Could someone help me unpack this small packer?
The program is Yang Haijun's 软件安装管理器 (Software Install Manager). Its UltraProtect packer is now flagged as a virus by Norton, so I want to remove the packer.
I have never played with this stuff before; I tried unpacking a few times and couldn't get it done.
Below is the OEP I found.
I just can't get the dump repaired. I probably got it wrong, which is what you get for not knowing what you're doing, so I'm asking everyone for help :$
I'd be very grateful :victory:
[quote]
004BC034 55 push ebp
004BC035 8BEC mov ebp,esp
004BC037 83C4 E8 add esp,-18
004BC03A 33C0 xor eax,eax
004BC03C 8945 E8 mov dword ptr ss:[ebp-18],eax
004BC03F 8945 EC mov dword ptr ss:[ebp-14],eax
004BC042 B8 D4B94B00 mov eax,SoftInst.004BB9D4
004BC047 E8 8CA8F4FF call SoftInst.004068D8
004BC04C 33C0 xor eax,eax
004BC04E 55 push ebp
004BC04F 68 61F34B00 push SoftInst.004BF361
004BC054 64:FF30 push dword ptr fs:[eax]
004BC057 64:8920 mov dword ptr fs:[eax],esp
004BC05A 60 pushad
004BC05B 6A 05 push 5
004BC05D 6A 00 push 0
004BC05F 6A 00 push 0
004BC061 6A FF push -1
004BC063 E8 C0B3F4FF call SoftInst.00407428
[/quote] It's the program in the attachment :) :L Not a single person at all?
ACProtect 1.32 unpacking walkthrough
It has been so long that I guess the OP has already sorted it out. I registered late, so I only saw this thread a few days ago, but I took it and analysed it anyway. I don't know why I can't upload attachments; I searched for ages and never found the "Upload attachment --> Browse" menu the forum help mentions. Annoying.
So I'll just write the process down.
Load it in OD, hide OD, press Alt+M:
00400000 00001000 SoftInst PE header Imag R RWE
00401000 000BF000 SoftInst CODE code Imag R RWE
004C0000 00004000 SoftInst DATA code,data Imag R RWE
004C4000 00001000 SoftInst BSS code Imag R RWE
004C5000 00003000 SoftInst .idata code Imag R RWE
004C8000 00001000 SoftInst .tls code Imag R RWE
004C9000 00001000 SoftInst .rdata code Imag R RWE
004CA000 0000D000 SoftInst .reloc code Imag R RWE
004D7000 0007E000 SoftInst .rsrc code,resourc Imag R RWE
00555000 0001E000 SoftInst .perplex code,imports Imag R RWE
In the .idata section press F2, [color=red]Shift+F9 [for Delphi and BCB programs]
Note: for VC programs it is the .rdata section[/color]
The program breaks here; single-step trace:
0056983D 8B46 0C mov eax, dword ptr [esi+C]
00569840 0BC0 or eax, eax
00569842 0F84 25020000 je 00569A6D
00569848 8366 0C 00 and dword ptr [esi+C], 0
0056984C 03C2 add eax, edx
0056984E 8BD8 mov ebx, eax
00569850 56 push esi
00569851 57 push edi
00569852 50 push eax
00569853 8BF3 mov esi, ebx
00569855 8BFB mov edi, ebx
00569857 AC lods byte ptr [esi]
00569858 C0C0 03 rol al, 3
0056985B AA stos byte ptr es:[edi]
0056985C 803F 00 cmp byte ptr [edi], 0
