绿鹰PC万能精灵3.00的脱壳-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

绿鹰PC万能精灵3.00的脱壳

发表于: 2004-11-23 20:14 4620

绿鹰PC万能精灵3.00的脱壳

lee

2004-11-23 20:14

4620

【脱文标题】绿鹰PC万能精灵3.00

【脱文作者】 lee

【作者邮箱】 [email]cracker_lee@126.com[/email]

【使用工具】 Peid,Ollydbg

【脱壳平台】 WinXP

【加壳方式】 PECompact 1.68 - 1.84 -> Jeremy Collake

0045E590 s> /EB 06             jmp short system.0045E598
0045E592 |68 A2AE0200       push 2AEA2
0045E597 |C3                retn
0045E598 \9C                pushfd
0045E599    60                pushad
0045E59A    E8 02000000       call system.0045E5A1  //按F7跟进，否则程序就运行
0045E59F    33C0             xor eax,eax
0045E5A1    8BC4             mov eax,esp //跳到这里
0045E5A3    83C0 04          add eax,4
0045E5A6    93                xchg eax,ebx
0045E5A7    8BE3             mov esp,ebx
0045E5A9    8B5B FC          mov ebx,dword ptr ds:[ebx-4]
0045E5AC    81EB 3F904000    sub ebx,system.0040903F
0045E5B2    87DD             xchg ebp,ebx
0045E5B4    8B85 E6904000    mov eax,dword ptr ss:[ebp+4090E6]
0045E5BA    0185 33904000    add dword ptr ss:[ebp+409033],eax
0045E5C0    66:C785 30904000 90>mov word ptr ss:[ebp+409030],9090
0045E5C9    0185 DA904000    add dword ptr ss:[ebp+4090DA],eax
0045E5CF    0185 DE904000    add dword ptr ss:[ebp+4090DE],eax
0045E5D5    0185 E2904000    add dword ptr ss:[ebp+4090E2],eax
0045E5DB    BB 7B110000       mov ebx,117B
0045E5E0    039D EA904000    add ebx,dword ptr ss:[ebp+4090EA]
0045E5E6    039D E6904000    add ebx,dword ptr ss:[ebp+4090E6]
---------------一直向前走--------------------------------------
0056B17B    BD CF201600       mov ebp,1620CF    //返回到这里
0056B180    8BF7             mov esi,edi
0056B182    83C6 54          add esi,54
0056B185    81C7 FF100000    add edi,10FF
0056B18B    56                push esi
0056B18C    57                push edi
0056B18D    57                push edi
0056B18E    56                push esi
0056B195    8BC8             mov ecx,eax
0056B197    5E                pop esi
0056B198    5F                pop edi
0056B199    8BC1             mov eax,ecx
0056B19B    C1F9 02          sar ecx,2
0056B19E    F3:A5             rep movs dword ptr es:[edi],dword>
0056B1A0    03C8             add ecx,eax
0056B1A2    83E1 03          and ecx,3
0056B1A5    F3:A4             rep movs byte ptr es:[edi],byte p>
0056B1A7    EB 26             jmp short system.0056B1CF //按F8跳

0056B1CF    8BB5 E6904000    mov esi,dword ptr ss:[ebp+4090E6] ; //到这里
0056B1D5    56                push esi
0056B1D6    03B5 EE904000    add esi,dword ptr ss:[ebp+4090EE]
0056B1DC    83C6 14          add esi,14
-------------------一直向前走------------------
0056B20A    019D 83944000    add dword ptr ss:[ebp+409483],ebx
0056B210    8BB5 DE904000    mov esi,dword ptr ss:[ebp+4090DE]
0056B216    80BD 6B9D4000 C3 cmp byte ptr ss:[ebp+409D6B],0C3
0056B21D    74 2E             je short system.0056B24D //F8跳

0056B24D    57                push edi                   //到这里
0056B24E    AD                lods dword ptr ds:[esi]
0056B24F    85C0             test eax,eax
0056B251    0F84 9B000000    je system.0056B2F2
0056B257    8BD0             mov edx,eax
------------------一直向前走------------------------
0056B2AA /74 07             je short system.0056B2B3
0056B2AC |8BC8             mov ecx,eax
0056B2AE |5E                pop esi
0056B2AF |5F                pop edi
0056B2B0 ^|EB 9B             jmp short system.0056B24D  //F7跟进
0056B2B2    B9 E8000000       mov ecx,0E8 //不能按F4到这里，否则程序会运行

