu selection)
0065323C 56             push esi
0065323D 31B5 C105E905 xor    dword ptr [ebp+5E905C1], esi
00653243 59             pop    ecx
00653244 83FB FF       cmp    ebx, -1
00653247 0F84 21000000 je    0065326E
0065324D 81C9 5876934F or    ecx, 4F937658
00653253 E9 E8000000    jmp    00653340
00653258 E9 0D000000    jmp    0065326A
0065325D C8 39D866    enter 0D839, 66
00653261 AB             stos dword ptr es:[edi]
00653262 D6             salc
00653263 216473 DA    and    dword ptr [ebx+esi*2-26], esp
00653267 AF             scas dword ptr es:[edi]
00653268 DB3F          fstp tbyte ptr [edi]
0065326A 66:B9 C1F0    mov    cx, 0F0C1
0065326E E9 54000000    jmp    006532C7
00653273 0B8D 7908E905 or    ecx, dword ptr [ebp+5E90879]
00653279 8B4C24 0C    mov    ecx, dword ptr [esp+C]
0065327D C781 A4000000 F>mov    dword ptr [ecx+A4], -1
00653287 8381 B8000000 0>add    dword ptr [ecx+B8], 4
0065328E 33C0          xor    eax, eax
00653290 C3             retn

在第2次运行脱壳脚本到这
00653A09 CD 01          int    1
00653A0B EB 00          jmp    short 00653A0D
00653A0D 6A 00          push 0
00653A0F 57             push edi
00653A10 E8 03000000    call 00653A18
00653A15 205F C3       and    byte ptr [edi-3D], bl
00653A18 5F             pop    edi
00653A19 897C24 04    mov    dword ptr [esp+4], edi
00653A1D 814424 04 1B000>add    dword ptr [esp+4], 1B
00653A25 47             inc    edi
00653A26 57             push edi
00653A27 C3             retn