0056985F ^ 75 F6 jnz short 00569857
00569861 58 pop eax
00569862 5F pop edi
00569863 5E pop esi
00569864 50 push eax
00569865 FF95 90E24100 call dword ptr [ebp+41E290]
0056986B 0BC0 or eax, eax
0056986D 75 43 jnz short 005698B2
0056986F 90 nop
00569870 90 nop
00569871 90 nop
00569872 90 nop
00569873 53 push ebx
00569874 FF95 94E24100 call dword ptr [ebp+41E294]
0056987A 0BC0 or eax, eax
0056987C 75 34 jnz short 005698B2
0056987E 90 nop
0056987F 90 nop
00569880 90 nop
00569881 90 nop
00569882 8B95 1FFC4000 mov edx, dword ptr [ebp+40FC1F]
00569888 0195 1D1F4000 add dword ptr [ebp+401F1D], edx
0056988E 0195 211F4000 add dword ptr [ebp+401F21], edx
00569894 6A 00 push 0
00569896 FFB5 1D1F4000 push dword ptr [ebp+401F1D]
0056989C FFB5 211F4000 push dword ptr [ebp+401F21]
005698A2 6A 00 push 0
005698A4 FF95 9CE24100 call dword ptr [ebp+41E29C]
005698AA 6A 00 push 0
005698AC FF95 98E24100 call dword ptr [ebp+41E298]
005698B2 60 pushad
005698B3 2BC0 sub eax, eax
005698B5 8803 mov byte ptr [ebx], al
005698B7 43 inc ebx
005698B8 3803 cmp byte ptr [ebx], al
005698BA ^ 75 F9 jnz short 005698B5
005698BC 61 popad
005698BD 8985 17FC4000 mov dword ptr [ebp+40FC17], eax
005698C3 C785 1BFC4000>mov dword ptr [ebp+40FC1B], 0
005698CD 8B95 1FFC4000 mov edx, dword ptr [ebp+40FC1F]
005698D3 8B06 mov eax, dword ptr [esi]
005698D5 0BC0 or eax, eax
005698D7 75 07 jnz short 005698E0
005698D9 90 nop
005698DA 90 nop
005698DB 90 nop
005698DC 90 nop
005698DD 8B46 10 mov eax, dword ptr [esi+10]
005698E0 03C2 add eax, edx
005698E2 0385 1BFC4000 add eax, dword ptr [ebp+40FC1B]
005698E8 8B18 mov ebx, dword ptr [eax]
005698EA 8B7E 10 mov edi, dword ptr [esi+10]
005698ED 03FA add edi, edx
005698EF 03BD 1BFC4000 add edi, dword ptr [ebp+40FC1B]
005698F5 85DB test ebx, ebx
005698F7 0F84 62010000 je 00569A5F
005698FD F7C3 00000080 test ebx, 80000000
00569903 75 1D jnz short 00569922
00569905 90 nop
00569906 90 nop
00569907 90 nop
00569908 90 nop
00569909 03DA add ebx, edx
0056990B 83C3 02 add ebx, 2
0056990E 56 push esi
0056990F 57 push edi
00569910 50 push eax
00569911 8BF3 mov esi, ebx
00569913 8BFB mov edi, ebx
00569915 AC lods byte ptr [esi]
00569916 C0C0 03 rol al, 3
00569919 AA stos byte ptr es:[edi]
0056991A 803F 00 cmp byte ptr [edi], 0
0056991D ^ 75 F6 jnz short 00569915
0056991F 58 pop eax
00569920 5F pop edi
00569921 5E pop esi
00569922 3B9D 1FFC4000 cmp ebx, dword ptr [ebp+40FC1F]
00569928 7C 11 jl short 0056993B
0056992A 90 nop
0056992B 90 nop
0056992C 90 nop
0056992D 90 nop
0056992E 83BD 02244000>cmp dword ptr [ebp+402402], 0
00569935 75 0A jnz short 00569941
00569937 90 nop
00569938 90 nop
00569939 90 nop
0056993A 90 nop
0056993B 81E3 FFFFFF0F and ebx, 0FFFFFFF
00569941 53 push ebx
00569942 FFB5 17FC4000 push dword ptr [ebp+40FC17]
