Target program: tElock 0.99 main program
【Title】: Unpacking tElock 0.99
【Author】: hxqlky
【Author's e-mail】: zmunlky@gmail.com
【Author's homepage】: http://www.x5dj.com/hxqlky
【Software name】: tElock9
【Download】: search for it yourself
【Packer】: tElock
【Protection】: tElock
【Tools used】: od, ImportRE
【Author's note】: Just out of interest, no other purpose. Please correct any mistakes!
--------------------------------------------------------------------------------
【Detailed process】
go VirtualProtectEx
7C801ABC 8BF8 mov edi,eax
7C801ABE 85FF test edi,edi
7C801AC0 7C 09 jl short kernel32.7C801ACB
7C801AC2 33C0 xor eax,eax
7C801AC4 40 inc eax
7C801AC5 5F pop edi
7C801AC6 5E pop esi
7C801AC7 5D pop ebp
7C801AC8 C2 1400 retn 14 ; F2 (set a breakpoint here)
Alt+M, set a memory-access breakpoint on 401000
00401000 60 pushad
00401001 E8 00000000 call tElock99.00401006
00401006 5D pop ebp
00401007 57 push edi
00401008 51 push ecx
00401009 8BD7 mov edx,edi
0040100B 56 push esi
0040100C E8 A0040000 call tElock99.004014B1
00401011 5E pop esi
00401012 B0 E8 mov al,0E8
00401014 AA stos byte ptr es:[edi]
00401015 8BC1 mov eax,ecx
00401017 6BC0 04 imul eax,eax,4
0040101A AB stos dword ptr es:[edi]
0040101B 8BC2 mov eax,edx
0040101D 2BD7 sub edx,edi
0040101F F7DA neg edx
00403F7D 60 pushad ; OEP
00403F7E 68 FBE44000 push tElock99.0040E4FB ; ASCII "tElockv098"
00403F83 6A 00 push 0
00403F85 6A 00 push 0
00403F87 E8 425F0000 call tElock99.00409ECE ; follow this call
00403F8C E8 6D5F0000 call tElock99.00409EFE
00403F91 3D B7000000 cmp eax,0B7
00403F96 75 18 jnz short tElock99.00403FB0
00403F98 6A 00 push 0
00403F9A 68 06E54000 push tElock99.0040E506 ; ASCII "Reminder"
00403F9F 68 0FE54000 push tElock99.0040E50F ; ASCII "Another instance of tElock is already running!"
00403FA4 6A 00 push 0
00403FA6 E8 BD5E0000 call tElock99.00409E68
00403FAB E9 08030000 jmp tElock99.004042B8
00403FB0 68 C1424000 push tElock99.004042C1
00403FB5 E8 7A5F0000 call tElock99.00409F34
00403FBA E8 995F0000 call tElock99.00409F58 ; jmp to comctl32.InitCommonControls
00403FBF 6A 00 push 0
00403FC1 E8 445F0000 call tElock99.00409F0A
00920000 E8 0B000000 call 00920010
00920005 F9 stc
00920006 1BC1 sbb eax,ecx
00920008 E9 0C000000 jmp 00920019
0092000D 33C5 xor eax,ebp
0092000F 40 inc eax
00920010 FC cld
00920011 03C1 add eax,ecx
00920013 C3 retn
00920014 3D 99C65A89 cmp eax,895AC699
00920019 B8 1A009200 mov eax,92001A
0092001E EB 02 jmp short 00920022
00920020 CD20 05180000 vxdcall 1805
00920026 008B 00350000 add byte ptr ds:[ebx+3500],cl
00920029 35 00009200 xor eax,920000
0092002E 90 nop ; register EAX now holds the real API
EAX 7C8293AB kernel32.CreateMutexA
ECX 0012FFB0
EDX 00424C51 tElock99.00424C51
EBX 7FFD6000
ESP 0012FF94
EBP 0012FFF0
ESI 00000000
EDI 00000000
EIP 0092002E
0012FF90 7C8293AB kernel32.CreateMutexA
0012FF94 00403F8C 返回到 tElock99.00403F8C 来自 tElock99.00409ECE
0012FF98 00000000
0012FF9C 00000000
0012FFA0 0040E4FB ASCII "tElockv098"
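Following the redirected call in the listing above: from 00920022 the bytes actually execute as add eax,18 / mov eax,[eax] / xor eax,920000 (the vxdcall and add byte ptr lines are OllyDbg showing the same bytes misaligned), so the stub reads an encoded pointer at 00920032 and XORs it with the stub base. The Python emulator below is an added example, not the author's script: it replays only the opcodes this stub uses, takes ECX/EBP from the register dump, and the encoded dword at 00920032 is constructed so the result matches kernel32.CreateMutexA.

```python
import struct

M = 0xFFFFFFFF
EAX, ECX, EBP = 0, 1, 5            # x86 register numbers as encoded in ModRM

# Stub bytes copied from the 00920000 listing above (hex from the dump).
STUB_BASE = 0x00920000
STUB = bytes.fromhex("E80B000000F91BC1E90C00000033C540FC03C1C33D99C65A89"
                     "B81A009200EB02CD2005180000008B00350000920090")
# The encoded dword the stub reads at 00920032 is not in the dump; it is constructed
# here so that (value ^ 0x920000) gives kernel32.CreateMutexA = 7C8293AB.
ENCODED = {0x00920032: 0x7C8293AB ^ 0x00920000}


def run_stub(stub=STUB, base=STUB_BASE, data=ENCODED, stop=0x0092002E):
    """Emulate only the opcodes this stub uses; return EAX once EIP reaches `stop`."""
    mem = {base + i: b for i, b in enumerate(stub)}
    for addr, val in data.items():
        mem.update({addr + i: b for i, b in enumerate(struct.pack("<I", val))})
    rd = lambda a, n, sg=False: int.from_bytes(bytes(mem[a + i] for i in range(n)), "little", signed=sg)
    r = {EAX: 0, ECX: 0x0012FFB0, EBP: 0x0012FFF0}   # ECX/EBP as in the register dump
    cf, stack, eip = 0, [], base
    while eip != stop:
        op = mem[eip]
        if op in (0xE8, 0xE9):                    # call rel32 / jmp rel32
            if op == 0xE8: stack.append(eip + 5)
            eip += 5 + rd(eip + 1, 4, True)
        elif op == 0xEB:                          # jmp short rel8
            eip += 2 + rd(eip + 1, 1, True)
        elif op == 0xC3:                          # retn
            eip = stack.pop()
        elif op in (0x03, 0x1B, 0x33):            # add/sbb/xor r32, r32 (mod=11 only)
            m = mem[eip + 1]; dst, src = (m >> 3) & 7, m & 7
            a, b = r.get(dst, 0), r.get(src, 0)
            r[dst] = {0x03: a + b, 0x1B: a - b - cf, 0x33: a ^ b}[op] & M
            eip += 2
        elif op == 0x8B and mem[eip + 1] == 0x00:  # mov eax, [eax]
            r[EAX] = rd(r[EAX], 4); eip += 2
        elif op in (0x05, 0x35, 0x3D):            # add/xor/cmp eax, imm32 (cmp: flags only)
            imm = rd(eip + 1, 4); eip += 5
            r[EAX] = {0x05: (r[EAX] + imm) & M, 0x35: r[EAX] ^ imm, 0x3D: r[EAX]}[op]
        elif op == 0xB8:                          # mov eax, imm32
            r[EAX] = rd(eip + 1, 4); eip += 5
        elif op == 0x40:                          # inc eax
            r[EAX] = (r[EAX] + 1) & M; eip += 1
        elif op in (0xF9, 0xFC, 0x90):            # stc / cld / nop
            cf = 1 if op == 0xF9 else cf; eip += 1
        else:
            raise ValueError(f"unhandled opcode {op:02X} at {eip:08X}")
    return r[EAX]
```

Calling run_stub() returns 0x7C8293AB, the value EAX holds at 0092002E in the dump; the junk call/stc/sbb sequence and the cmp at 00920014 never influence the result.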
-------------------------------------------------------
0040C068 003F032D
0040C06C 00000000
0040C070 7C8293AB kernel32.CreateMutexA ; after the fix
00409EC8 - FF25 74C04000 jmp dword ptr ds:[40C074]
00409ECE - FF25 70C04000 jmp dword ptr ds:[40C070] ; kernel32.CreateMutexA
00409ED4 - FF25 78C04000 jmp dword ptr ds:[40C078]
00409EDA - FF25 7CC04000 jmp dword ptr ds:[40C07C]
-----------------------------------------------------------------------------------------------
0040C000 77F3EBD7 advapi32.RegSetValueExA ; IAT start
0040C004 77F56D1E advapi32.RegCloseKey
0040C008 77F46A27 advapi32.RegCreateKeyExA
0040C00C 77F3A5E3 advapi32.RegDeleteKeyA
0040C010 77F4E0AE advapi32.RegOpenKeyExA
Fix the redirected API entries with a script.
--------------------------------------------------------------------------------
【Copyright】: This article was originally posted on the 看雪 (Pediy) forum; when reposting, please credit the author and keep the article intact, thanks!
12 September 2009, 19:11:37