[原创]PEquake记事本脱壳-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

[原创]PEquake记事本脱壳

发表于: 2009-7-8 15:33 7566

[原创]PEquake记事本脱壳

yuansunxue 活跃值

2009-7-8 15:33

7566

【作者声明】：没什么技术含量,失误之处敬请诸位大侠赐教
【软件名称】: 程序实例见附件
【调试环境】：WinXP sp2、OD、PEiD、LordPE、ImportREC

说明：
PEquake一个很老的壳子了，闲来无聊决定练练手，没啥技术含量，大牛们就不要看了，参考了cyclotron大牛的文章，不要用修改版od，我这里会出问题，原版的不会

过程：

忽略所有异常，隐藏Olly，载入后来到这里：

0040D000 <>  E8 A5000000      call notepad9.0040D0AA
0040D005     2D D0000000      sub eax,0D0
0040D00A     0000             add byte ptr ds:[eax],al
0040D00C     0000             add byte ptr ds:[eax],al
0040D00E     0000             add byte ptr ds:[eax],al
0040D010     003D D000002D    add byte ptr ds:[2D0000D0],bh
0040D016     D000             rol byte ptr ds:[eax],1
0040D018     0000             add byte ptr ds:[eax],al
0040D01A     0000             add byte ptr ds:[eax],al

接下来有一大段SEH和花指令垃圾，我们下断点：bp CreateThread，来到下面，堆栈如下：

0012FFA8   003925CF  /CALL to CreateThread from 003925C9
0012FFAC   00000000  |pSecurity = NULL
0012FFB0   00000000  |StackSize = 0
0012FFB4   00392597  |ThreadFunction = 00392597
0012FFB8   7C816FF7  |pThreadParm = kernel32.7C816FF7
0012FFBC   00000000  |CreationFlags = 0
0012FFC0   0039265A  \pThreadId = 0039265A
0012FFC4   7C816FF7  RETURN to kernel32.7C816FF7

在入口处下断点bp 392597 F9运行来到这里：

00392597     E8 00000000      call 0039259C                                                   ;来到这里
0039259C     5D               pop ebp
0039259D     81ED A4184000    sub ebp,4018A4
003925A3     68 F4010000      push 1F4
003925A8     FF95 B1634000    call dword ptr ss:[ebp+4063B1]                                  ; kernel32.Sleep

Ctrl+F搜索指令 CMP EAX,4C505845，找到：

00392F3C     25 5F5F5F5F      and eax,5F5F5F5F
00392F41     3D 4558504C      cmp eax,4C505845                                                ;找到这里
00392F46   - 75 FE            jnz short 00392F46                                              ;如果不是EXPLORER.EXE就在这里挂起

好了，把这个跳转nop掉，disable父进程检查。后面的反跟踪都没什么用了。
然后ctrl + g GetModuleHandleA

7C80B6C1 k>  8BFF                  mov edi,edi
7C80B6C3     55                    push ebp
7C80B6C4     8BEC                  mov ebp,esp
7C80B6C6     837D 08 00            cmp dword ptr ss:[ebp+8],0
7C80B6CA     74 18                 je short kernel32.7C80B6E4
7C80B6CC     FF75 08               push dword ptr ss:[ebp+8]
7C80B6CF     E8 C0290000           call kernel32.7C80E094
7C80B6D4     85C0                  test eax,eax
7C80B6D6     74 08                 je short kernel32.7C80B6E0
7C80B6D8     FF70 04               push dword ptr ds:[eax+4]
7C80B6DB     E8 7D2D0000           call kernel32.GetModuleHandleW
7C80B6E0     5D                    pop ebp
7C80B6E1     C2 0400               retn 4                                                     ;此处F2下断

F9运行，Alt+M对code段下几次内存访问断点，

第一次，F9运行来到此处：
00383CB1     8907                  mov dword ptr ds:[edi],eax                                 ;SHELL32.DragFinish
00383CB3     5A                    pop edx
00383CB4     0FB642 FF             movzx eax,byte ptr ds:[edx-1]
00383CB8     03D0                  add edx,eax
00383CBA     42                    inc edx
00383CBB     83C7 04               add edi,4
00383CBE     59                    pop ecx
00383CBF   ^ E2 CA                 loopd short 00383C8B
00383CC1   ^ E9 EFFCFFFF           jmp 003839B5
00383CC6     64:A1 30000000        mov eax,dword ptr fs:[30]                                  ;此处F4，继续下断
00383CCC     85C0                  test eax,eax
00383CCE     78 08                 js short 00383CD8
00383CD0     0FB648 02             movzx ecx,byte ptr ds:[eax+2]

第二次，F9运行到此处：

00383FB9     8BDE                  mov ebx,esi
00383FBB     2BD8                  sub ebx,eax
00383FBD     8958 FC               mov dword ptr ds:[eax-4],ebx                               ;来到这里
00383FC0     83C7 08               add edi,8
00383FC3   ^ E9 44FDFFFF           jmp 00383D0C
00383FC8     68 9F6F56B6           push B6566F9F                                              ;这里F4，继续下断
00383FCD     50                    push eax
00383FCE     E8 5D000000           call 00384030