00569948 FF95 8CE24100 call dword ptr [ebp+41E28C]
0056994E 3B9D 1FFC4000 cmp ebx, dword ptr [ebp+40FC1F]
00569954 7C 0F jl short 00569965
00569956 90 nop
00569957 90 nop
00569958 90 nop
00569959 90 nop
0056995A 60 pushad
0056995B 2BC0 sub eax, eax
0056995D 8803 mov byte ptr [ebx], al
0056995F 43 inc ebx
00569960 3803 cmp byte ptr [ebx], al
00569962 ^ 75 F9 jnz short 0056995D
00569964 61 popad
00569965 0BC0 or eax, eax
00569967 ^ 0F84 15FFFFFF je 00569882
0056996D 3B85 9CE24100 cmp eax, dword ptr [ebp+41E29C] <== compares whether it is USER32.MessageBoxA
00569973 74 20 je short 00569995 <== nop it out
00569975 90 nop
00569976 90 nop
00569977 90 nop
00569978 90 nop
00569979 3B85 9D014100 cmp eax, dword ptr [ebp+41019D] <== compares whether it is USER32.RegisterHotKey
0056997F 74 09 je short 0056998A <== nop it out
00569981 90 nop
00569982 90 nop
00569983 90 nop
00569984 90 nop
00569985 EB 14 jmp short 0056999B
00569987 90 nop
00569988 90 nop
00569989 90 nop
0056998A 8D85 0A024100 lea eax, dword ptr [ebp+41020A]
00569990 EB 09 jmp short 0056999B
00569992 90 nop
00569993 90 nop
00569994 90 nop
00569995 8D85 24024100 lea eax, dword ptr [ebp+410224]
0056999B 56 push esi
0056999C FFB5 17FC4000 push dword ptr [ebp+40FC17]
005699A2 5E pop esi
005699A3 39B5 FA234000 cmp dword ptr [ebp+4023FA], esi
005699A9 74 15 je short 005699C0
005699AB 90 nop
005699AC 90 nop
005699AD 90 nop
005699AE 90 nop
005699AF 39B5 FE234000 cmp dword ptr [ebp+4023FE], esi
005699B5 74 09 je short 005699C0
005699B7 90 nop
005699B8 90 nop
005699B9 90 nop
005699BA 90 nop
005699BB EB 63 jmp short 00569A20
005699BD 90 nop
005699BE 90 nop
005699BF 90 nop
005699C0 80BD D2594100>cmp byte ptr [ebp+4159D2], 0
005699C7 74 57 je short 00569A20 <== Magic jump, change it to jmp
005699C9 90 nop
005699CA 90 nop
005699CB 90 nop
005699CC 90 nop
After changing the 3 places above, press Alt+M again: in the CODE section press F2, Shift+F9, ignore one exception, and the program breaks here:
004BC034 55 push ebp <== OEP; [color=red]don't dump yet[/color], because the program has Stolen Code; we first locate the Stolen Code and only then dump
004BC035 8BEC mov ebp, esp
004BC037 83C4 E8 add esp, -18
004BC03A 33C0 xor eax, eax
004BC03C 8945 E8 mov dword ptr [ebp-18], eax
004BC03F 8945 EC mov dword ptr [ebp-14], eax
004BC042 B8 D4B94B00 mov eax, 004BB9D4
004BC047 E8 8CA8F4FF call 004068D8 <== F7 to step into
004BC04C 33C0 xor eax, eax
We arrive here:
004068D8 53 push ebx
004068D9 8BD8 mov ebx, eax
004068DB 33C0 xor eax, eax
004068DD A3 9C004C00 mov dword ptr [4C009C], eax
004068E2 6A 00 push 0
004068E4 E8 2BFFFFFF call 00406814
004068E9 A3 68464C00 mov dword ptr [4C4668], eax
004068EE A1 68464C00 mov eax, dword ptr [4C4668]
004068F3 A3 A8004C00 mov dword ptr [4C00A8], eax
004068F8 33C0 xor eax, eax