0056B24D    57                push edi //到这里
0056B24E    AD                lods dword ptr ds:[esi]
0056B24F    85C0             test eax,eax
0056B251    0F84 9B000000    je system.0056B2F2  //仔细观察后。。。直接回车到

0056B2F2    5F                pop edi//到这里，按F2下中断，按F9运行，然后取消中断
0056B2F3    8BB5 E2904000    mov esi,dword ptr ss:[ebp+4090E2]
0056B2F9    AD                lods dword ptr ds:[esi]
-------------------一直向前走-----------------------------
0056B363    C1F9 02          sar ecx,2
0056B366    F3:AB             rep stos dword ptr es:[edi]
0056B368    03CA             add ecx,edx
0056B36A    83E1 03          and ecx,3
0056B36D    F3:AA             rep stos byte ptr es:[edi]
0056B36F    5F                pop edi
0056B370 ^ EB 87             jmp short system.0056B2F9 //F7跟进
0056B372    0F6800             punpckhbw mm0,qword ptr ds:[eax]//不能按F4，否则程序会运行

0056B2F9    AD                lods dword ptr ds:[esi]  //到这里
0056B2FA    83F8 FF          cmp eax,-1
0056B2FD    74 74             je short system.0056B373  //直接回车
0056B2FF    0385 E6904000    add eax,dword ptr ss:[ebp+4090E6]
0056B305    8BD8             mov ebx,eax

0056B373    68 00400000       push 4000  //到这里，按F2下中断，按F9运行，然后取消中断
0056B378    6A 00             push 0
0056B37A    57                push edi
0056B37B    FF95 45974000    call dword ptr ss:[ebp+409745]
0056B381    8BBD 3C964000    mov edi,dword ptr ss:[ebp+40963C]
0056B387    03BD E6904000    add edi,dword ptr ss:[ebp+4090E6]
0056B38D    8B8D 40964000    mov ecx,dword ptr ss:[ebp+409640]
------------------------一直向前走----------------------------------
0056B3AB /76 38             jbe short system.0056B3E5
0056B3AD |66:3D 1725       cmp ax,2517
0056B3B1 |74 51             je short system.0056B404
0056B3B3 |3C 27             cmp al,27
0056B3B5 |75 0A             jnz short system.0056B3C1 //F8跳
0056B3B7 |80FC 80          cmp ah,80
0056B3BA    72 05             jb short system.0056B3C1
0056B3BC    80FC 8F          cmp ah,8F
0056B3BF    76 05             jbe short system.0056B3C6
0056B3C1    47                inc edi
0056B3C2    43                inc ebx
0056B3C3 ^ EB DA             jmp short system.0056B39F//按F7跟进
0056B3C5    B8 8B47023C       mov eax,3C02478B//不能按F4，否则程序会运行

0056B3A0 /74 72             je short system.0056B414//到这里
0056B3A2 |78 70             js short system.0056B414//直接回车
0056B3A4 |66:8B07          mov ax,word ptr ds:[edi]
0056B3A7 |2C E8             sub al,0E8

0056B414    5F                pop edi//到这里，按F2下中断，按F9运行，然后取消中断
0056B415    59                pop ecx
0056B416    33C0             xor eax,eax
0056B418    85C9             test ecx,ecx
------------------------一直向前走--------------------------------
0056B438    33C3             xor eax,ebx
0056B43A    83C6 04          add esi,4
0056B43D    83E9 04          sub ecx,4
0056B440    74 15             je short system.0056B457
0056B442    83F9 04          cmp ecx,4
0056B445 ^ 73 E8             jnb short system.0056B42F
0056B447    BA 04000000       mov edx,4          //F4到这里
0056B44C    2BD1             sub edx,ecx
0056B44E    2BF2             sub esi,edx
0056B450    B9 04000000       mov ecx,4
0056B455 ^ EB D8             jmp short system.0056B42F
0056B457    3B85 67974000    cmp eax,dword ptr ss:[ebp+409767]//F4到这里
0056B45D    74 4D             je short system.0056B4AC  //F8跳

