【破解作者】 stasi[DCM][BCG][DFCG][FCG][OCN][CZG][D.4s]
【作者邮箱】 [email]stasi@163.com[/email]
【作者主页】 stasi.7169.com
【使用工具】 PEiD W32Dasm
【破解平台】 Win9x/NT/2000/XP
【软件名称】 File Compare32(c) Plushmm & The+Q 风飘雪汉化
【软件简介】 File Compare32是 Plushmm & The+Q 写的小工具,比较实用的。
【软件大小】 12.8k
【加壳方式】 PC PE Encryptor alpha preview -> The +Q, Plushmm & Mr. Nop
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】 PC PE Encryptor alpha preview -> The +Q, Plushmm & Mr. Nop 不太常见的shell,不忽略所有的异常,慢慢看...
; --- Packer stub entry (00406000). OllyDbg 1.1 listing, Intel syntax, 32-bit Win32 PE.
; Saves the six general registers it uses; they are restored in reverse order right
; before the final jmp eax (004062A1..004062A7), so the OEP sees the loader's registers.
00406000 F> 53 push ebx
00406001 51 push ecx
00406002 52 push edx
00406003 56 push esi
00406004 57 push edi
00406005 55 push ebp
; call $+5 / pop ebp: the call only pushes its own return address (0040600B); the pop
; turns that into the stub's runtime address (delta-offset idiom). Nothing is "called".
00406006 E8 00000000 call FC32b.0040600B 伪装的,所以单步过
0040600B 5D pop ebp
0040600C 8BCD mov ecx,ebp
; ebp = 0040600B - 00403033. Every ss:[ebp+4032xx] operand below is therefore NOT a
; stack slot but the stub's data area, which starts at 004062A9 (ebp+4032D1), i.e.
; immediately after the 2-byte jmp eax at 004062A7 that ends the stub code.
0040600E 81ED 33304000 sub ebp,FC32b.00403033
; ecx = 00406000 - [ebp+4032EE]. Presumably [ebp+4032EE] holds the stub's RVA, which
; would make [ebp+4032F2] the real image base -- consistent with it being added to every
; section offset below (00406065, 004060F8, 00406183, 004061F9) -- TODO confirm.
00406014 2B8D EE324000 sub ecx,dword ptr ss:[ebp+4032>
0040601A 83E9 0B sub ecx,0B
0040601D 898D F2324000 mov dword ptr ss:[ebp+4032F2],>
; Run-once guard: a byte flag already set to 1 skips the whole stub and goes straight
; to 00406293 (restore registers, jump to OEP).
00406023 80BD D1324000 01 cmp byte ptr ss:[ebp+4032D1],1
0040602A 0F84 63020000 je FC32b.00406293
00406030 C685 D1324000 01 mov byte ptr ss:[ebp+4032D1],1
; [ebp+4032FE] is the value the section counter is compared against at 004061CB; zero
; means no encrypted sections, so decryption is skipped and relocations (004061D3) follow.
00406037 83BD FE324000 00 cmp dword ptr ss:[ebp+4032FE],>
0040603E 0F84 8F010000 je FC32b.004061D3
; --- First decryption pass over one region (start in [ebp+4032D2], byte length in
; [ebp+4032D6]). Operands ending in ">" are truncated by the OllyDbg column width.
; [ebp+4032DE] receives a constant that later becomes the checksum seed/result (00406169).
00406044 C785 DE324000 785>mov dword ptr ss:[ebp+4032DE],>
; Region start of 0 means "nothing to decrypt here" -> jump to the per-section loop.
0040604E 83BD D2324000 00 cmp dword ptr ss:[ebp+4032D2],>
00406055 0F84 1A010000 je FC32b.00406175
; [ebp+4032DA] = initial key (constant, truncated). esi = edi = region start + base,
; so the region is decrypted in place. ecx = length / 4 = dword count.