004068FA A3 AC004C00 mov dword ptr [4C00AC], eax
004068FF 33C0 xor eax, eax
00406901 A3 B0004C00 mov dword ptr [4C00B0], eax
00406906 E8 C1FFFFFF call 004068CC
0040690B BA A4004C00 mov edx, 004C00A4
00406910 8BC3 mov eax, ebx
00406912 E8 89DAFFFF call 004043A0 <== F7 to step into
00406917 5B pop ebx
00406918 C3 retn
We arrive here:
004043A0 C705 14404C00>mov dword ptr [4C4014], 0040129C
004043AA C705 18404C00>mov dword ptr [4C4018], 004012A4
004043B4 A3 40464C00 mov dword ptr [4C4640], eax
004043B9 33C0 xor eax, eax
004043BB A3 44464C00 mov dword ptr [4C4644], eax
004043C0 8915 48464C00 mov dword ptr [4C4648], edx
004043C6 8B42 04 mov eax, dword ptr [edx+4]
004043C9 A3 30404C00 mov dword ptr [4C4030], eax
004043CE E8 A5FEFFFF call 00404278
004043D3 C605 38404C00>mov byte ptr [4C4038], 0
004043DA E8 51FFFFFF call 00404330 <== F7 to step into
004043DF C3 retn
We arrive here:
00404330 55 push ebp
00404331 8BEC mov ebp, esp
00404333 83C4 F8 add esp, -8
00404336 53 push ebx
00404337 56 push esi
00404338 57 push edi
00404339 BF 38464C00 mov edi, 004C4638
0040433E 8B47 08 mov eax, dword ptr [edi+8]
00404341 85C0 test eax, eax
00404343 74 54 je short 00404399
00404345 8B30 mov esi, dword ptr [eax]
00404347 E8 CA201500 call 00556416 <== the key Stolen Code call, F7 to step into
0040434C E8 C5201500 call 00556416
00404351 55 push ebp
00404352 68 85434000 push 00404385
00404357 64:FF30 push dword ptr fs:[eax]
0040435A 64:8920 mov dword ptr fs:[eax], esp
0040435D 3BF3 cmp esi, ebx
0040435F 7E 1A jle short 0040437B
00404361 8B45 FC mov eax, dword ptr [ebp-4]
00404364 8B04D8 mov eax, dword ptr [eax+ebx*8]
00404367 8945 F8 mov dword ptr [ebp-8], eax
0040436A 43 inc ebx
0040436B 895F 0C mov dword ptr [edi+C], ebx
0040436E 837D F8 00 cmp dword ptr [ebp-8], 0
00404372 74 03 je short 00404377
00404374 FF55 F8 call dword ptr [ebp-8] <== if the code in the 556416 block below is not modified and you dump directly at the OEP, it crashes after a few iterations of this loop
00404377 3BF3 cmp esi, ebx
00404379 ^ 7F E6 jg short 00404361 <== jumps back up
0040437B 33C0 xor eax, eax
Below is the key Stolen Code location:
00556416 60 pushad
00556417 47 inc edi
00556418 66:BA B331 mov dx, 31B3
0055641C FC cld
0055641D D3DF rcr edi, cl
0055641F EB 01 jmp short 00556422
00556421 - E9 85FAE801 jmp 023E5EAB
00556426 0000 add byte ptr [eax], al
00556428 0076 83 add byte ptr [esi-7D], dh
0055642B 04 24 add al, 24
0055642D 06 push es
0055642E C3 retn
0055642F 81EA 209899C6 sub edx, C6999820
00556435 72 03 jb short 0055643A
00556437 73 01 jnb short 0055643A
00556439 9A 668BF8E8 0>call far 0001:E8F88B66
00556440 0000 add byte ptr [eax], al
00556442 ^ 77 83 ja short 005563C7
00556444 C40466 les eax, fword ptr [esi]
00556447 33FA xor edi, edx
00556449 7A 03 jpe short 0055644E
