[分享]脱壳svkp1.43
发表于:
2009-10-22 17:51
5512
脱壳svkp1.43
【文章标题】: 脱壳svkp1.43
【文章作者】: hxqlky
【作者邮箱】: zmunlky@gmail.com
【作者主页】: http://www.x5dj.com/hxqlky
【软件名称】: unpackme
【下载地址】: 自己搜索下载
【加壳方式】: svkp1.43
【保护方式】: svkp1.43
【编写语言】: delphi
【使用工具】: od,ImportREC
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
00464000 8> 60 PUSHAD 停在这里
00464001 E8 00000000 CALL 8.00464006
00464006 5D POP EBP ; KERNEL32.7C816FE7
00464007 81ED 06000000 SUB EBP,6
0046400D EB 05 JMP SHORT 8.00464014
0046400F B8 49DC1006 MOV EAX,610DC49
00464014 64:A0 23000000 MOV AL,BYTE PTR FS:[23]
0012E3B6 6285 1E220000 BOUND EAX,QWORD PTR SS:[EBP+221E]
0012E3BC EB 02 JMP SHORT 0012E3C0
0012E3BE 0FE88B D1EB02CD PSUBSB MM1,QWORD PTR DS:[EBX+CD02EBD1]
0012E3C5 208B C2EB02CD AND BYTE PTR DS:[EBX+CD02EBC2],CL
0012E3CB 208B 8A401600 AND BYTE PTR DS:[EBX+16408A],CL
0012E3D1 008B 89740100 ADD BYTE PTR DS:[EBX+17489],CL
go GetModuleHandleA
7C80B6B1 K> 8BFF MOV EDI,EDI
7C80B6B3 55 PUSH EBP
7C80B6B4 8BEC MOV EBP,ESP
7C80B6B6 837D 08 00 CMP DWORD PTR SS:[EBP+8],0
7C80B6BA 74 18 JE SHORT KERNEL32.7C80B6D4
7C80B6BC FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C80B6BF E8 C0290000 CALL KERNEL32.7C80E084
7C80B6C4 85C0 TEST EAX,EAX ; KERNEL32.7C800000
7C80B6C6 74 08 JE SHORT KERNEL32.7C80B6D0
7C80B6C8 FF70 04 PUSH DWORD PTR DS:[EAX+4]
7C80B6CB E8 7D2D0000 CALL KERNEL32.GetModuleHandleW
7C80B6D0 5D POP EBP ; 066656B0
7C80B6D1 C2 0400 RETN 4 f2
066656B0 5B POP EBX ; 8.004546DC
066656B1 5E POP ESI ; 8.004546DC
066656B2 5F POP EDI ; 8.004546DC
066656B3 5D POP EBP ; 8.004546DC
066656B4 0BC0 OR EAX,EAX ; KERNEL32.7C800000
066656B6 75 2F JNZ SHORT 066656E7
066656B8 53 PUSH EBX
搜索0F84 62180000
06665784 813B C5B1662D CMP DWORD PTR DS:[EBX],2D66B1C5
0666578A 0F84 62180000 JE 06666FF2 》jmp 06665850
06665790 813B 9404B2D9 CMP DWORD PTR DS:[EBX],D9B20494
06665850 60 PUSHAD
06665851 8B03 MOV EAX,DWORD PTR DS:[EBX]
jmp 06665850
ctrl+s继续搜索特征码 对调这两句
mov dword ptr ds:[edi],eax
popad
go GetModuleHandleA
7C80B6D1 C2 0400 RETN 4 f2
alt+m
下断401000 f9
00450517 E8 AC56FBFF CALL 8.00405BC8 oep near
0045051C A1 04204500 MOV EAX,DWORD PTR DS:[452004]
00450521 8B00 MOV EAX,DWORD PTR DS:[EAX]
00450523 E8 24E5FFFF CALL 8.0044EA4C
00450528 8B0D E0204500 MOV ECX,DWORD PTR DS:[4520E0] ; 8.00453BD0
0045052E A1 04204500 MOV EAX,DWORD PTR DS:[452004]
00450533 8B00 MOV EAX,DWORD PTR DS:[EAX]
还原oep
0012FFA8 0045032C 8.0045032C
0012FFAC 00450517 8.00450517
0012FFB0 066EE159
0045050C > $ 55 push ebp
0045050D . 8BEC mov ebp,esp
0045050F . 83C4 F0 add esp,-10
00450512 . B8 2C034500 mov eax,9.0045032C
55 8B EC 83 C4 F0 B8 2C 03 45 00
00454118 7C93137A z搢 ntdll.RtlDeleteCriticalSection iat 0
0045411C 7C9210E0 ?抾 ntdll.RtlLeaveCriticalSection
ImportREC
00454184 >7C80EDE7 KERNEL32.FindClose
00454188 >7C81CDEA KERNEL32.ExitProcess
0045418C >7C810D97 KERNEL32.WriteFile
ImportREC 显示有一个无效函数,改过来
00454188 ExitProcess
dump 修复可以运行
关闭有两处出错的地方
004039C1 803D 28104500 0>cmp byte ptr ds:[451028],0
004039C8 77 0F ja short 8_dump_.004039D9 改jmp 1
00403C0B BE 6C104500 mov esi,8_dump_.0045106C ; ASCII "Runtime error at 00000000"
00403C10 B1 10 mov cl,10
00403CF5 803D 30104500 0>cmp byte ptr ds:[451030],0
00403CFC 75 13 jnz short 8_dump_.00403D11 改jmp 2
00403CFE 6A 00 push 0
00403D00 68 64104500 push 8_dump_.00451064 ; ASCII "Error"
00403D05 68 6C104500 push 8_dump_.0045106C ; ASCII "Runtime error at 00000000"
保存改动后,保存文件
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!