0040605B C785 DA324000 FE4>mov dword ptr ss:[ebp+4032DA],>
00406065 8BB5 D2324000 mov esi,dword ptr ss:[ebp+4032>
0040606B 03B5 F2324000 add esi,dword ptr ss:[ebp+4032>
00406071 8BFE mov edi,esi
00406073 8B8D D6324000 mov ecx,dword ptr ss:[ebp+4032>
00406079 C1E9 02 shr ecx,2
; Per dword: plain = rol(cipher ^ key, key >> 24); then key = rol(key, cipher byte 1).
; The loop counter lives on the stack because ecx is reused as the rotate count.
0040607C 51 push ecx
0040607D AD lods dword ptr ds:[esi]
0040607E 8A5E FD mov bl,byte ptr ds:[esi-3] ; esi already advanced by 4: this is byte 1 of the ciphertext dword just loaded
00406081 3385 DA324000 xor eax,dword ptr ss:[ebp+4032>
00406087 8B8D DA324000 mov ecx,dword ptr ss:[ebp+4032>
0040608D C1E9 18 shr ecx,18 ; cl = top byte of the key (0x18 = 24)
00406090 D3C0 rol eax,cl
00406092 AB stos dword ptr es:[edi]
; Key schedule: rotate the key by a count taken from the ciphertext, so the keystream
; is data-dependent -- the same key/rotation order must be reproduced exactly to unpack offline.
00406093 8B85 DA324000 mov eax,dword ptr ss:[ebp+4032>
00406099 8ACB mov cl,bl
0040609B D3C0 rol eax,cl
0040609D 8985 DA324000 mov dword ptr ss:[ebp+4032DA],>
004060A3 59 pop ecx
004060A4 ^ E2 D6 loopd short FC32b.0040607C 第一个大循环
; --- Builds a 256-entry dword table at (00403352 + ebp), i.e. in the stub's data area.
; edi starts at the LAST slot (base + 3FC) and `std` makes stos walk downward, so entry i
; is stored at base + 3FC - 4*i: the table is laid out in reverse index order. Keep that
; in mind when re-implementing the lookup done at 00406121..0040612C.
004060A6 BF 52334000 mov edi,FC32b.00403352 ; ASCII "eA"
004060AB 03FD add edi,ebp
004060AD 81C7 FC030000 add edi,3FC
004060B3 FD std
004060B4 BE 00000000 mov esi,0 ; esi = table index 0..FF
004060B9 8BC6 mov eax,esi
004060BB B9 08000000 mov ecx,8 ; 8 shift rounds per entry
; Polynomial constant EDB88320 is the reflected CRC-32 polynomial, but note the branch
; sense: the XOR is applied when the low bit is CLEAR (jnz skips it). That is the
; opposite of the standard CRC-32 table construction, so a stock CRC-32 routine will
; not reproduce these entries -- the routine must be copied as written.
004060C0 A9 01000000 test eax,1
004060C5 75 10 jnz short FC32b.004060D7
004060C7 90 nop
004060C8 90 nop
004060C9 90 nop
004060CA 90 nop
004060CB D1E8 shr eax,1
004060CD 35 2083B8ED xor eax,EDB88320
004060D2 EB 05 jmp short FC32b.004060D9
004060D4 90 nop
004060D5 90 nop
004060D6 90 nop
004060D7 D1E8 shr eax,1
004060D9 ^ E2 E5 loopd short FC32b.004060C0
004060DB AB stos dword ptr es:[edi] ; store entry, edi -= 4 (std)
004060DC 46 inc esi
004060DD 81FE 00010000 cmp esi,100
004060E3 ^ 75 D4 jnz short FC32b.004060B9
; --- Table-driven checksum over the same region (start [ebp+4032D2], length [ebp+4032D6],
; already decrypted by the pass above). The 32-bit state is kept as two 16-bit halves:
; low word in [ebp+4032DA] (bx), high word in [ebp+4032DC] (dx). Per byte:
;   idx   = (state_lo ^ byte) & FF
;   state = (state >> 8) ^ table[idx]      (shift done as 8x shr dx,1 / rcr bx,1)
; The final state is copied to [ebp+4032DE] and used as the KEY for the per-section
; decryption at 00406193, so this doubles as an integrity check: any byte-patch to the
; region changes the derived key and the sections decrypt to garbage.