第三次，F9运行到此处：

004010CC     55                    push ebp                                                   ;oep
004010CD     8BEC                  mov ebp,esp
004010CF     83EC 44               sub esp,44
004010D2     56                    push esi
004010D3     90                    nop
004010D4     E8 7258F8FF           call 0038694B
004010D9     8BF0                  mov esi,eax
004010DB     8A00                  mov al,byte ptr ds:[eax]
004010DD     3C 22                 cmp al,22
004010DF     75 1B                 jnz short notepad9.004010FC
004010E1     56                    push esi
004010E2     90                    nop
004010E3     E8 6358F8FF           call 0038694B
004010E8     8BF0                  mov esi,eax
004010EA     8A00                  mov al,byte ptr ds:[eax]
004010EC     84C0                  test al,al
004010EE     74 04                 je short notepad9.004010F4
004010F0     3C 22                 cmp al,22
004010F2   ^ 75 ED                 jnz short notepad9.004010E1
004010F4     803E 22               cmp byte ptr ds:[esi],22

我们可以看到程序调用都变成了call 0038694B，
找一个call跟进349B15，我们选择这个：

004010D4     E8 7258F8FF           call 0038694B

走过一段花指令以后，发现解码算法：

00386C07     8B06                  mov eax,dword ptr ds:[esi]                                 ;esi指向一张表
00386C09     33D2                  xor edx,edx
00386C0B     B9 02000000           mov ecx,2
00386C10     F7E1                  mul ecx
00386C12     D1E8                  shr eax,1
00386C14     3BF8                  cmp edi,eax
00386C16     0F85 62010000         jnz 00386D7E
00386C1C     0AD2                  or dl,dl
00386C1E     75 0A                 jnz short 00386C2A                                         ;比较是ff25还是ff15形式的调用
00386C20    /E9 61010000           jmp 00386D86

