脱壳ExeCryptor 2.4.1
【文章标题】: 脱壳ExeCryptor 2.4.1
【文章作者】: hxqlky
【作者邮箱】: zmunlky@gmail.com
【作者主页】: http://www.x5dj.com/hxqlky
【软件名称】: ecryptor 2.4.1
【下载地址】: 自己搜索下载
【使用工具】: od,ImpREC 1.7c
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
脱壳工具,和脚本早有了,自己找
载入程序
01078146 E8 2FFFFFFF call UnPackMe.0107807A
0107814B 05 04060000 add eax,604
01078150 FFE0 jmp eax
01078152 E8 04000000 call UnPackMe.0107815B
01078157 FFFF ??? ; Unknown command
01078159 FFFF ??? ; Unknown command
0107815B 5E pop esi
0107815C C3 retn
运行程序,f12
查看threads
Threads
Ident Entry Data block Last error Status Priority User time System time
000004DC 0107813A 7FFDE000 ERROR_SUCCESS (000 Paused 32 + 0 0.2500 s 0.2968 s
000008D4 7C810669 7FFDC000 ERROR_SUCCESS (000 Paused 32 - 15 0.0000 s 0.0000 s
00000C3C 7C810669 7FFDD000 ERROR_SUCCESS (000 Paused 32 - 15 0.0000 s 0.0000 s
00000ECC 7C810669 7FFDB000 ERROR_NO_TOKEN (00 Paused 32 + 0 0.0000 s 0.0000 s
000004DC 0107813A go
0006FF20 |01007511 RETURN to UnPackMe.01007511 from UnPackMe.01002936
0006FF24 |01000000 UnPackMe.01000000
0006FF28 |00000000
0006FF2C |000B235C
01007511 8BF0 MOV ESI,EAX 向上找api MSVCRT.__set_app_type
01007513 8975 C4 MOV DWORD PTR SS:[EBP-3C],ESI
01007516 395D E4 CMP DWORD PTR SS:[EBP-1C],EBX
01007519 75 07 JNZ SHORT UnPackMe.01007522
0100751B 56 PUSH ESI
0100751C FF15 18130001 CALL DWORD PTR DS:[1001318] ; MSVCRT.exit
01007522 FF15 00130001 CALL DWORD PTR DS:[1001300] ; MSVCRT._cexit
010073C0 8139 50450000 CMP DWOTR DS:[ECX],4550 oep near
010073C6 75 12 JNZ SHORT UnPackMe.010073DA
010073C8 0FB741 18 MOVZX EAX,WORD PTR DS:[ECX+18]
010073CC 3D 0B010000 CMP EAX,10B
010073D1 74 1F JE SHORT UnPackMe.010073F2
010073D3 3D 0B020000 CMP EAX,20B
010073D8 74 05 JE SHORT UnPackMe.010073DF
010073DA 895D E4 MOV DWORD PTR SS:[EBP-1C],EBX
010073DD EB 27 JMP SHORT UnPackMe.01007406
010073DF 83B9 84000000 0E CMP DWORD PTR DS:[ECX+84],0E
010073E6 ^ 76 F2 JBE SHORT UnPackMe.010073DA
010073E8 33C0 XOR EAX,EAX
010073EA 3999 F8000000 CMP DWORD PTR DS:[ECX+F8],EBX
010073F0 EB 0E JMP SHORT UnPackMe.01007400
010073F2 8379 74 0E CMP DWORD PTR DS:[ECX+74],0E
010073F6 ^ 76 E2 JBE SHORT UnPackMe.010073DA
010073F8 33C0 XOR EAX,EAX
010073FA 3999 E8000000 CMP DWORD PTR DS:[ECX+E8],EBX
01007400 0F95C0 SETNE AL
01007403 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
01007406 895D FC MOV DWORD PTR SS:[EBP-4],EBX
01007409 6A 02 PUSH 2
0100740B FF15 38130001 CALL DWORD PTR DS:[1001338] ; MSVCRT.__set_app_type
01007411 59 POP ECX ; USER32.77D191BE
01007412 830D 9CAB0001 FF OR DWORD PTR DS:[100AB9C],FFFFFFFF
0100739D - E9 2FB80100 JMP UnPackMe.01022BD1 oep
010073A2 - 0F84 2C520200 JE UnPackMe.0102C5D4
010073A8 - E9 70780200 JMP UnPackMe.0102EC1D
010073AD - E9 4ECC0000 JMP UnPackMe.01014000
010073B2 1E PUSH DS
010073B3 27 DAA
010073B4 FE ??? ; Unknown command
010073B5 9F LAHF
010073B6 3C A9 CMP AL,0A9
010073B8 16 PUSH SS
010073B9 91 XCHG EAX,ECX ; UnPackMe.01000100
010073BA 3F AAS
010073BB 8B48 3C MOV ECX,DWORD PTR DS:[EAX+3C]
010073BE 03C8 ADD ECX,EAX ; UnPackMe.01000000
010073C0 8139 50450000 CMP DWORD PTR DS:[ECX],4550
0006FF04 01028161 UnPackMe.01028161
0006FF08 010073BB UnPackMe.010073BB
0006FF0C 0101E833 UnPackMe.0101E833
0006FF10 01035B5D UnPackMe.01035B5D
0006FF14 01035B66 UnPackMe.01035B66
0006FF18 7C80B6D1 KERNEL32.7C80B6D1
0006FF1C 67542EC1
0006FF20 00000000
0006FF24 0101872E UnPackMe.0101872E
0006FF28 01041418 UnPackMe.01041418
0006FFB0 0006FFE0 Pointer to next SEH record
0006FFB4 010075BA SE handler push
0006FFB8 01001898 UnPackMe.01001898 push
还原6A 70 68 98 18 00 01 E8 BF 01 00 00 33 DB 53 8B 3D CC 10 00 01 FF D7 oep
dump
[培训]《安卓高级研修班(网课)》月薪三万计划,掌
握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