004060E5 FC cld ; back to forward string ops after the table build
004060E6 66:C785 DA324000 >mov word ptr ss:[ebp+4032DA],0>
004060EF 66:C785 DC324000 >mov word ptr ss:[ebp+4032DC],0>
004060F8 8BB5 D2324000 mov esi,dword ptr ss:[ebp+4032>
004060FE 03B5 F2324000 add esi,dword ptr ss:[ebp+4032>
00406104 33DB xor ebx,ebx
00406106 33D2 xor edx,edx
00406108 66:8B9D DA324000 mov bx,word ptr ss:[ebp+4032DA>
0040610F 66:8B95 DC324000 mov dx,word ptr ss:[ebp+4032DC>
00406116 AC lods byte ptr ds:[esi]
00406117 32D8 xor bl,al
00406119 32FF xor bh,bh ; bx = idx (0..FF)
0040611B 66:D1E3 shl bx,1
0040611E 66:D1E3 shl bx,1 ; bx = idx * 4 (dword table)
00406121 81C3 52334000 add ebx,FC32b.00403352 ; ASCII "eA"
00406127 03DD add ebx,ebp
; Table entry fetched as two words: ax = low half, cx = high half. Remember the table
; was filled downward, so base + idx*4 holds the entry computed for index (FF - idx).
00406129 66:8B03 mov ax,word ptr ds:[ebx]
0040612C 66:8B4B 02 mov cx,word ptr ds:[ebx+2]
00406130 66:8B9D DA324000 mov bx,word ptr ss:[ebp+4032DA>
00406137 66:8B95 DC324000 mov dx,word ptr ss:[ebp+4032DC>
0040613E 51 push ecx
0040613F B9 08000000 mov ecx,8
00406144 66:D1EA shr dx,1
00406147 66:D1DB rcr bx,1 ; dx:bx >>= 1, eight times = state >> 8
0040614A ^ E2 F8 loopd short FC32b.00406144 循环的解套
0040614C 59 pop ecx
0040614D 66:33C3 xor ax,bx
00406150 66:33D1 xor dx,cx
00406153 66:8985 DA324000 mov word ptr ss:[ebp+4032DA],a>
0040615A 66:8995 DC324000 mov word ptr ss:[ebp+4032DC],d>
; Byte counter is the length field itself, decremented in place (it is consumed here).
00406161 FF8D D6324000 dec dword ptr ss:[ebp+4032D6]
00406167 ^ 75 9B jnz short FC32b.00406104 跳过,就可以了
; Checksum result becomes the key for every encrypted section (read at 00406193).
00406169 8B85 DA324000 mov eax,dword ptr ss:[ebp+4032>
0040616F 8985 DE324000 mov dword ptr ss:[ebp+4032DE],>
; --- Per-section decryption. ebx = section index, walked from 0 up to [ebp+4032FE].
; Section table at (00403302 + ebp), 8 bytes per entry: [+0] offset (RVA, presumably),
; [+4] byte length. Same cipher as the first pass (0040607C..004060A4), but the key is
; re-seeded for every section from the checksum stored in [ebp+4032DE].
00406175 33DB xor ebx,ebx
00406177 53 push ebx ; keep the index; ebx is clobbered as the table pointer / rotate byte
00406178 C1E3 03 shl ebx,3 ; index * 8
0040617B 03DD add ebx,ebp
0040617D 81C3 02334000 add ebx,FC32b.00403302
00406183 8B33 mov esi,dword ptr ds:[ebx]
00406185 03B5 F2324000 add esi,dword ptr ss:[ebp+4032>
0040618B 8BFE mov edi,esi ; in-place
0040618D 8B4B 04 mov ecx,dword ptr ds:[ebx+4]
00406190 C1E9 02 shr ecx,2 ; dword count (length is assumed 4-aligned; trailing bytes are left as-is)
00406193 8B85 DE324000 mov eax,dword ptr ss:[ebp+4032>
00406199 8985 DA324000 mov dword ptr ss:[ebp+4032DA],>
; Identical round to the first pass: plain = rol(cipher ^ key, key >> 24); key = rol(key, cipher byte 1).
