【Crack author】 落魄浪子
【Author's e-mail】 zxy223_szb@21cn.net
【Tools used】 OD
【Platform】 XP
【Software】 Port Explorer
【Download】
http://www.diamondcs.com.au/portexplorer/
【Description】 A port viewer
【Packer】 PECompact 2.x -> Jeremy Collake
【Statement】 I'm just a newbie; I've picked up a few insights and want to share them with everyone :)
--------------------------------------------------------------------------------
【Cracking notes】
Unpacking is simple, so I won't go into it here. After unpacking, the moment I ran it, it closed every program I had open and logged Windows off; during debugging one careless step and it shut down my computer.
A perverse program, but still fairly gentle.....
004202B8 > \E8 4806FFFF call PortExpl.00410905
004202BD . 85C0 test eax,eax
004202BF . 74 1D je short PortExpl.004202DE checks whether the program is being debugged; if it doesn't jump, then.....
004202C1 . 53 push ebx ; /Style
004202C2 . 68 88C44400 push PortExpl.0044C488 ; |Title = "Error"
004202C7 . 68 2CC44400 push PortExpl.0044C42C ; |Text = "Port Explorer does not run under the context of a debugger.
Port Explorer will now close."
004202CC . 53 push ebx ; |hOwner
004202CD . FF15 A8334300 call dword ptr ds:[<&user32.#477>] ; \MessageBoxA
004202D3 . E8 72770000 call PortExpl.00427A4A
004202D8 . 53 push ebx
004202D9 . E8 0BB50000 call PortExpl.0042B7E9
004202DE > 8D85 10FEFFFF lea eax,dword ptr ss:[ebp-1F0]
004202E4 . 50 push eax
004202E5 . 68 BAFF4100 push PortExpl.0041FFBA ; entry address
004202EA . E8 CC810000 call PortExpl.004284BB this CALL dynamically generates the code below at 420300~420947; step over it with F8 and the code below appears; NOP it out
004202EF . 59 pop ecx once the code is decompressed, use LordPE to dump the region 4202ef~420956, 666 bytes in total
004202F0 . 59 pop ecx
004202F1 . 68 B0B0B0B0 push B0B0B0B0
004202F6 . 58 pop eax
004202F7 . 68 A0A0A0A0 push A0A0A0A0
............................
0042093A . CA 6BCD retf 0CD6B
0042093D . BE 6BE3CA6F mov esi,6FCAE36B
00420942 ? FF68 B0 jmp far fword ptr ds:[eax-50]
00420945 ? B0 B0 mov al,0B0
00420947 ? B0 58 mov al,58
00420949 . 68 A0A0A0A0 push A0A0A0A0
00420956 . 68 BAFF4100 push PortExpl.0041FFBA ; entry address
0042095B . E8 5B7B0000 call PortExpl.004284BB this CALL also dynamically rewrites the code above; NOP it out
00420960 . 8B45 08 mov eax,dword ptr ss:[ebp+8]
00420963 . 59 pop ecx ; PortExpl.0041FFBA
Use WinHex to paste the dumped code back over 004202ef~00420956, 666 bytes in total
00420558 . FFD6 call esi ; \GetProcAddress
0042055A . 3BFB cmp edi,ebx
0042055C . 8945 EC mov dword ptr ss:[ebp-14],eax
0042055F . 0F84 95000000 je PortExpl.004205FA
00420565 . 395D A8 cmp dword ptr ss:[ebp-58],ebx
00420568 . 0F84 8C000000 je PortExpl.004205FA
0042056E . 395D F8 cmp dword ptr ss:[ebp-8],ebx
00420571 . 0F84 83000000 je PortExpl.004205FA
00420577 . 3BC3 cmp eax,ebx
00420579 . 74 7F je short PortExpl.004205FA
004205A1 . FF55 A8 call dword ptr ss:[ebp-58] ; kernel32.GetFileSize
004205A4 . 3D 801A0600 cmp eax,61A80
004205A9 . 76 1F jbe short PortExpl.004205CA ; this must jump; if it doesn't, look below and see what happens
004205AB > E8 56770000 call PortExpl.00427D06
004205B0 . 50 push eax ; /ProcessId
004205B1 . 53 push ebx ; |Inheritable
004205B2 . 6A 01 push 1 ; |Access = TERMINATE
004205B4 . FF15 80314300 call dword ptr ds:[<&kernel32.#629>>; \OpenProcess
004205BA . 53 push ebx
004205BB . 50 push eax
004205BC . FF55 EC call dword ptr ss:[ebp-14]
004205BF . F645 FD 08 test byte ptr ss:[ebp-3],8
004205C3 . 53 push ebx
004205C4 . 74 1E je short PortExpl.004205E4
004205C6 . 6A 05 push 5
004205C8 . EB 1C jmp short PortExpl.004205E6
004205CA > 53 push ebx
004205CB . 57 push edi
004205CC . FF55 A8 call dword ptr ss:[ebp-58]
004205CF . 3D 7F1A0600 cmp eax,61A7F
004205D4 .^ 77 D5 ja short PortExpl.004205AB
004205D6 . 53 push ebx
004205D7 . 57 push edi
004205D8 . FF55 A8 call dword ptr ss:[ebp-58]
004205DB . 3D 70F30500 cmp eax,5F370
004205E0 . 76 0C jbe short PortExpl.004205EE
004205E2 .^ EB C7 jmp short PortExpl.004205AB
004205E4 > 6A 0C push 0C
004205E6 > FF55 F8 call dword ptr ss:[ebp-8] ; USER32.ExitWindowsEx see that? heh, it shuts your machine down for you
............
004205CC . FF55 A8 call dword ptr ss:[ebp-58] ; kernel32.GetFileSize
004205CF . 3D 7F1A0600 cmp eax,61A7F
004205D4 .^ 77 D5 ja short PortExpl.004205AB must not jump
004205D6 . 53 push ebx
004205D7 . 57 push edi
004205D8 . FF55 A8 call dword ptr ss:[ebp-58] ; kernel32.GetFileSize
004205DB . 3D 70F30500 cmp eax,5F370
004205E0 . 76 0C jbe short PortExpl.004205EE change this to jump
........
004207AA . E8 2A490000 call PortExpl.004250D9
004207AF . 3B45 EC cmp eax,dword ptr ss:[ebp-14]
004207B2 . 59 pop ecx
004207B3 . 59 pop ecx
004207B4 . 8945 E0 mov dword ptr ss:[ebp-20],eax
004207B7 . 74 18 je short PortExpl.004207D1 change to jump
004207B9 . 53 push ebx ; /Style
004207BA . 8D45 88 lea eax,dword ptr ss:[ebp-78] ; |
004207BD . 53 push ebx ; |Title
004207BE . 50 push eax ; |Text
004207BF . 53 push ebx ; |hOwner
004207C0 . FF15 A8334300 call dword ptr ds:[<&user32.#477>] ; \MessageBoxA
004207C6 . 53 push ebx
004207C7 . B8 00E3FD7F mov eax,7FFDE300
004207CC . FF75 F8 push dword ptr ss:[ebp-8]
004207CF . FFD0 call eax
004207D1 > 8B7D EC mov edi,dword ptr ss:[ebp-14]
004207D4 . 397D E0 cmp dword ptr ss:[ebp-20],edi
004207D7 . 73 1B jnb short PortExpl.004207F4 change to jump
004207D9 . 53 push ebx ; /Style
004207DA . 8D45 88 lea eax,dword ptr ss:[ebp-78] ; |
004207DD . 53 push ebx ; |Title
004207DE . 50 push eax ; |Text
004207DF . 53 push ebx ; |hOwner
004207E0 . FF15 A8334300 call dword ptr ds:[<&user32.#477>] ; \MessageBoxA
004207E6 . 53 push ebx
004207E7 . B8 10400080 mov eax,80004010
004207EC . FF75 F8 push dword ptr ss:[ebp-8]
004207EF . FFD0 call eax
004207F1 . 397D E0 cmp dword ptr ss:[ebp-20],edi
004207F4 > 76 18 jbe short PortExpl.0042080E change to jump
004207F6 . 53 push ebx ; /Style
004207F7 . 8D45 88 lea eax,dword ptr ss:[ebp-78] ; |
004207FA . 53 push ebx ; |Title
004207FB . 50 push eax ; |Text
004207FC . 53 push ebx ; |hOwner
004207FD . FF15 A8334300 call dword ptr ds:[<&user32.#477>] ; \MessageBoxA
00420803 . 53 push ebx
00420804 . B8 10A01080 mov eax,8010A010
00420809 . FF75 F8 push dword ptr ss:[ebp-8]
0042080C . FFD0 call eax
0042080E > FF75 FC push dword ptr ss:[ebp-4]
............
004209BA . 68 BAFF4100 push PortExpl.0041FFBA ; entry address
004209BF . 899D C8FEFFFF mov dword ptr ss:[ebp-138],ebx
004209C5 . 899D DCFEFFFF mov dword ptr ss:[ebp-124],ebx
004209CB . C785 B8FEFFFF FF40420>mov dword ptr ss:[ebp-148],PortExpl>
004209D5 . C785 D8FEFFFF DCC3440>mov dword ptr ss:[ebp-128],PortExpl>; ASCII "Splitter_Class_PE"
004209DF . 899D D4FEFFFF mov dword ptr ss:[ebp-12C],ebx
004209E5 . 899D B4FEFFFF mov dword ptr ss:[ebp-14C],ebx
004209EB . E8 06760000 call PortExpl.00427FF6 this CALL dynamically generates the code below at 4209FE~421CB0; step over it with F8 and the code below appears; NOP it out
004209F0 . 59 pop ecx
004209F1 . 59 pop ecx
004209F2 . 68 8F408040 push 4080408F
004209F7 . 58 pop eax
004209F8 . 68 C0A0C0A0 push A0C0A0C0
004209FD . 58 pop eax
004209FE . DEEB fsubp st(3),st once the code is decompressed, use LordPE to dump the region 4209FE~421CB0, 4786 bytes in total
00420A00 ? DD ??? ; unknown command
00420A01 ? 8EAA 8B399345 mov gs,word ptr ds:[edx+4593398B]
00420A07 ? 625A 2D bound ebx,qword ptr ds:[edx+2D]
00420A0A ?^ 74 AB je short PortExpl.004209B7
00420A0C ? 5A pop edx
00420A0D ? 67:FE ??? ; unknown command
00420A0F ? 3A41 FE cmp al,byte ptr ds:[ecx-2]
00420A12 ? 2B8D 914C1BE4 sub ecx,dword ptr ss:[ebp+E41B4C91]
......................................
00421CB0 . 58 pop eax
00421CB1 . 68 C0A0C0A0 push A0C0A0C0
00421CB6 . 58 pop eax
00421CB7 . 8D85 28FFFFFF lea eax,dword ptr ss:[ebp-D8]
00421CBD . 50 push eax
00421CBE . 68 BAFF4100 push PortExpl.0041FFBA ; entry address
00421CC3 . E8 2E630000 call PortExpl.00427FF6 this CALL also dynamically rewrites the code above; NOP it out
00421CC8 . 8D85 C8FDFFFF lea eax,dword ptr ss:[ebp-238]
Use WinHex to paste the dumped code back over 4209FE~421CB0, 4786 bytes in total, and NOP out the call at 004209EB
00420A1B . 8D45 D0 lea eax,dword ptr ss:[ebp-30]
00420A1E . 50 push eax
00420A1F . 8D85 58F7FFFF lea eax,dword ptr ss:[ebp-8A8]
00420A25 . FF35 308A4800 push dword ptr ds:[488A30]
00420A2B . 50 push eax
00420A2C . E8 9E3FFFFF call PortExpl.004149CF I only found this one after it had shut my machine down once, heh; step into it
and you arrive here
00414C8D |. FF55 D0 call dword ptr ss:[ebp-30] kernel32.GetFileSize
00414C90 |. 3D 801A0600 cmp eax,61A80
00414C95 |. 76 1F jbe short PortExpl.00414CB6 change to jump
00414CB8 |. FF55 D0 call dword ptr ss:[ebp-30] ; kernel32.GetFileSize
00414CBB |. 3D 7F1A0600 cmp eax,61A7F
00414CC0 |.^ 77 D5 ja short PortExpl.00414C97 must not jump
00414CC4 |. FF55 D0 call dword ptr ss:[ebp-30] ; kernel32.GetFileSize
00414CC7 |. 3D 70F30500 cmp eax,5F370
00414CCC |. 76 0E jbe short PortExpl.00414CDC change to jump
00414D85 |. 8BF8 mov edi,eax ; kernel32.IsDebuggerPresent see that? heh
00414D87 |. 8D45 C0 lea eax,dword ptr ss:[ebp-40]
..........................
00414D9A |. FFD7 call edi *******IsDebuggerPresent***********
00414D9C |. 85C0 test eax,eax
00414D9E |. 74 06 je short PortExpl.00414DA6 if it detects the program being debugged, heh, look below and you'll see what it's about to do again. ***** change to jump
00414DA0 |. 53 push ebx
00414DA1 |. 6A 04 push 4
00414DA3 |. FF55 FC call dword ptr ss:[ebp-4] ; USER32.ExitWindowsEx shuts your machine down for you
00420A31 . 83C4 18 add esp,18 returns to here
00420A34 . C785 B0FEFFFF 30>mov dword ptr ss:[ebp-150],30
00420A3E . 899D DCFEFFFF mov dword ptr ss:[ebp-124],ebx
..........................
00420B46 . FFD6 call esi
00420B48 . 3BFB cmp edi,ebx
00420B4A . 8945 08 mov dword ptr ss:[ebp+8],eax ; USER32.ExitWindowsEx
00420B4D . 74 0C je short PortExpl.00420B5B
00420B4F . FFD7 call edi ; IsDebuggerPresent truly a perverse program, so afraid of being debugged
00420B51 . 85C0 test eax,eax
00420B53 . 74 06 je short PortExpl.00420B5B change to jump, otherwise it shuts your machine down again
00420B58 . FF55 08 call dword ptr ss:[ebp+8] ; USER32.ExitWindowsEx
.....................
00420D6C . FF55 EC call dword ptr ss:[ebp-14] ;kernel32.GetFileSize
00420D6F . 3D 801A0600 cmp eax,61A80
00420D74 . 76 1F jbe short PortExpl.00420D95 change to jump
...................
00420D97 . FF55 EC call dword ptr ss:[ebp-14] ; kernel32.GetFileSize
00420D9A . 3D 7F1A0600 cmp eax,61A7F
00420D9F .^ 77 D5 ja short PortExpl.00420D76 must not jump
..........................
00420DA3 . FF55 EC call dword ptr ss:[ebp-14] ; kernel32.GetFileSize
00420DA6 . 3D 70F30500 cmp eax,5F370
00420DAB . 76 0C jbe short PortExpl.00420DB9 change to jump
.................................. (code skipped)
00421CBE . 68 BAFF4100 push PortExpl.0041FFBA ; 入口地址
00421CC3 . E8 2E630000 call PortExpl.00427FF6 decompresses the code
00421CC8 . 8D85 C8FDFFFF lea eax,dword ptr ss:[ebp-238>
0042228F . FF55 EC call dword ptr ss:[ebp-14] ; kernel32.GetFileSize
00422292 . 3D 801A0600 cmp eax,61A80
00422297 . 76 1E jbe short PortExpl.004222B7 change to jump
004222B9 . FF55 EC call dword ptr ss:[ebp-14] ; kernel32.GetFileSize
004222BC . 3D 7F1A0600 cmp eax,61A7F
004222C1 .^ 77 D6 ja short PortExpl.00422299 must not jump
004222C5 . FF55 EC call dword ptr ss:[ebp-14] ; kernel32.GetFileSize
004222C8 . 3D 70F30500 cmp eax,5F370
004222CD . 76 0C jbe short PortExpl.004222DB change to jump ; once this one jumps it is completely disarmed and you can debug it as you like
Unpacking and repair succeeded. What an exhausting, perverse program!!!!!
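The file-size ladder that the listing repeats four times (the GetFileSize / cmp / jbe sequences at 004205A1, 00414C8D, 00420D6C and 0042228F) is easier to reason about as C. The program below is an added example written for this page; it is not code from Port Explorer or from the author, and all function names and sample sizes are constructed. The three thresholds are the immediates from the listing. Walking the ladder in listing order shows why the annotations ("must jump", "must not jump", "change to jump") are the only consistent reading: the three comparisons collapse to a single bound, size <= 0x5F370 (390,000 bytes), so any file above that bound is diverted at the third comparison and nowhere else, and the two larger thresholds never decide anything except for the single value 0x61A80.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Thresholds are the cmp immediates in the listing; the two larger ones differ
 * by exactly one byte and the third is the smallest of the three. */
#define LIMIT_61A80 0x61A80u   /* 400000 decimal */
#define LIMIT_61A7F 0x61A7Fu   /* 399999 decimal */
#define LIMIT_5F370 0x5F370u   /* 390000 decimal */

/* Walks the ladder in listing order and reports which comparison (1, 2 or 3)
 * is the first to divert a file of the given size to the retaliation block at
 * 004205AB (OpenProcess with TERMINATE access, then ExitWindowsEx).
 * Returns 0 when all three comparisons are satisfied and execution continues. */
int size_check_first_failure(uint32_t file_size)
{
    /* 004205A4 cmp eax,61A80 / 004205A9 jbe 004205CA
     * Taken is the good path; falling through lands on 004205AB ("must jump"). */
    if (file_size > LIMIT_61A80)
        return 1;

    /* 004205CF cmp eax,61A7F / 004205D4 ja 004205AB
     * Taken is the bad path ("must not jump"). After the first comparison the
     * only size that can still take it is exactly 0x61A80. */
    if (file_size > LIMIT_61A7F)
        return 2;

    /* 004205DB cmp eax,5F370 / 004205E0 jbe 004205EE / 004205E2 jmp 004205AB
     * Taken is the good path; not taken runs into the unconditional jump to
     * 004205AB. This is the comparison that decides for every other size. */
    if (file_size > LIMIT_5F370)
        return 3;

    return 0;
}

/* 1 if the ladder lets the file run, 0 if it ends in retaliation. */
int size_check_passes(uint32_t file_size)
{
    return size_check_first_failure(file_size) == 0;
}

/* The single bound the three comparisons reduce to. */
int single_bound_passes(uint32_t file_size)
{
    return file_size <= LIMIT_5F370;
}

/* Exhaustively checks that the ladder and the single bound agree for every
 * size in [lo, hi]; a 64-bit counter avoids wrapping when hi is UINT32_MAX. */
int ladder_matches_single_bound(uint32_t lo, uint32_t hi)
{
    for (uint64_t s = lo; s <= hi; s++)
        if (size_check_passes((uint32_t)s) != single_bound_passes((uint32_t)s))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample sizes chosen around the thresholds, not measured from
     * any real Port Explorer build. */
    const uint32_t samples[] = { 0x5F000u, LIMIT_5F370, LIMIT_5F370 + 1,
                                 LIMIT_61A7F, LIMIT_61A80, LIMIT_61A80 + 1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int failed_at = size_check_first_failure(samples[i]);
        if (failed_at == 0)
            printf("size 0x%05" PRIX32 " (%" PRIu32 " bytes): runs normally\n",
                   samples[i], samples[i]);
        else
            printf("size 0x%05" PRIX32 " (%" PRIu32 " bytes): retaliation, diverted by comparison %d\n",
                   samples[i], samples[i], failed_at);
    }
    printf("ladder == (size <= 0x5F370) for every size in 0..0x80000: %s\n",
           ladder_matches_single_bound(0, 0x80000u) ? "yes" : "no");
    return 0;
}
```

The exhaustive comparison in ladder_matches_single_bound is the useful part: it proves that the staggered thresholds add no information beyond the smallest one. From a protection-design standpoint it also makes the weakness of the scheme visible: the check looks only at the file's size, never at its content, so any file under the bound satisfies it regardless of what the bytes are.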
--------------------------------------------------------------------------------
【Summary】
00421B24 . E8 1F7C0000 call PortExpl.00429748 ; \PortExpl.00429748
00421B29 . 83C4 18 add esp,18
00421B2C . 395D F8 cmp dword ptr ss:[ebp-8],ebx
00421B2F . 0F84 89000000 je PortExpl.00421BBE change this so it doesn't jump and it becomes the registered version
--------------------------------------------------------------------------------
【Copyright notice】 This article is purely for technical exchange. If you repost it, please credit the author and keep the article intact. Thank you!