表如下：
00387E03  5C 1A 40 00 F8 63 40 00  \@.鴆@.
00387E0B  23 15 40 00 FC 63 40 00  #@.點@.
00387E13  6F 34 40 00 00 64 40 00  o4@..d@.
00387E1B  64 2D 40 00 04 64 40 00  d-@.d@.
00387E23  A3 30 40 00 08 64 40 00  ?@.d@.
00387E2B  2F 1A 40 00 0C 64 40 00  /@..d@.
00387E33  46 1A 40 00 0C 64 40 00  F@..d@.
00387E3B  02 33 40 00 5C 63 40 00  3@.\c@.
00387E43  59 33 40 00 5C 63 40 00  Y3@.\c@.
00387E4B  2C 33 40 00 60 63 40 00  ,3@.`c@.
00387E53  1F 33 40 00 64 63 40 00  3@.dc@.
00387E5B  86 33 40 00 64 63 40 00  ?@.dc@.
00387E63  82 35 40 00 64 63 40 00  ?@.dc@.
00387E6B  0D 37 40 00 64 63 40 00  .7@.dc@.
00387E73  21 32 40 00 68 63 40 00  !2@.hc@.
00387E7B  13 33 40 00 6C 63 40 00  3@.lc@.
00387E83  AB 33 40 00 6C 63 40 00  ?@.lc@.
00387E8B  B9 35 40 00 6C 63 40 00  ?@.lc@.
00387E93  18 36 40 00 6C 63 40 00  6@.lc@.
00387E9B  88 36 40 00 6C 63 40 00  ?@.lc@.
00387EA3  77 39 40 00 6C 63 40 00  w9@.lc@.
00387EAB  E0 3A 40 00 6C 63 40 00  ?@.lc@.
00387EB3  0C 3B 40 00 6C 63 40 00  .;@.lc@.
00387EBB  21 3B 40 00 6C 63 40 00  !;@.lc@.
00387EC3  7A 41 40 00 6C 63 40 00  zA@.lc@.
00387ECB  DA 43 40 00 6C 63 40 00  贑@.lc@.
00387ED3  3A 32 40 00 70 63 40 00  :2@.pc@.
00387EDB  FB 34 40 00 74 63 40 00  ?@.tc@.
00387EE3  0B 35 40 00 74 63 40 00  5@.tc@.
00387EEB  CE 29 40 00 78 63 40 00  ?@.xc@.
00387EF3  AB 32 40 00 78 63 40 00  ?@.xc@.
00387EFB  29 35 40 00 78 63 40 00  )5@.xc@.
00387F03  C6 37 40 00 78 63 40 00  ?@.xc@.
00387F0B  30 29 40 00 7C 63 40 00  0)@.|c@.
00387F13  5A 2E 40 00 7C 63 40 00  Z.@.|c@.
00387F1B  7B 38 40 00 7C 63 40 00  {8@.|c@.
00387F23  54 3A 40 00 7C 63 40 00  T:@.|c@.
00387F2B  3B 41 40 00 7C 63 40 00  ;A@.|c@.
00387F33  3B 29 40 00 80 63 40 00  ;)@.€c@.
00387F3B  E0 32 40 00 80 63 40 00  ?@.€c@.
00387F43  66 35 40 00 80 63 40 00  f5@.€c@.
00387F4B  66 36 40 00 80 63 40 00  f6@.€c@.
00387F53  8D 38 40 00 80 63 40 00  ?@.€c@.
00387F5B  8D 3A 40 00 80 63 40 00  ?@.€c@.
00387F63  4F 41 40 00 80 63 40 00  OA@.€c@.
00387F6B  E8 41 40 00 80 63 40 00  鐰@.€c@.
00387F73  AB 41 40 00 84 63 40 00  獳@.刢@.
00387F7B  BD 41 40 00 84 63 40 00  紸@.刢@.
00387F83  5F 47 40 00 88 63 40 00  _G@.坈@.
00387F8B  82 4B 40 00 88 63 40 00  侹@.坈@.
00387F93  B2 4B 40 00 8C 63 40 00  睰@.宑@.
00387F9B  9B 4B 40 00 90 63 40 00  汯@.恈@.
00387FA3  3B 4D 40 00 94 63 40 00  ;M@.攃@.
00387FAB  F7 4D 40 00 94 63 40 00  鱉@.攃@.
00387FB3  37 11 40 00 98 63 40 00  7@.榗@.
00387FBB  D4 33 40 00 98 63 40 00  ?@.榗@.
00387FC3  52 11 40 00 9C 63 40 00  R@.渃@.
00387FCB  61 11 40 00 A0 63 40 00  a@.燾@.
00387FD3  6F 24 40 00 A4 63 40 00  o$@.@.
00387FDB  A6 35 40 00 A4 63 40 00  ?@.@.
00387FE3  E3 37 40 00 A4 63 40 00  ?@.@.
00387FEB  C9 39 40 00 A4 63 40 00  ?@.@.
00387FF3  75 49 40 00 A4 63 40 00  uI@.@.
00387FFB  FE 49 40 00 A4 63 40 00  蘒@.@.
00388003  C5 4A 40 00 A4 63 40 00  臞@.@.
0038800B  16 4E 40 00 A4 63 40 00  N@.@.
00388013  61 4E 40 00 A4 63 40 00  aN@.@.
0038801B  7B 4E 40 00 A4 63 40 00  {N@.@.
00388023  F4 4E 40 00 A4 63 40 00  鬘@.@.
0038802B  4D 4F 40 00 A4 63 40 00  MO@.@.
00388033  66 4F 40 00 A4 63 40 00  fO@.@.
0038803B  C3 28 40 00 A8 63 40 00  ?@.╟@.
00388043  21 25 40 00 AC 63 40 00  !%@.琧@.
0038804B  8B 21 40 00 B0 63 40 00  ?@.癱@.
00388053  7E 4D 40 00 B0 63 40 00  ~M@.癱@.
0038805B  C2 23 40 00 B4 63 40 00  ?@.碿@.
00388063  6F 3D 40 00 B4 63 40 00  o=@.碿@.
0038806B  80 3D 40 00 B4 63 40 00  €=@.碿@.
00388073  7E 4C 40 00 B4 63 40 00  ~L@.碿@.
0038807B  B1 4C 40 00 B4 63 40 00  盠@.碿@.