0055644B 7B 01 jpo short 0055644E
0055644D ^ 78 85 js short 005563D4
0055644F FA cli
00556450 7C 03 jl short 00556455
00556452 7D 01 jge short 00556455
00556454 ^ 72 F8 jb short 0055644E
00556456 50 push eax
00556457 E8 01000000 call 0055645D
0055645C ^ 71 83 jno short 005563E1
0055645E C40458 les eax, fword ptr [eax+ebx*2]
00556461 0F8D 01000000 jge 00556468
00556467 FC cld
00556468 E8 01000000 call 0055646E
0055646D ^ 7D 83 jge short 005563F2
0055646F 04 24 add al, 24
00556471 06 push es
00556472 C3 retn
00556473 0F89 04000000 jns 0055647D
00556479 66:BF 4ADD mov di, 0DD4A
0055647D EB 01 jmp short 00556480
0055647F 77 66 ja short 005564E7
00556481 8BFA mov edi, edx
00556483 76 03 jbe short 00556488
00556485 77 01 ja short 00556488
00556487 76 47 jbe short 005564D0
00556489 78 03 js short 0055648E
0055648B 79 01 jns short 0055648E
0055648D EB 66 jmp short 005564F5
0055648F B8 7B4E7203 mov eax, 3724E7B
00556494 73 01 jnb short 00556497
00556496 7D 0F jge short 005564A7
00556498 8105 00000066>add dword ptr [66000000], 663DE781
005564A2 E8 01000000 call 005564A8
005564A7 - E9 83C40447 jmp 475A292F
005564AC 72 03 jb short 005564B1
005564AE 73 01 jnb short 005564B1
005564B0 E8 0F820100 call 0056E6C4
005564B5 0000 add byte ptr [eax], al
005564B7 F8 clc
005564B8 E8 01000000 call 005564BE
005564BD ^ 74 83 je short 00556442
005564BF C40442 les eax, fword ptr [edx+eax*2]
005564C2 E8 01000000 call 005564C8
005564C7 ^ 76 83 jbe short 0055644C
005564C9 04 24 add al, 24
005564CB 06 push es
005564CC C3 retn
005564CD 47 inc edi
005564CE E8 00000000 call 005564D3
005564D3 5D pop ebp
005564D4 8BC5 mov eax, ebp
005564D6 3B45 17 cmp eax, dword ptr [ebp+17]
005564D9 7C 06 jl short 005564E1
005564DB 0345 17 add eax, dword ptr [ebp+17]
005564DE 8945 17 mov dword ptr [ebp+17], eax
005564E1 EB 01 jmp short 005564E4
005564E3 73 66 jnb short 0055654B
005564E5 81C2 CBE168C1 add edx, C168E1CB
005564EB 65:55 push ebp
005564ED 008B C35BEB01 add byte ptr [ebx+1EB5BC3], cl
005564F3 75 66 jnz short 0055655B
005564F5 B8 7F6D6843 mov eax, 43686D7F
005564FA AF scas dword ptr es:[edi]
005564FB 4C dec esp
005564FC B3 66 mov bl, 66
005564FE BF A4925EE8 mov edi, E85E92A4
00556503 0100 add dword ptr [eax], eax
00556505 0000 add byte ptr [eax], al
00556507 ^ 7C 83 jl short 0055648C
00556509 C404E9 les eax, fword ptr [ecx+ebp*8]
0055650C 0900 or dword ptr [eax], eax
0055650E 0000 add byte ptr [eax], al
00556510 F9 stc
00556511 0F85 02000000 jnz 00556519
00556517 D3D7 rcl edi, cl
00556519 B9 2B000000 mov ecx, 2B
0055651E 72 03 jb short 00556523
00556520 73 01 jnb short 00556523
00556522 7B E9 jpo short 0055650D
00556524 07 pop es
00556525 0000 add byte ptr [eax], al
00556527 0081 CAACE9B2 add byte ptr [ecx+B2E9ACCA], al
0055652D 1947 8B sbb dword ptr [edi-75], eax