0040619F 51 push ecx
004061A0 AD lods dword ptr ds:[esi]
004061A1 8A5E FD mov bl,byte ptr ds:[esi-3]
004061A4 3385 DA324000 xor eax,dword ptr ss:[ebp+4032>
004061AA 8B8D DA324000 mov ecx,dword ptr ss:[ebp+4032>
004061B0 C1E9 18 shr ecx,18
004061B3 D3C0 rol eax,cl
004061B5 AB stos dword ptr es:[edi]
004061B6 8B85 DA324000 mov eax,dword ptr ss:[ebp+4032>
004061BC 8ACB mov cl,bl
004061BE D3C0 rol eax,cl
004061C0 8985 DA324000 mov dword ptr ss:[ebp+4032DA],>
004061C6 59 pop ecx
004061C7 ^ E2 D6 loopd short FC32b.0040619F
004061C9 5B pop ebx ; restore section index
004061CA 43 inc ebx
004061CB 3B9D FE324000 cmp ebx,dword ptr ss:[ebp+4032>
004061D1 ^ 75 A4 jnz short FC32b.00406177
; --- Base relocation fixups. delta = actual base ([ebp+4032F2]) - linked base ([ebp+4032F6]).
; A delta of zero means the image is at its preferred address and nothing needs patching.
004061D3 8B85 F2324000 mov eax,dword ptr ss:[ebp+4032>
004061D9 8B9D F6324000 mov ebx,dword ptr ss:[ebp+4032>
004061DF 2BC3 sub eax,ebx
004061E1 0F84 AC000000 je FC32b.00406293
; [ebp+4032DA] is reused as a running byte count of relocation data consumed (reset to 0 here,
; accumulated at 00406210, compared against the total in [ebp+4032E6] at 00406287).
004061E7 C785 DA324000 000>mov dword ptr ss:[ebp+4032DA],>
004061F1 8985 EA324000 mov dword ptr ss:[ebp+4032EA],> ; keep a copy of delta
004061F7 8BD0 mov edx,eax ; edx = delta for the whole walk
; esi = relocation data ([ebp+4032E2] + base). Block layout as read here: dword page RVA,
; dword size, then 16-bit entries -- the same shape as a PE IMAGE_BASE_RELOCATION block.
004061F9 8BB5 E2324000 mov esi,dword ptr ss:[ebp+4032>
004061FF 03B5 F2324000 add esi,dword ptr ss:[ebp+4032>
00406205 8B3E mov edi,dword ptr ds:[esi]
00406207 03BD F2324000 add edi,dword ptr ss:[ebp+4032> ; edi = page base in memory
0040620D 8B4E 04 mov ecx,dword ptr ds:[esi+4] ; ecx = block size
00406210 018D DA324000 add dword ptr ss:[ebp+4032DA],> ; running total += block size (operand truncated; presumably ecx)
00406216 83C6 08 add esi,8 ; skip the 8-byte block header
; NOTE(review): ecx is not reduced by the 8 header bytes just skipped, and the loop at
; 0040627C consumes ecx/2 entries. That is only correct if the size field counts entry
; bytes alone (the packer's own table format), not a PE SizeOfBlock that includes the
; header -- cannot be confirmed from this listing.
00406219 66:AD lods word ptr ds:[esi]
0040621B 0FB7C0 movzx eax,ax
0040621E 57 push edi
0040621F 8BD8 mov ebx,eax
00406221 66:C1EB 0C shr bx,0C ; bl = entry type (high 4 bits)
00406225 25 FF0F0000 and eax,0FFF ; eax = offset within page (low 12 bits)
0040622A 03F8 add edi,eax
0040622C 8B07 mov eax,dword ptr ds:[edi] ; eax = value to fix up
; Type dispatch matches the IMAGE_REL_BASED_* encoding: 0 ABSOLUTE (no-op padding),
; 1 HIGH, 2 LOW, 3 HIGHLOW. Any other type falls through to 0040627B unchanged.