00388083  0E 4D 40 00 B4 63 40 00  M@.碿@.
0038808B  89 23 40 00 B8 63 40 00  ?@.竎@.
00388093  0A 22 40 00 BC 63 40 00  ."@.糲@.
0038809B  1C 38 40 00 BC 63 40 00  8@.糲@.
003880A3  AD 21 40 00 C0 63 40 00  ?@.纁@.
003880AB  EC 28 40 00 C0 63 40 00  ?@.纁@.
003880B3  03 29 40 00 C0 63 40 00  )@.纁@.
003880BB  CF 21 40 00 C4 63 40 00  ?@.腸@.
003880C3  0F 29 40 00 C4 63 40 00  )@.腸@.
003880CB  50 16 40 00 C8 63 40 00  P@.萩@.
003880D3  1B 2E 40 00 C8 63 40 00  .@.萩@.
003880DB  D2 3E 40 00 C8 63 40 00  ?@.萩@.
003880E3  71 19 40 00 CC 63 40 00  q@.蘡@.
003880EB  D3 2A 40 00 CC 63 40 00  ?@.蘡@.
003880F3  F7 2E 40 00 CC 63 40 00  ?@.蘡@.
003880FB  D2 40 40 00 CC 63 40 00  褸@.蘡@.
00388103  6A 14 40 00 D0 63 40 00  j@.衏@.
0038810B  AB 14 40 00 D0 63 40 00  ?@.衏@.
00388113  BF 2A 40 00 D0 63 40 00  ?@.衏@.
0038811B  29 2B 40 00 D0 63 40 00  )+@.衏@.
00388123  FC 2B 40 00 D0 63 40 00  ?@.衏@.
0038812B  E3 2E 40 00 D0 63 40 00  ?@.衏@.
00388133  4D 2F 40 00 D0 63 40 00  M/@.衏@.
0038813B  14 32 40 00 D0 63 40 00  2@.衏@.
00388143  7D 11 40 00 D4 63 40 00  }@.詂@.
0038814B  92 11 40 00 D4 63 40 00  ?@.詂@.
00388153  F5 43 40 00 D4 63 40 00  魿@.詂@.
0038815B  6C 44 40 00 D4 63 40 00  lD@.詂@.
00388163  C4 44 40 00 D4 63 40 00  腄@.詂@.
0038816B  D9 44 40 00 D4 63 40 00  貲@.詂@.
00388173  10 14 40 00 D8 63 40 00  @.豤@.
0038817B  CB 17 40 00 D8 63 40 00  ?@.豤@.
00388183  DB 17 40 00 D8 63 40 00  ?@.豤@.
0038818B  4E 18 40 00 D8 63 40 00  N@.豤@.
00388193  8D 18 40 00 D8 63 40 00  ?@.豤@.
0038819B  B2 1B 40 00 D8 63 40 00  ?@.豤@.
003881A3  13 1C 40 00 D8 63 40 00  @.豤@.
003881AB  3D 1C 40 00 D8 63 40 00  =@.豤@.
003881B3  9D 21 40 00 D8 63 40 00  ?@.豤@.
003881BB  C8 21 40 00 D8 63 40 00  ?@.豤@.
003881C3  DF 21 40 00 D8 63 40 00  ?@.豤@.
003881CB  2C 36 40 00 D8 63 40 00  ,6@.豤@.
003881D3  1F 37 40 00 D8 63 40 00  7@.豤@.
003881DB  93 37 40 00 D8 63 40 00  ?@.豤@.
003881E3  B8 3C 40 00 D8 63 40 00  ?@.豤@.
003881EB  2C 3F 40 00 D8 63 40 00  ,?@.豤@.
003881F3  35 45 40 00 D8 63 40 00  5E@.豤@.
003881FB  BA 45 40 00 D8 63 40 00  篍@.豤@.
00388203  CA 48 40 00 D8 63 40 00  蔋@.豤@.
0038820B  FA 48 40 00 D8 63 40 00  鶫@.豤@.
00388213  67 49 40 00 D8 63 40 00  gI@.豤@.
0038821B  AF 49 40 00 D8 63 40 00  疘@.豤@.
00388223  BE 11 40 00 DC 63 40 00  ?@.躢@.
0038822B  9C 38 40 00 E0 63 40 00  ?@.郼@.
00388233  E7 3A 40 00 E0 63 40 00  ?@.郼@.
0038823B  13 3B 40 00 E0 63 40 00  ;@.郼@.
00388243  5C 41 40 00 E0 63 40 00  \A@.郼@.
0038824B  E3 43 40 00 E0 63 40 00  鉉@.郼@.
00388253  D9 10 40 00 E4 63 40 00  ?@.鋍@.
0038825B  4A 3D 40 00 E8 63 40 00  J=@.鑓@.
00388263  EC 43 40 00 E8 63 40 00  霤@.鑓@.
0038826B  51 4B 40 00 E8 63 40 00  QK@.鑓@.
00388273  66 4B 40 00 E8 63 40 00  fK@.鑓@.
0038827B  76 35 40 00 EC 63 40 00  v5@.靋@.
00388283  C4 3C 40 00 F0 63 40 00  ?@.餭@.
0038828B  DC 41 40 00 F0 63 40 00  蹵@.餭@.
00388293  0C 4B 40 00 F0 63 40 00  .K@.餭@.
0038829B  28 4B 40 00 F0 63 40 00  (K@.餭@.
003882A3  80 47 40 00 14 64 40 00  €G@.d@.
003882AB  A4 47 40 00 14 64 40 00  @.d@.
003882B3  3F 49 40 00 14 64 40 00  ?I@.d@.
003882BB  E0 22 40 00 18 64 40 00  ?@.d@.
003882C3  D7 22 40 00 1C 64 40 00  ?@.d@.
003882CB  CB 22 40 00 20 64 40 00  ?@. d@.
003882D3  6F 22 40 00 24 64 40 00  o"@.$d@.
003882DB  68 29 40 00 28 64 40 00  h)@.(d@.
003882E3  B2 29 40 00 28 64 40 00  ?@.(d@.
003882EB  12 34 40 00 28 64 40 00  4@.(d@.
003882F3  30 34 40 00 28 64 40 00  04@.(d@.
003882FB  18 3F 40 00 28 64 40 00  ?@.(d@.
00388303  AA 3F 40 00 28 64 40 00  ?@.(d@.