在第3次运行脱壳脚本停在这里此时脚本有提示：
00418712  /.  55          push ebp                                  这看是OEP我就在这脱壳了..
00418713  |.  8BEC       mov    ebp, esp
00418715  |.  6A FF       push -1
00418717  |.  68 083C4600 push 00463C08
0041871C  |.  68 76884100 push 00418876                      ;  jmp 到 msvcrt._except_handler3; SE 处理程序安装
00418721  |.  64:A1 0000000>mov    eax, dword ptr fs:[0]
00418727  |.  50          push eax
00418728  |.  64:8925 00000>mov    dword ptr fs:[0], esp
0041872F  |.  83EC 68    sub    esp, 68
00418732  |.  53          push ebx
00418733  |.  56          push esi
00418734  |.  57          push edi
00418735  |.  8965 E8    mov    dword ptr [ebp-18], esp
00418738  |.  33DB       xor    ebx, ebx
0041873A  |.  895D FC    mov    dword ptr [ebp-4], ebx
0041873D  |.  6A 02       push 2
0041873F  |.  FF15 181B4600 call dword ptr [461B18]             ;  msvcrt.__set_app_type
00418745  |.  59          pop    ecx
00418746  |.  830D 0CA04700>or    dword ptr [47A00C], FFFFFFFF
0041874D  |.  830D 10A04700>or    dword ptr [47A010], FFFFFFFF
00418754  |.  FF15 141B4600 call dword ptr [461B14]             ;  msvcrt.__p__fmode
0041875A  |.  8B0D 2C9C4700 mov    ecx, dword ptr [479C2C]
00418760  |.  8908       mov    dword ptr [eax], ecx
00418762  |.  FF15 101B4600 call dword ptr [461B10]             ;  msvcrt.__p__commode
00418768  |.  8B0D 289C4700 mov    ecx, dword ptr [479C28]
0041876E  |.  8908       mov    dword ptr [eax], ecx
00418770  |.  A1 0C1B4600 mov    eax, dword ptr [461B0C]
00418775  |.  8B00       mov    eax, dword ptr [eax]
00418777  |.  A3 08A04700 mov    dword ptr [47A008], eax
0041877C  |.  E8 28010000 call 004188A9
00418781  |.  391D D86B4700 cmp    dword ptr [476BD8], ebx
00418787  |.  75 0C       jnz    short 00418795
00418789  |.  68 A6884100 push 004188A6
0041878E  |.  FF15 081B4600 call dword ptr [461B08]             ;  msvcrt.__setusermatherr
00418794  |.  59          pop    ecx
00418795  |>  E8 FA000000 call 00418894
0041879A  |.  68 9C604700 push 0047609C
0041879F  |.  68 98604700 push 00476098
004187A4  |.  E8 E5000000 call 0041888E                      ;  jmp 到 msvcrt._initterm
004187A9  |.  A1 249C4700 mov    eax, dword ptr [479C24]
004187AE  |.  8945 94    mov    dword ptr [ebp-6C], eax
004187B1  |.  8D45 94    lea    eax, dword ptr [ebp-6C]
004187B4  |.  50          push eax
004187B5  |.  FF35 209C4700 push dword ptr [479C20]
004187BB  |.  8D45 9C    lea    eax, dword ptr [ebp-64]
004187BE  |.  50          push eax
004187BF  |.  8D45 90    lea    eax, dword ptr [ebp-70]
004187C2  |.  50          push eax
004187C3  |.  8D45 A0    lea    eax, dword ptr [ebp-60]
004187C6  |.  50          push eax
004187C7  |.  FF15 001B4600 call dword ptr [461B00]             ;  msvcrt.__getmainargs
004187CD  |.  68 94604700 push 00476094
004187D2  |.  68 00604700 push 00476000
004187D7  |.  E8 B2000000 call 0041888E                      ;  jmp 到 msvcrt._initterm
004187DC  |.  83C4 24    add    esp, 24
004187DF  |.  A1 FC1A4600 mov    eax, dword ptr [461AFC]
004187E4  |.  8B30       mov    esi, dword ptr [eax]
004187E6  |.  8975 8C    mov    dword ptr [ebp-74], esi
004187E9  |.  803E 22    cmp    byte ptr [esi], 22
004187EC  |.  75 3A       jnz    short 00418828
004187EE  |>  46          /inc    esi
004187EF  |.  8975 8C    |mov    dword ptr [ebp-74], esi
004187F2  |.  8A06       |mov    al, byte ptr [esi]
004187F4  |.  3AC3       |cmp    al, bl
004187F6  |.  74 04       |je    short 004187FC
004187F8  |.  3C 22       |cmp    al, 22
004187FA  |.^ 75 F2       \jnz    short 004187EE
004187FC  |>  803E 22    cmp    byte ptr [esi], 22
004187FF  |.  75 04       jnz    short 00418805
00418801  |>  46          inc    esi
00418802  |.  8975 8C    mov    dword ptr [ebp-74], esi
00418805  |>  8A06       mov    al, byte ptr [esi]
00418807  |.  3AC3       cmp    al, bl
00418809  |.  74 04       je    short 0041880F
0041880B  |.  3C 20       cmp    al, 20
0041880D  |.^ 76 F2       jbe    short 00418801
0041880F  |>  895D D0    mov    dword ptr [ebp-30], ebx
00418812  |.  8D45 A4    lea    eax, dword ptr [ebp-5C]
00418815  |.  50          push eax                            ; /pStartupinfo
00418816  |.  FF15 48124600 call dword ptr [461248]             ; \GetStartupInfoA
0041881C  |.  F645 D0 01 test byte ptr [ebp-30], 1
00418820  |.  74 11       je    short 00418833
00418822  |.  0FB745 D4    movzx eax, word ptr [ebp-2C]
00418826  |.  EB 0E       jmp    short 00418836
00418828  |>  803E 20    /cmp    byte ptr [esi], 20
0041882B  |.^ 76 D8       |jbe    short 00418805
0041882D  |.  46          |inc    esi
0041882E  |.  8975 8C    |mov    dword ptr [ebp-74], esi
00418831  |.^ EB F5       \jmp    short 00418828
00418833  |>  6A 0A       push 0A
00418835  |.  58          pop    eax
00418836  |>  50          push eax
00418837  |.  56          push esi
00418838  |.  53          push ebx
00418839  |.  53          push ebx                            ; /pModule
0041883A  |.  FF15 2C114600 call dword ptr [46112C]             ; \GetModuleHandleA
00418840  |.  50          push eax
00418841  |.  E8 56240400 call 0045AC9C
00418846  |.  8945 98    mov    dword ptr [ebp-68], eax
00418849  |.  50          push eax                            ; /status
0041884A  |.  FF15 701A4600 call dword ptr [461A70]             ; \exit
00418850  |.  8B45 EC    mov    eax, dword ptr [ebp-14]
00418853  |.  8B08       mov    ecx, dword ptr [eax]
00418855  |.  8B09       mov    ecx, dword ptr [ecx]
00418857  |.  894D 88    mov    dword ptr [ebp-78], ecx
0041885A  |.  50          push eax
0041885B  |.  51          push ecx
0041885C  |.  E8 27000000 call 00418888                      ;  jmp 到 msvcrt._XcptFilter
00418861  |.  59          pop    ecx
00418862  |.  59          pop    ecx
00418863  \.  C3          retn
脱壳后用ImpREC修复时发现有一个指针..
rva:00061D90 ptr:00401080无效..
..我就直接剪切然后转存..
用PEID查壳显示：Microsoft Visual C++ 6.0.
然后打开运行发现运行不了...那位大侠帮忙看看那里错了谢谢！！！！

由于权限不够就发在临时空间请大侠帮帮忙还请帖上脱壳过程让小弟学习学习万分感谢！！！
保证无毒...有毒我死全家...........
下载地址：http://www.live-share.com/files/320001/B03_____08___.rar.html
不能下载已修改好了可以下...

[课程]Linux pwn 探索篇！

收藏・0

免费・0

支持

最新回复 (1)
sizhaoming 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 260 粉丝 0 关注私信	sizhaoming 2 楼下载来的B03__________08______.rar文件只有5K大小，提示已经损坏。 2008-5-2 23:48 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

fuquan

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
sizhaoming 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 260 粉丝 0 关注私信	sizhaoming 2 楼下载来的B03__________08______.rar文件只有5K大小，提示已经损坏。 2008-5-2 23:48 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复