用Themida 1.8.0.0加壳windows xp自带记事本程序notepad.exe。其他选项默认,直接protect
Themida_1.8.0.0_notepad.part1.rar
Themida_1.8.0.0_notepad.part2.rar
OD相关配置如下:
- 调试选项中的异常设置:全部打勾
- HideOD插件(打勾) Auto Run HideOD
HideNtDebugBit
ZwQueryInformationProcess->method1
载入程序
01014014 > B8 00000000 mov eax, 0
01014019 60 pushad
0101401A 0BC0 or eax, eax
0101401C 74 58 je short 01014076
0101401E E8 00000000 call 01014023
01014023 58 pop eax
01014024 05 43000000 add eax, 43
01014029 8038 E9 cmp byte ptr [eax], 0E9
0101402C 75 03 jnz short 01014031
0101402E 61 popad
code段下内存写入断点,shift+F9
0124C4D1 F3:A4 rep movs byte ptr es:[edi], byte ptr>
shift+F7一次,shift+F8一次(据说直接按F8会长时间无反应...)
0124C4D3 C685 0D257409 5>mov byte ptr [ebp+974250D], 56
F9之后取消内存断点
F8找下面类似的代码(途中有很多跳转,F8多按几次)
mov ...,0
mov ...,0
cmp ...,0
在这里:
012549EE C785 550E7409 0>mov dword ptr [ebp+9740E55], 0 ; important
012549F8 C785 A52C7409 0>mov dword ptr [ebp+9742CA5], 0
01254A02 83BD 3A848509 0>cmp dword ptr [ebp+985843A], 0
01254A09 0F84 08000000 je 01254A17
01254A0F 8D9D BAA58409 lea ebx, dword ptr [ebp+984A5BA]
01254A15 FFD3 call ebx
01254A17 FF85 21007409 inc dword ptr [ebp+9740021]
01254A1D 83BD 21007409 6>cmp dword ptr [ebp+9740021], 64
01254A24 0F82 62000000 jb 01254A8C
走到01254A24往下看:
01254A6E /0F84 17000000 je 01254A8B ; magic jump
修改成:jmp 01254A8B
再找4处相同的je跳转
01254BB3 83BD DD227409 0>cmp dword ptr [ebp+97422DD], 1
01254BBA 0F84 39000000 je 01254BF9
01254BC0 3B8D 310E7409 cmp ecx, dword ptr [ebp+9740E31]
01254BC6 0F84 2D000000 je 01254BF9
01254BCC 3B8D 3D2A7409 cmp ecx, dword ptr [ebp+9742A3D]
01254BD2 0F84 21000000 je 01254BF9
01254BD8 3B8D 61037409 cmp ecx, dword ptr [ebp+9740361]
01254BDE 0F84 15000000 je 01254BF9
把这四处je语句全部用nop替换掉
查找函数ZwFreeVirtualMemory
7C92D38E > B8 53000000 mov eax, 53
7C92D393 BA 0003FE7F mov edx, 7FFE0300
7C92D398 FF12 call dword ptr [edx]
7C92D39A C2 1000 retn 10
在7C92D39A下断点,重复shift+F9,直到出现相同的EDI
取消CC断点,对code段下内存访问断点,shift+F9
01007568 /$ 68 BA750001 push 010075BA
0100756D |. 64:A1 0000000>mov eax, dword ptr fs:[0]
01007573 |. 50 push eax
01007574 |. 8B4424 10 mov eax, dword ptr [esp+10]
01007578 |. 896C24 10 mov dword ptr [esp+10], ebp
0100757C |. 8D6C24 10 lea ebp, dword ptr [esp+10]
01007580 |. 2BE0 sub esp, eax
01007582 |. 53 push ebx
01007583 |. 56 push esi
01007584 |. 57 push edi
01007585 |. 8B45 F8 mov eax, dword ptr [ebp-8]
01007588 |. 8965 E8 mov dword ptr [ebp-18], esp
0100758B |. 50 push eax
0100758C |. 8B45 FC mov eax, dword ptr [ebp-4]
0100758F |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
01007596 |. 8945 F8 mov dword ptr [ebp-8], eax
01007599 |. 8D45 F0 lea eax, dword ptr [ebp-10]
0100759C |. 64:A3 0000000>mov dword ptr fs:[0], eax
010075A2 \. C3 retn
走出retn
code段下一次性内存访问断点,F9
009BA0AE 8B01 mov eax, dword ptr [ecx] ; kernel32.GetModuleHandleA
009BA0B0 02FF add bh, bh
009BA0B2 8B0C24 mov ecx, dword ptr [esp]
009BA0B5 57 push edi
009BA0B6 89E7 mov edi, esp
009BA0B8 80E2 09 and dl, 9
009BA0BB 81C7 04000000 add edi, 4
009BA0C1 E9 EDA40000 jmp 009C45B3
看了好多文章,看了N多动画,到这里就看不懂了。到这一步应该怎样把壳脱下来?