0038830B  BB 47 40 00 28 64 40 00  籊@.(d@.
00388313  7F 2A 40 00 2C 64 40 00  *@.,d@.
0038831B  F0 2C 40 00 2C 64 40 00  ?@.,d@.
00388323  69 2A 40 00 30 64 40 00  i*@.0d@.
0038832B  3C 3C 40 00 30 64 40 00  <<@.0d@.
00388333  F7 30 40 00 34 64 40 00  ?@.4d@.
0038833B  CA 2F 40 00 38 64 40 00  ?@.8d@.
00388343  47 2D 40 00 3C 64 40 00  G-@.<d@.
0038834B  D9 2D 40 00 3C 64 40 00  ?@.<d@.
00388353  D3 3A 40 00 3C 64 40 00  ?@.<d@.
0038835B  E2 2C 40 00 40 64 40 00  ?@.@d@.
00388363  83 31 40 00 40 64 40 00  ?@.@d@.
0038836B  CE 31 40 00 44 64 40 00  ?@.Dd@.
00388373  6E 31 40 00 48 64 40 00  n1@.Hd@.
0038837B  FA 36 40 00 4C 64 40 00  ?@.Ld@.
00388383  03 38 40 00 50 64 40 00  8@.Pd@.
0038838B  86 3A 40 00 54 64 40 00  ?@.Td@.
00388393  C7 3B 40 00 58 64 40 00  ?@.Xd@.
0038839B  5E 3C 40 00 5C 64 40 00  ^<@.\d@.
003883A3  07 47 40 00 5C 64 40 00  G@.\d@.
003883AB  36 3D 40 00 60 64 40 00  6=@.`d@.
003883B3  FC 42 40 00 60 64 40 00  麭@.`d@.
003883BB  28 43 40 00 60 64 40 00  (C@.`d@.
003883C3  67 43 40 00 60 64 40 00  gC@.`d@.
003883CB  10 41 40 00 64 64 40 00  A@.dd@.
003883D3  F6 40 40 00 68 64 40 00  鯜@.hd@.
003883DB  D4 45 40 00 68 64 40 00  訣@.hd@.
003883E3  A1 40 40 00 6C 64 40 00  @.ld@.
003883EB  F8 46 40 00 70 64 40 00  鳩@.pd@.
003883F3  23 47 40 00 70 64 40 00  #G@.pd@.
003883FB  49 46 40 00 74 64 40 00  IF@.td@.
00388403  AB 46 40 00 74 64 40 00  獸@.td@.
0038840B  9E 46 40 00 78 64 40 00  濬@.xd@.
00388413  8F 46 40 00 7C 64 40 00  廎@.|d@.
0038841B  82 46 40 00 80 64 40 00  侳@.€d@.
00388423  35 46 40 00 84 64 40 00  5F@.刣@.
0038842B  A5 22 40 00 88 64 40 00  ?@.坉@.
00388433  BB 22 40 00 88 64 40 00  ?@.坉@.
0038843B  FA 22 40 00 88 64 40 00  ?@.坉@.
00388443  11 23 40 00 88 64 40 00  #@.坉@.
0038844B  3C 23 40 00 88 64 40 00  <#@.坉@.
00388453  5F 23 40 00 88 64 40 00  _#@.坉@.
0038845B  66 23 40 00 8C 64 40 00  f#@.宒@.
00388463  1D 22 40 00 90 64 40 00  "@.恉@.
0038846B  1E 21 40 00 94 64 40 00  !@.攄@.
00388473  DF 3B 40 00 94 64 40 00  ?@.攄@.
0038847B  46 21 40 00 98 64 40 00  F!@.榙@.
00388483  ED 3B 40 00 98 64 40 00  ?@.榙@.
0038848B  50 21 40 00 9C 64 40 00  P!@.渄@.
00388493  F7 3B 40 00 9C 64 40 00  ?@.渄@.
0038849B  02 21 40 00 A0 64 40 00  !@.燿@.
003884A3  5D 21 40 00 A0 64 40 00  ]!@.燿@.
003884AB  A9 1E 40 00 A4 64 40 00  ?@.@.
003884B3  05 3B 40 00 A4 64 40 00  ;@.@.
003884BB  3E 3B 40 00 A4 64 40 00  >;@.@.
003884C3  E0 45 40 00 A4 64 40 00  郋@.@.
003884CB  CB 1E 40 00 A8 64 40 00  ?@.╠@.
003884D3  D2 1E 40 00 A8 64 40 00  ?@.╠@.
003884DB  EB 1E 40 00 AC 64 40 00  ?@.琩@.
003884E3  40 24 40 00 AC 64 40 00  @$@.琩@.
003884EB  89 29 40 00 AC 64 40 00  ?@.琩@.
003884F3  E6 33 40 00 AC 64 40 00  ?@.琩@.
003884FB  8B 34 40 00 AC 64 40 00  ?@.琩@.
00388503  94 1D 40 00 B0 64 40 00  ?@.癲@.
0038850B  DF 1D 40 00 B0 64 40 00  ?@.癲@.
00388513  16 20 40 00 B0 64 40 00   @.癲@.
0038851B  87 20 40 00 B0 64 40 00  ?@.癲@.
00388523  BA 20 40 00 B4 64 40 00  ?@.磀@.
0038852B  AC 22 40 00 B4 64 40 00  ?@.磀@.
00388533  C2 22 40 00 B4 64 40 00  ?@.磀@.
0038853B  01 23 40 00 B4 64 40 00  #@.磀@.
00388543  18 23 40 00 B4 64 40 00  #@.磀@.
0038854B  43 23 40 00 B4 64 40 00  C#@.磀@.
00388553  99 23 40 00 B4 64 40 00  ?@.磀@.
0038855B  8E 3C 40 00 B4 64 40 00  ?@.磀@.
00388563  D4 1A 40 00 B8 64 40 00  ?@.竏@.
0038856B  DF 1A 40 00 BC 64 40 00  ?@.糳@.
00388573  D7 2B 40 00 BC 64 40 00  ?@.糳@.
0038857B  D9 2F 40 00 BC 64 40 00  ?@.糳@.
00388583  58 3B 40 00 BC 64 40 00  X;@.糳@.