0056B4AC    E8 A1010000       call system.0056B652 //到这里
0056B4B1    E8 A3000000       call system.0056B559
0056B4B6    73 6B             jnb short system.0056B523 //F8跳
0056B4B8    E8 56020000       call system.0056B713

0056B523    80BD 6B9F4000 C3 cmp byte ptr ss:[ebp+409F6B],0C3 //到这里
0056B52A    74 22             je short system.0056B54E    //F8跳
0056B52C    8D95 6BA14000    lea edx,dword ptr ss:[ebp+40A16B]
0056B532    6A 40             push 40
0056B534    52                push edx
0056B535    FFB5 3D974000    push dword ptr ss:[ebp+40973D]
0056B53B    FFB5 39974000    push dword ptr ss:[ebp+409739]
0056B541    E8 F40A0000       call system.0056C03A
0056B546    85C0             test eax,eax
0056B548 ^ 0F85 9DFDFFFF    jnz system.0056B2EB
0056B54E    61                popad //到这里
0056B54F    9D                popfd //入口点就在附近
0056B550    50                push eax
0056B551    68 A2AE4200       push system.0042AEA2
0056B556    C2 0400          retn 4 //返回
0056B559    8BB5 5B974000    mov esi,dword ptr ss:[ebp+40975B]

0042AEA2    55                push ebp  //到这里，点击右键，选择脱壳当前进程
0042AEA3    8BEC             mov ebp,esp
0042AEA5    6A FF             push -1
0042AEA7    68 885D4300       push system.00435D88
0042AEAC    68 0CB04200       push system.0042B00C             ; jmp to MSVCRT._except_handler3