0040622E 80FB 00 cmp bl,0
00406231 74 48 je short FC32b.0040627B
00406233 90 nop
00406234 90 nop
00406235 90 nop
00406236 90 nop
00406237 80FB 01 cmp bl,1
0040623A 75 1A jnz short FC32b.00406256
0040623C 90 nop
0040623D 90 nop
0040623E 90 nop
0040623F 90 nop
; HIGH: swap halves, add the high words, swap back -> only the upper 16 bits of the
; target receive the upper 16 bits of delta.
00406240 C1C8 10 ror eax,10
00406243 C1CA 10 ror edx,10
00406246 66:03C2 add ax,dx
00406249 C1C0 10 rol eax,10
0040624C C1C2 10 rol edx,10
0040624F 8907 mov dword ptr ds:[edi],eax
00406251 EB 28 jmp short FC32b.0040627B
00406253 90 nop
00406254 90 nop
00406255 90 nop
00406256 80FB 02 cmp bl,2
00406259 75 0E jnz short FC32b.00406269
0040625B 90 nop
0040625C 90 nop
0040625D 90 nop
0040625E 90 nop
; LOW: add the low word of delta to the low word of the target.
0040625F 66:03C2 add ax,dx
00406262 8907 mov dword ptr ds:[edi],eax
00406264 EB 15 jmp short FC32b.0040627B
00406266 90 nop
00406267 90 nop
00406268 90 nop
00406269 80FB 03 cmp bl,3
0040626C 75 0D jnz short FC32b.0040627B
0040626E 90 nop
0040626F 90 nop
00406270 90 nop
00406271 90 nop
; HIGHLOW: full 32-bit add of delta.
00406272 03C2 add eax,edx
00406274 8907 mov dword ptr ds:[edi],eax
00406276 EB 03 jmp short FC32b.0040627B
00406278 90 nop
00406279 90 nop
0040627A 90 nop
0040627B 5F pop edi ; back to the page base for the next entry
0040627C 83E9 02 sub ecx,2 ; one 16-bit entry consumed
0040627F ^ 75 98 jnz short FC32b.00406219
; Next block until the consumed byte count reaches the total size (unsigned compare).
00406281 8B85 DA324000 mov eax,dword ptr ss:[ebp+4032>
00406287 3B85 E6324000 cmp eax,dword ptr ss:[ebp+4032>
0040628D ^ 0F82 72FFFFFF jb FC32b.00406205
; --- Stub exit: eax = base + [ebp+4032FA] (OEP RVA), restore the registers saved at
; 00406000..00406005 in reverse order, then transfer to the original entry point.
; This `jmp eax` is the point where control leaves the packer; a hardware breakpoint on
; the saved-register stack slot (as the script below does) stops just before it.
00406293 8B85 F2324000 mov eax,dword ptr ss:[ebp+4032>
00406299 8B9D FA324000 mov ebx,dword ptr ss:[ebp+4032>
0040629F 03C3 add eax,ebx
004062A1 5D pop ebp
004062A2 5F pop edi
004062A3 5E pop esi
004062A4 5A pop edx
004062A5 59 pop ecx
004062A6 5B pop ebx
004062A7 FFE0 jmp eax 查看eax:eax=004019C0 (FC32b.004019C0)
; --- Raw bytes at the OEP before OllyDbg re-analyses them as code. They are the same
; bytes decoded at 004019C0..004019CC below: 6A 00 = push 0, E8 DD 01 00 00 = call,
; A3 10 28 40 00 = mov [402810],eax, 33 = first byte of xor eax,eax.