0038858B  E8 1A 40 00 C0 64 40 00  ?@.纃@.
00388593  50 1A 40 00 C4 64 40 00  P@.膁@.
0038859B  5C 13 40 00 C8 64 40 00  \@.萪@.
003885A3  7F 1E 40 00 C8 64 40 00  @.萪@.
003885AB  69 46 40 00 C8 64 40 00  iF@.萪@.
003885B3  D1 46 40 00 C8 64 40 00  袴@.萪@.
003885BB  0B 15 40 00 CC 64 40 00  @.蘢@.
003885C3  92 31 40 00 CC 64 40 00  ?@.蘢@.
003885CB  16 16 40 00 D0 64 40 00  @.衐@.
003885D3  B9 2C 40 00 D0 64 40 00  ?@.衐@.
003885DB  CC 3D 40 00 D0 64 40 00  ?@.衐@.
003885E3  84 16 40 00 D4 64 40 00  ?@.詃@.
003885EB  4A 2E 40 00 D4 64 40 00  J.@.詃@.
003885F3  E5 3D 40 00 D4 64 40 00  ?@.詃@.
003885FB  A1 16 40 00 D8 64 40 00  ?@.豥@.
00388603  ED 16 40 00 D8 64 40 00  ?@.豥@.
0038860B  F4 31 40 00 D8 64 40 00  ?@.豥@.
00388613  EC 34 40 00 D8 64 40 00  ?@.豥@.
0038861B  43 38 40 00 D8 64 40 00  C8@.豥@.
00388623  80 39 40 00 D8 64 40 00  €9@.豥@.
0038862B  BA 3D 40 00 D8 64 40 00  ?@.豥@.
00388633  96 13 40 00 DC 64 40 00  ?@.躣@.
0038863B  A9 13 40 00 DC 64 40 00  ?@.躣@.
00388643  BC 13 40 00 DC 64 40 00  ?@.躣@.
0038864B  B9 15 40 00 DC 64 40 00  ?@.躣@.
00388653  C1 16 40 00 DC 64 40 00  ?@.躣@.
0038865B  07 17 40 00 DC 64 40 00  @.躣@.
00388663  A7 1A 40 00 DC 64 40 00  ?@.躣@.
0038866B  FD 1A 40 00 DC 64 40 00  ?@.躣@.
00388673  55 1E 40 00 DC 64 40 00  U@.躣@.
0038867B  34 1F 40 00 DC 64 40 00  4@.躣@.
00388683  49 1F 40 00 DC 64 40 00  I@.躣@.
0038868B  69 1F 40 00 DC 64 40 00  i@.躣@.
00388693  A4 1F 40 00 DC 64 40 00  ?@.躣@.
0038869B  B9 1F 40 00 DC 64 40 00  ?@.躣@.
003886A3  86 22 40 00 DC 64 40 00  ?@.躣@.
003886AB  2B 23 40 00 DC 64 40 00  +#@.躣@.
003886B3  00 2E 40 00 DC 64 40 00  ..@.躣@.
003886BB  42 2E 40 00 DC 64 40 00  B.@.躣@.
003886C3  19 31 40 00 DC 64 40 00  1@.躣@.
003886CB  30 31 40 00 DC 64 40 00  01@.躣@.
003886D3  45 31 40 00 DC 64 40 00  E1@.躣@.
003886DB  83 32 40 00 DC 64 40 00  ?@.躣@.
003886E3  96 32 40 00 DC 64 40 00  ?@.躣@.
003886EB  F2 32 40 00 DC 64 40 00  ?@.躣@.
003886F3  6C 33 40 00 DC 64 40 00  l3@.躣@.
003886FB  9F 33 40 00 DC 64 40 00  ?@.躣@.
00388703  5F 38 40 00 DC 64 40 00  _8@.躣@.
0038870B  6F 38 40 00 DC 64 40 00  o8@.躣@.
00388713  B1 38 40 00 DC 64 40 00  ?@.躣@.
0038871B  D4 38 40 00 DC 64 40 00  ?@.躣@.
00388723  EB 38 40 00 DC 64 40 00  ?@.躣@.
0038872B  46 39 40 00 DC 64 40 00  F9@.躣@.
00388733  E3 39 40 00 DC 64 40 00  ?@.躣@.
0038873B  F8 39 40 00 DC 64 40 00  ?@.躣@.
00388743  34 3A 40 00 DC 64 40 00  4:@.躣@.
0038874B  44 3A 40 00 DC 64 40 00  D:@.躣@.
00388753  6F 3A 40 00 DC 64 40 00  o:@.躣@.
0038875B  A1 3A 40 00 DC 64 40 00  ?@.躣@.
00388763  FA 3A 40 00 DC 64 40 00  ?@.躣@.
0038876B  32 3B 40 00 DC 64 40 00  2;@.躣@.
00388773  8C 3B 40 00 DC 64 40 00  ?@.躣@.
0038877B  2F 41 40 00 DC 64 40 00  /A@.躣@.
00388783  71 41 40 00 DC 64 40 00  qA@.躣@.
0038878B  00 42 40 00 DC 64 40 00  .B@.躣@.
00388793  33 42 40 00 DC 64 40 00  3B@.躣@.
0038879B  49 42 40 00 DC 64 40 00  IB@.躣@.
003887A3  D0 4B 40 00 DC 64 40 00  蠯@.躣@.
003887AB  EC 4B 40 00 DC 64 40 00  霮@.躣@.
003887B3  FF 4B 40 00 DC 64 40 00  K@.躣@.
003887BB  11 4C 40 00 DC 64 40 00  L@.躣@.
003887C3  28 4C 40 00 DC 64 40 00  (L@.躣@.
003887CB  1B 17 40 00 E0 64 40 00  @.郿@.
003887D3  CB 14 40 00 E4 64 40 00  ?@.鋎@.
003887DB  3D 17 40 00 E4 64 40 00  =@.鋎@.
003887E3  1A 1A 40 00 E4 64 40 00  @.鋎@.
003887EB  84 2B 40 00 E4 64 40 00  ?@.鋎@.
003887F3  52 17 40 00 E8 64 40 00  R@.鑔@.
003887FB  18 1E 40 00 E8 64 40 00  @.鑔@.
00388803  3D 1E 40 00 E8 64 40 00  =@.鑔@.
0038880B  98 3B 40 00 E8 64 40 00  ?@.鑔@.