脱壳完后发现是用VC++写的。。。小弟第一次学手动脱壳。。。今天学了一天。。。晚上才做出这个。。

请高手指教！！！

[培训]《安卓高级研修班(网课)》月薪三万计划，掌握调试、分析还原ollvm、vmp的方法，定制art虚拟机自动化脱壳的方法

收藏・0

免费・1

支持

最新回复 (3)
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 2 楼鼓励一下 :D 《看雪论坛精华5》里面有DiKeN老大写的旧版PECompact相关教程 2004-11-23 20:25 0
kyc 雪币： 389 活跃值： (912) 能力值： ( LV9，RANK：770 ) 在线值：发帖 43 回帖 550 粉丝 2 关注私信	kyc 19 3 楼绿鹰PC万能精灵3.5 00424D32 svi>/$ B8 1C3B5600 mov eax,svi.00563B1C 00424D37 \|. 50 push eax 00424D38 \|? 64:FF35 00000000 push dword ptr fs:[0] 00424D3F \|? 64:8925 00000000 mov dword ptr fs:[0],esp 00424D3F----> f8到这后 d 0012ffbc 0012FFBC E0 FF 12 00 硬件写入断点DWORD F9 00563B4B 83C4 04 add esp,4 00563B4E 55 push ebp 00563B4F 53 push ebx 00563B50 51 push ecx 00563B51 57 push edi 00563B52 56 push esi 00563B53 52 push edx 00563B54 8D98 32113E00 lea ebx,dword ptr ds:[eax+3E1132] 00563B5A 8B53 18 mov edx,dword ptr ds:[ebx+18] 00563B5D 52 push edx 00563B5E 8BE8 mov ebp,eax 00563B60 6A 40 push 40 00563B62 68 00100000 push 1000 00563B67 FF73 04 push dword ptr ds:[ebx+4] 00563B6A 6A 00 push 0 00563B6C 8B4B 10 mov ecx,dword ptr ds:[ebx+10] 00563B6F 03CA add ecx,edx 00563B71 8B01 mov eax,dword ptr ds:[ecx] 00563B73 FFD0 call eax 00563B75 5A pop edx 00563B76 8BF8 mov edi,eax 00563B78 50 push eax 00563B79 52 push edx 00563B7A 8B33 mov esi,dword ptr ds:[ebx] 00563B7C 8B43 20 mov eax,dword ptr ds:[ebx+20] 00563B7F 03C2 add eax,edx 00563B81 8B08 mov ecx,dword ptr ds:[eax] 00563B83 894B 20 mov dword ptr ds:[ebx+20],ecx 00563B86 8B43 1C mov eax,dword ptr ds:[ebx+1C] 00563B89 03C2 add eax,edx 00563B8B 8B08 mov ecx,dword ptr ds:[eax] 00563B8D 894B 1C mov dword ptr ds:[ebx+1C],ecx 00563B90 03F2 add esi,edx 00563B92 8B4B 0C mov ecx,dword ptr ds:[ebx+C] 00563B95 03CA add ecx,edx 00563B97 8D43 1C lea eax,dword ptr ds:[ebx+1C] 00563B9A 50 push eax 00563B9B 57 push edi 00563B9C 56 push esi 00563B9D FFD1 call ecx 00563B9F 5A pop edx 00563BA0 58 pop eax 00563BA1 0343 08 add eax,dword ptr ds:[ebx+8] 00563BA4 8BF8 mov edi,eax 00563BA6 52 push edx 00563BA7 8BF0 mov esi,eax 00563BA9 8B46 FC mov eax,dword ptr ds:[esi-4] 00563BAC 83C0 04 add eax,4 00563BAF 2BF0 sub esi,eax 00563BB1 8956 08 mov dword ptr ds:[esi+8],edx 00563BB4 8B4B 10 mov ecx,dword ptr ds:[ebx+10] 00563BB7 894E 24 mov dword ptr ds:[esi+24],ecx 00563BBA 8B4B 14 mov ecx,dword ptr ds:[ebx+14] 00563BBD 51 push ecx 00563BBE 894E 28 mov dword ptr ds:[esi+28],ecx 00563BC1 8B4B 0C mov ecx,dword ptr ds:[ebx+C] 00563BC4 894E 14 mov dword ptr ds:[esi+14],ecx 00563BC7 FFD7 call edi 00563BC9 8985 23123E00 mov dword ptr ss:[ebp+3E1223],eax 00563BCF 8BF0 mov esi,eax 00563BD1 59 pop ecx 00563BD2 5A pop edx 00563BD3 03CA add ecx,edx 00563BD5 68 00800000 push 8000 00563BDA 6A 00 push 0 00563BDC 57 push edi 00563BDD FF11 call dword ptr ds:[ecx] 00563BDF 8BC6 mov eax,esi 00563BE1 5A pop edx 00563BE2 5E pop esi 00563BE3 5F pop edi 00563BE4 59 pop ecx 00563BE5 5B pop ebx 00563BE6 5D pop ebp 00563BE7 FFE0 jmp eax 这里下断 F9 F8 OK 2004-12-26 20:17 0
linhanshi 雪币： 93908 活跃值： (200199) 能力值： (RANK：10 ) 在线值：发帖 9213 回帖 27805 粉丝 446 关注私信	linhanshi 4 楼支持!!! 2004-12-26 20:19 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