00556530 2BE8 sub ebp, eax
00556532 0100 add dword ptr [eax], eax
00556534 0000 add byte ptr [eax], al
00556536 ^ 7C 83 jl short 005564BB
00556538 04 24 add al, 24
0055653A 06 push es
0055653B C3 retn
0055653C 8BD7 mov edx, edi
0055653E 33EE xor ebp, esi
00556540 EB 01 jmp short 00556543
00556542 ^ 75 E9 jnz short 0055652D
00556544 0300 add eax, dword ptr [eax]
00556546 0000 add byte ptr [eax], al
00556548 C1D0 63 rcl eax, 63
0055654B C1C5 0F rol ebp, 0F
0055654E EB 01 jmp short 00556551
00556550 7D 47 jge short 00556599
00556552 83C3 04 add ebx, 4
00556555 332B xor ebp, dword ptr [ebx]
00556557 83C3 FC add ebx, -4
0055655A 7A 03 jpe short 0055655F
0055655C 7B 01 jpo short 0055655F
0055655E ^ 77 E9 ja short 00556549
00556560 0800 or byte ptr [eax], al
00556562 0000 add byte ptr [eax], al
00556564 0F89 02000000 jns 0055656C
0055656A 8BC1 mov eax, ecx
0055656C 892B mov dword ptr [ebx], ebp
0055656E EB 01 jmp short 00556571
00556570 71 40 jno short 005565B2
00556572 F9 stc
00556573 81EE 16D922D1 sub esi, D122D916
00556579 7C 03 jl short 0055657E
0055657B 7D 01 jge short 0055657E
0055657D EA E9010000 0>jmp far FC00:000001E9
00556584 83C3 04 add ebx, 4
00556587 E8 01000000 call 0055658D
0055658C ^ 7C 83 jl short 00556511
0055658E 04 24 add al, 24
00556590 06 push es
00556591 C3 retn
00556592 0F8A 01000000 jpe 00556599
00556598 4A dec edx
00556599 8BD0 mov edx, eax
0055659B 83C1 FF add ecx, -1
0055659E ^ 0F85 8BFFFFFF jnz 0055652F
005565A4 72 03 jb short 005565A9
005565A6 73 01 jnb short 005565A9
005565A8 7B E9 jpo short 00556593
005565AA 0900 or dword ptr [eax], eax
005565AC 0000 add byte ptr [eax], al
005565AE 0F84 03000000 je 005565B7
005565B4 66:8BC6 mov ax, si
005565B7 810D 095C5500>or dword ptr [555C09], 58C8A77
005565C1 E8 0CEF0000 call 005654D2 <== this is the one we need
005565C6 8B4424 20 mov eax, dword ptr [esp+20]
005565CA 33C9 xor ecx, ecx
005565CC 8B9C8D 693240>mov ebx, dword ptr [ebp+ecx*4+403269]
005565D3 039D 1FFC4000 add ebx, dword ptr [ebp+40FC1F]
005565D9 3BC3 cmp eax, ebx
005565DB 74 07 je short 005565E4
005565DD 90 nop
005565DE 90 nop
005565DF 90 nop
005565E0 90 nop
005565E1 41 inc ecx
005565E2 ^ EB E8 jmp short 005565CC
005565E4 8DB5 49614000 lea esi, dword ptr [ebp+406149]
005565EA B8 0A000000 mov eax, 0A
005565EF F7E1 mul ecx
005565F1 03F0 add esi, eax
005565F3 8DBD EF1B4000 lea edi, dword ptr [ebp+401BEF]
005565F9 0FB6840D B126>movzx eax, byte ptr [ebp+ecx+4026B1]
00556601 FEC0 inc al
00556603 88840D B12640>mov byte ptr [ebp+ecx+4026B1], al
0055660A 3C 20 cmp al, 20
0055660C 75 13 jnz short 00556621 <== change to jmp
0055660E 90 nop
0055660F 90 nop
00556610 90 nop
00556611 90 nop
00556612 8BBD 23FC4000 mov edi, dword ptr [ebp+40FC23]
00556618 B8 0A000000 mov eax, 0A
0055661D F7E1 mul ecx