00388813  65 3C 40 00 E8 64 40 00  e<@.鑔@.
0038881B  2B 12 40 00 EC 64 40 00  +@.靌@.
00388823  EE 36 40 00 EC 64 40 00  ?@.靌@.
0038882B  45 12 40 00 F0 64 40 00  E@.餯@.
00388833  E8 10 40 00 F4 64 40 00  ?@.鬱@.
0038883B  07 11 40 00 F4 64 40 00  @.鬱@.
00388843  1F 11 40 00 F4 64 40 00  @.鬱@.
0038884B  49 22 40 00 F4 64 40 00  I"@.鬱@.
00388853  5A 4C 40 00 F4 64 40 00  ZL@.鬱@.
0038885B  E5 4C 40 00 F4 64 40 00  錖@.鬱@.
00388863  AB 4D 40 00 F4 64 40 00  玀@.鬱@.
0038886B  40 4E 40 00 F4 64 40 00  @N@.鬱@.
00388873  1E 4F 40 00 F4 64 40 00  O@.鬱@.
0038887B  93 4F 40 00 F4 64 40 00  揙@.鬱@.
00388883  04 1E 40 00 F8 64 40 00  @.鴇@.
0038888B  29 1E 40 00 F8 64 40 00  )@.鴇@.
00388893  A1 1D 40 00 FC 64 40 00  ?@.黡@.
0038889B  38 21 40 00 00 65 40 00  8!@..e@.
003888A3  DF 26 40 00 FC 62 40 00  ?@.黚@.
003888AB  43 16 40 00 00 63 40 00  C@..c@.
003888B3  0E 2E 40 00 00 63 40 00  .@..c@.
003888BB  0C 3E 40 00 00 63 40 00  .>@..c@.
003888C3  18 3E 40 00 00 63 40 00  >@..c@.
003888CB  82 3E 40 00 00 63 40 00  ?@..c@.
003888D3  AA 16 40 00 04 63 40 00  ?@.c@.
003888DB  2D 2E 40 00 04 63 40 00  -.@.c@.
003888E3  39 3F 40 00 04 63 40 00  9?@.c@.
003888EB  73 3F 40 00 04 63 40 00  s?@.c@.
003888F3  F0 3C 40 00 08 63 40 00  ?@.c@.
003888FB  3E 3D 40 00 08 63 40 00  >=@.c@.
00388903  48 3F 40 00 08 63 40 00  H?@.c@.
0038890B  82 3F 40 00 08 63 40 00  ?@.c@.
00388913  93 42 40 00 08 63 40 00  揃@.c@.
0038891B  8D 44 40 00 08 63 40 00  岲@.c@.
00388923  94 44 40 00 0C 63 40 00  擠@..c@.
0038892B  37 44 40 00 10 63 40 00  7D@.c@.
00388933  43 44 40 00 14 63 40 00  CD@.c@.
0038893B  9B 44 40 00 14 63 40 00  汥@.c@.
00388943  E5 44 40 00 14 63 40 00  錎@.c@.
0038894B  7E 42 40 00 18 63 40 00  ~B@.c@.
00388953  C5 40 40 00 1C 63 40 00  臔@.c@.
0038895B  90 43 40 00 20 63 40 00  怌@. c@.
00388963  20 44 40 00 20 63 40 00   D@. c@.
0038896B  2C 40 40 00 24 63 40 00  ,@@.$c@.
00388973  CE 3F 40 00 28 63 40 00  ?@.(c@.
0038897B  89 40 40 00 2C 63 40 00  堾@.,c@.
00388983  79 3E 40 00 30 63 40 00  y>@.0c@.
0038898B  26 3E 40 00 34 63 40 00  &>@.4c@.
00388993  70 3E 40 00 34 63 40 00  p>@.4c@.
0038899B  93 3E 40 00 38 63 40 00  ?@.8c@.
003889A3  59 3F 40 00 38 63 40 00  Y?@.8c@.
003889AB  93 3F 40 00 38 63 40 00  ?@.8c@.
003889B3  52 3E 40 00 3C 63 40 00  R>@.<c@.
003889BB  38 3E 40 00 40 63 40 00  8>@.@c@.
003889C3  67 3E 40 00 44 63 40 00  g>@.Dc@.
003889CB  43 4B 40 00 48 63 40 00  CK@.Hc@.
003889D3  D5 3D 40 00 4C 63 40 00  ?@.Lc@.
003889DB  D3 16 40 00 50 63 40 00  ?@.Pc@.
003889E3  B5 1E 40 00 50 63 40 00  ?@.Pc@.
003889EB  4C 44 40 00 50 63 40 00  LD@.Pc@.
003889F3  5A 44 40 00 50 63 40 00  ZD@.Pc@.
003889FB  A4 44 40 00 50 63 40 00  @.Pc@.
00388A03  D2 26 40 00 54 63 40 00  ?@.Tc@.
00388A0B  CE 4F 40 80 08 65 40 00  蜲@€e@.                                                ;可以看到这几个是ff25类型的调用
00388A13  C8 4F 40 80 0C 65 40 00  萇@€.e@.
00388A1B  C2 4F 40 80 10 65 40 00  翺@€e@.
00388A23  BC 4F 40 80 14 65 40 00  糘@€e@.
00388A2B  B6 4F 40 80 18 65 40 00  禣@€e@.
00388A33  B0 4F 40 80 1C 65 40 00  癘@€e@.
00388A3B  D4 4F 40 80 20 65 40 00  設@€ e@.
00388A43  BC 24 40 00 E4 62 40 00  ?@.鋌@.
00388A4B  0A 25 40 00 E4 62 40 00  .%@.鋌@.
00388A53  BF 26 40 00 E8 62 40 00  ?@.鑒@.
00388A5B  5F 24 40 00 EC 62 40 00  _$@.靊@.
00388A63  84 24 40 00 EC 62 40 00  ?@.靊@.
00388A6B  F3 26 40 00 F0 62 40 00  ?@.餬@.
00388A73  42 25 40 00 F4 62 40 00  B%@.鬮@.
00388A7B  00 00 00 00 00 00 00 00  ........
00388A83  00 00 00 00 00 00 00 00  ........