004019C0 6A db 6A ; CHAR 'j'
004019C1 00 db 00
004019C2 E8 db E8
004019C3 DD db DD
004019C4 01 db 01
004019C5 00 db 00
004019C6 00 db 00
004019C7 A3 db A3
004019C8 10 db 10
004019C9 28 db 28 ; CHAR '('
004019CA 40 db 40 ; CHAR '@'
004019CB 00 db 00
004019CC 33 db 33 ; CHAR '3'
分析代码:
; --- Original entry point (004019C0): GetModuleHandleA(NULL), hInstance stored at 402810.
; ax = 64h (100 decimal) is then pushed as the dialog template id. The five pushes match
; the argument order of DialogBoxParamA(hInst, pTemplate, hOwner, DlgProc, lParam); the
; call itself is beyond the end of this listing, so treat that identification as likely,
; not confirmed.
004019C0 . 6A 00 push 0 ; |/pModule = NULL
004019C2 . E8 DD010000 call ; |\GetModuleHandleA
004019C7 . A3 10284000 mov dword ptr ds:[402810],eax ; |
004019CC . 33C0 xor eax,eax ; |
004019CE . 66:B8 6400 mov ax,64 ; |
004019D2 . 6A 00 push 0 ; |/lParam = NULL
004019D4 . 68 EC194000 push FC32b.004019EC ; ||DlgProc = FC32b.004019EC
004019D9 . 6A 00 push 0 ; ||hOwner = NULL
004019DB . 50 push eax ; ||pTemplate
; OllyDbg's "hInst = NULL" is a static guess: at run time [402810] holds the handle
; written by the mov at 004019C7.
004019DC . FF35 10284000 push dword ptr ds:[402810] ; ||hInst = NULL
004019C0 就是 OEP,dump 后,能正常运行。
【脱壳脚本】
/*
//////////////////////////////////////////////////
PC PE Encryptor alpha preview -> The +Q, Plushmm & Mr. Nop OEP finder
Author : stasi[DCM][BCG][DFCG][FCG][OCN][CZG][D.4s]
Email : [email]stasi@163.com[/email]
Homepage: http://stasi.7169.com
OS : Win2kADV sp4,OllyDbg 1.1c,OllyScript v0.92
Date : 2004-11-0
Config : Exceptions: uncheck all.
Note : If you have any questions, please email me. Thank you!
//////////////////////////////////////////////////
*/
// OllyScript OEP finder for this stub. Run from the packer entry (00406000 in the
// listing above) with all exceptions unchecked (see Config above).
// Strategy: let the stub run to its final register pops and catch the first read of
// the saved-register area on the stack, then step through the pops and the jmp eax.
var stasi                               // holds the stack pointer after the six initial pushes
lblset:
// Version gate: continue when the running OllyScript reports a version above 0.9,
// otherwise ask the user whether to proceed ($RESULT 0 = No).
cmp $VERSION, "0.9"
ja start
msgyn "Your ollyscript is too old,maybe have something wrong,Continue?"
cmp $RESULT,0
je end
jmp start
start:
// Six step-overs execute the six pushes at 00406000..00406005; esp now points at the
// slot holding the saved ebp (the first value the stub will pop at 004062A1).
sto
sto
sto
sto
sto
sto
mov stasi,esp
// Hardware breakpoint on READ of that slot. Per the listing, every later push/pop in the
// stub is balanced below this address, so the first read is `pop ebp` at 004062A1.
bphws stasi,"r"
run
// The data breakpoint triggers after `pop ebp`; six more step-overs cover pop edi..pop ebx
// and the `jmp eax` at 004062A7, leaving eip at the original entry point.
sto
sto
sto
sto
sto
sto
BPHWC stasi                             // remove the hardware breakpoint again
an eip                                  // re-analyse so the OEP bytes are shown as code
log eip
jmp lblend
lblend:
cmt eip, "here is the OEP of PC PE Encryptor alpha preview!"
msg "Script by stasi[DCM][BCG][DFCG][FCG][OCN][CZG][D.4s],Thank you for using my Scripts!"
jmp end
end:
ret
//the end! --------------------------------------------------------------------------------
【破解总结】 没什么技巧可言......发现还没有脱壳脚本,用Oscedit补上个。
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!