lee

发帖

225

回帖

130

RANK

关注

私信

他的文章

[求助]求ARM反汇编教程 10998

关于我们

联系我们

企业服务

看雪公众号

最新回复 (3)
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 2 楼鼓励一下 :D 《看雪论坛精华5》里面有DiKeN老大写的旧版PECompact相关教程 2004-11-23 20:25 0
kyc 雪币： 389 活跃值： (912) 能力值： ( LV9，RANK：770 ) 在线值：发帖 43 回帖 550 粉丝 2 关注私信	kyc 19 3 楼绿鹰PC万能精灵3.5 00424D32 svi>/$ B8 1C3B5600 mov eax,svi.00563B1C 00424D37 \|. 50 push eax 00424D38 \|? 64:FF35 00000000 push dword ptr fs:[0] 00424D3F \|? 64:8925 00000000 mov dword ptr fs:[0],esp 00424D3F----> f8到这后 d 0012ffbc 0012FFBC E0 FF 12 00 硬件写入断点DWORD F9 00563B4B 83C4 04 add esp,4 00563B4E 55 push ebp 00563B4F 53 push ebx 00563B50 51 push ecx 00563B51 57 push edi 00563B52 56 push esi 00563B53 52 push edx 00563B54 8D98 32113E00 lea ebx,dword ptr ds:[eax+3E1132] 00563B5A 8B53 18 mov edx,dword ptr ds:[ebx+18] 00563B5D 52 push edx 00563B5E 8BE8 mov ebp,eax 00563B60 6A 40 push 40 00563B62 68 00100000 push 1000 00563B67 FF73 04 push dword ptr ds:[ebx+4] 00563B6A 6A 00 push 0 00563B6C 8B4B 10 mov ecx,dword ptr ds:[ebx+10] 00563B6F 03CA add ecx,edx 00563B71 8B01 mov eax,dword ptr ds:[ecx] 00563B73 FFD0 call eax 00563B75 5A pop edx 00563B76 8BF8 mov edi,eax 00563B78 50 push eax 00563B79 52 push edx 00563B7A 8B33 mov esi,dword ptr ds:[ebx] 00563B7C 8B43 20 mov eax,dword ptr ds:[ebx+20] 00563B7F 03C2 add eax,edx 00563B81 8B08 mov ecx,dword ptr ds:[eax] 00563B83 894B 20 mov dword ptr ds:[ebx+20],ecx 00563B86 8B43 1C mov eax,dword ptr ds:[ebx+1C] 00563B89 03C2 add eax,edx 00563B8B 8B08 mov ecx,dword ptr ds:[eax] 00563B8D 894B 1C mov dword ptr ds:[ebx+1C],ecx 00563B90 03F2 add esi,edx 00563B92 8B4B 0C mov ecx,dword ptr ds:[ebx+C] 00563B95 03CA add ecx,edx 00563B97 8D43 1C lea eax,dword ptr ds:[ebx+1C] 00563B9A 50 push eax 00563B9B 57 push edi 00563B9C 56 push esi 00563B9D FFD1 call ecx 00563B9F 5A pop edx 00563BA0 58 pop eax 00563BA1 0343 08 add eax,dword ptr ds:[ebx+8] 00563BA4 8BF8 mov edi,eax 00563BA6 52 push edx 00563BA7 8BF0 mov esi,eax 00563BA9 8B46 FC mov eax,dword ptr ds:[esi-4] 00563BAC 83C0 04 add eax,4 00563BAF 2BF0 sub esi,eax 00563BB1 8956 08 mov dword ptr ds:[esi+8],edx 00563BB4 8B4B 10 mov ecx,dword ptr ds:[ebx+10] 00563BB7 894E 24 mov dword ptr ds:[esi+24],ecx 00563BBA 8B4B 14 mov ecx,dword ptr ds:[ebx+14] 00563BBD 51 push ecx 00563BBE 894E 28 mov dword ptr ds:[esi+28],ecx 00563BC1 8B4B 0C mov ecx,dword ptr ds:[ebx+C] 00563BC4 894E 14 mov dword ptr ds:[esi+14],ecx 00563BC7 FFD7 call edi 00563BC9 8985 23123E00 mov dword ptr ss:[ebp+3E1223],eax 00563BCF 8BF0 mov esi,eax 00563BD1 59 pop ecx 00563BD2 5A pop edx 00563BD3 03CA add ecx,edx 00563BD5 68 00800000 push 8000 00563BDA 6A 00 push 0 00563BDC 57 push edi 00563BDD FF11 call dword ptr ds:[ecx] 00563BDF 8BC6 mov eax,esi 00563BE1 5A pop edx 00563BE2 5E pop esi 00563BE3 5F pop edi 00563BE4 59 pop ecx 00563BE5 5B pop ebx 00563BE6 5D pop ebp 00563BE7 FFE0 jmp eax 这里下断 F9 F8 OK 2004-12-26 20:17 0
linhanshi 雪币： 93908 活跃值： (200199) 能力值： (RANK：10 ) 在线值：发帖 9213 回帖 27805 粉丝 446 关注私信	linhanshi 4 楼支持!!! 2004-12-26 20:19 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复