0055661F 03F8 add edi, eax
00556621 8A9D 06244000 mov bl, byte ptr [ebp+402406]
00556627 B9 0A000000 mov ecx, 0A
0055662C AC lods byte ptr [esi]
0055662D 32C3 xor al, bl
0055662F AA stos byte ptr es:[edi]
00556630 ^ E2 FA loopd short 0055662C
00556632 83EF 0A sub edi, 0A
00556635 57 push edi
00556636 8DB5 EF1B4000 lea esi, dword ptr [ebp+401BEF]
0055663C 33F7 xor esi, edi
0055663E 74 19 je short 00556659
00556640 90 nop
00556641 90 nop
00556642 90 nop
00556643 90 nop
00556644 8B7424 24 mov esi, dword ptr [esp+24]
00556648 83EE 04 sub esi, 4
0055664B AD lods dword ptr [esi]
0055664C 81EF 16244000 sub edi, 00402416
00556652 2BFD sub edi, ebp
00556654 03C7 add eax, edi
00556656 8946 FC mov dword ptr [esi-4], eax
00556659 5F pop edi
0055665A 57 push edi
0055665B 33C9 xor ecx, ecx
0055665D 83F9 08 cmp ecx, 8
00556660 74 0E je short 00556670
00556662 90 nop
00556663 90 nop
00556664 90 nop
00556665 90 nop
00556666 8B448C 04 mov eax, dword ptr [esp+ecx*4+4]
0055666A 89048C mov dword ptr [esp+ecx*4], eax
0055666D 41 inc ecx
0055666E ^ EB ED jmp short 0055665D
00556670 893C8C mov dword ptr [esp+ecx*4], edi
00556673 60 pushad
00556674 E8 00000000 call 00556679 <== start nopping from here
00556679 5E pop esi
0055667A 83EE 06 sub esi, 6
0055667D B9 B2000000 mov ecx, 0B2
00556682 29CE sub esi, ecx
00556684 BA A7119563 mov edx, 639511A7
00556689 C1E9 02 shr ecx, 2
0055668C 83E9 02 sub ecx, 2
0055668F 83F9 00 cmp ecx, 0
00556692 7C 1A jl short 005566AE
00556694 8B048E mov eax, dword ptr [esi+ecx*4]
00556697 8B5C8E 04 mov ebx, dword ptr [esi+ecx*4+4]
0055669B 33C3 xor eax, ebx
0055669D C1C8 0F ror eax, 0F
005566A0 33C2 xor eax, edx
005566A2 81C2 16D922D1 add edx, D122D916
005566A8 89048E mov dword ptr [esi+ecx*4], eax
005566AB 49 dec ecx
005566AC ^ EB E1 jmp short 0055668F <== nop all the way to here
005566AE 61 popad
005566AF 61 popad
005566B0 C3 retn
After making the modifications above, go back and look at 556416:
00556416 60 pushad
00556417 47 inc edi
00556418 66:BA B331 mov dx, 31B3
0055641C FC cld
0055641D D3DF rcr edi, cl
0055641F EB 01 jmp short 00556422 <== don't forget to come back and change this to jmp 005565C1
Once the modifications above are done, dump directly with OD's built-in OllyDump, enter BC034 as the OEP; no import repair is needed.
[color=red]For the part above you can refer to wynney's highlighted post on PEDIY (看雪学院), 《ACProtect 1.32之Code Replace的简单处理》 (Simple handling of ACProtect 1.32 Code Replace)
[url=http://bbs.pediy.com/showthread.php?t=41570&tcatid=15]http://bbs.pediy.com/showthread.php?t=41570&tcatid=15[/url][/color]
Thanks to wynney's tutorial, which saved me a lot of detours :)
Run it: error! Besides API redirection and Stolen Code, this program also checks whether the program entry point lies in the .perplex section.