我们知道了他的解码算法，可以自己写代码修复，下面是我的代码：

00386C07     8B06                  mov eax,dword ptr ds:[esi]                              ;将第一个
00386C09     33D2                  xor edx,edx
00386C0B     B9 02000000           mov ecx,2
00386C10     F7E1                  mul ecx
00386C12     D1E8                  shr eax,1
00386C14     08D2                  or dl,dl                                                ;这里是比较时ff25 还是ff15类型的跳转调用
00386C16     75 16                 jnz short 00386C2E                                      ;下面几句是ff15的修复
00386C18     66:C740 FA FF15       mov word ptr ds:[eax-6],15FF
00386C1E     8B5E 04               mov ebx,dword ptr ds:[esi+4]
00386C21     8958 FC               mov dword ptr ds:[eax-4],ebx
00386C24     83C6 08               add esi,8
00386C27     833E 00               cmp dword ptr ds:[esi],0                                ;判断是否处理完毕
00386C2A   ^ 75 DB                 jnz short 00386C07                                      ;没有处理完继续
00386C2C     EB 14                 jmp short 00386C42
00386C2E     66:C740 FA FF25       mov word ptr ds:[eax-6],25FF                            ;下面几句是ff25的修复
00386C34     8B5E 04               mov ebx,dword ptr ds:[esi+4]
00386C37     8958 FC               mov dword ptr ds:[eax-4],ebx
00386C3A     83C6 08               add esi,8
00386C3D     833E 00               cmp dword ptr ds:[esi],0                                ;同样是判断是否处理完毕
00386C40   ^ 75 C5                 jnz short 00386C07                                      ;没有处理完继续
00386C42     90                    nop

二进制代码：

8B 06 33 D2 B9 02 00 00 00 F7 E1 D1 E8 08 D2 75 16 66 C7 40 FA FF 15 8B 5E 04 89 58 FC 83 C6 08
83 3E 00 75 DB EB 14 66 C7 40 FA FF 25 8B 5E 04 89 58 FC 83 C6 08 83 3E 00 75 C5 90

走到00386c07处，将上面的二进制代码粘贴到00386c07处，如果走过了可以在00386c07处新建起源粘贴，粘的时候注意多选几行。
然后在00386c42处下硬件执行断点，F9运行到这里。然后撤销上面的修改。ctrl +　g 来到004010cc处可以看到都处理好了。

LordPE选择进程，纠正映像大小，dump程序。然后用IR OEP填10cc，修复一下，程序可以正常运行。

登录后可查看完整内容

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

上传的附件：

notepad98_original.rar （26.93kb，28次下载）

收藏・0

免费・7

支持

最新回复 (2)
hcg 雪币： 350 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 145 粉丝 0 关注私信	hcg 2 楼感謝樓主分享教程學習 patch 代碼修復 2009-7-9 21:51 0
gjdzwgl 雪币： 202 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 20 粉丝 0 关注私信	gjdzwgl 3 楼学习一下.感谢楼主分享! 2009-7-10 14:02 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

yuansunxue

发帖

267

回帖

310

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (2)
hcg 雪币： 350 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 145 粉丝 0 关注私信	hcg 2 楼感謝樓主分享教程學習 patch 代碼修復 2009-7-9 21:51 0
gjdzwgl 雪币： 202 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 20 粉丝 0 关注私信	gjdzwgl 3 楼学习一下.感谢楼主分享! 2009-7-10 14:02 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复