Load the dumped program in OD and run it to see where it fails: it reports that 025DFFFF is not readable. No way around it; from here on it is manual labour. Single-step from the entry point all the way until
here:
004BDEF4 C3 retn <== this retn returns into the error; remember this address
Let's look at the register state and the stack at this moment:
EAX 00000000
ECX 004BE2B2 unpack.004BE2B2
EDX 004BF6FE unpack.004BF6FE
EBX 004BE301 unpack.004BE301
[color=red]ESP 0012FF5C[/color]
EBP B9BB0001
ESI 0012FF54
EDI DE5A9781
EIP 004BDEF4 unpack.004BDEF4
0012FF4C 004BE301 unpack.004BE301
0012FF50 004BF6FE unpack.004BF6FE
0012FF54 004BE2B2 unpack.004BE2B2
0012FF58 00000000
0012FF5C 025DFFFF <== it returns to this address, which of course fails
0012FF60 3406CED2
0012FF64 0012FF78 返回到 0012FF78 来自 005EE39D
0012FF68 00000000
0012FF6C 68366694
0012FF70 E8C36158
0012FF74 004BE425 unpack.004BE425
0012FF78 004BE429 unpack.004BE429
Now load the original, still-packed program in OD, run directly to the OEP, then press Ctrl+G, enter 4BDEF4 and click OK
004BCEF4 4C dec esp <== set a memory write breakpoint here, Shift+F9
The program breaks here:
004BC4F4 8908 mov dword ptr [eax], ecx <== breaks on this instruction, press F8
004BC4F6 E8 01000000 call 004BC4FC
Then press Ctrl+G again, enter 4BDEF4, click OK; the code at 4BDEF4 has become
004BDEF4 C3 retn <== press F4 here and observe the registers and the stack
EAX 004BF6FE SoftInst.004BF6FE
ECX 004BE301 SoftInst.004BE301
EDX 00000000
EBX B9BB0001
[color=red]ESP 0012FF54[/color]
EBP DE5A9781
ESI 004BF6FB SoftInst.004BF6FB
EDI 9005EBA5
EIP 004BDEF4 SoftInst.004BDEF4
0012FF4C 004BE301 SoftInst.004BE301
0012FF50 004BF6FE SoftInst.004BF6FE
0012FF54 004BE2B2 返回到 SoftInst.004BE2B2 来自 SoftInst.004BDC87
0012FF58 00000000
0012FF5C 025DFFFF
0012FF60 3406CED2
0012FF64 0012FF78 返回到 0012FF78 来自 005EE39D
0012FF68 00000000
0012FF6C 68366694
0012FF70 E8C36158
0012FF74 004BE425 SoftInst.004BE425
0012FF78 004BE429 返回到 SoftInst.004BE429 来自 SoftInst.004BE102
The ESP value of the unpacked program and that of the original differ by 8, while the stack contents are identical; but when retn executes, the return address it uses is the one at ESP.
Load the unpacked program in OD once more, Ctrl+G, enter 4BDEF4, click OK, set a memory write breakpoint, Shift+F9; the program breaks here:
004BC4F4 8908 mov dword ptr [eax], ecx <== F8 here
Then Ctrl+G, enter 4bdef4, click OK, then search upward and arrive here
004BDEB2 90 nop
004BDEB3 90 nop
004BDEB4 90 nop
004BDEB5 58 pop eax
004BDEB6 59 pop ecx
004BDEB7 60 pushad <== press F2 here, Shift+F9
After the break the code looks like this:
004BDE70 89B5 DC184000 mov dword ptr [ebp+4018DC], esi
004BDE76 8BFE mov edi, esi
004BDE78 03FA add edi, edx
004BDE7A 8B47 50 mov eax, dword ptr [edi+50]
004BDE7D 03C6 add eax, esi
004BDE7F 8985 D4184000 mov dword ptr [ebp+4018D4], eax
004BDE85 8B47 1C mov eax, dword ptr [edi+1C]
004BDE88 03C6 add eax, esi
004BDE8A 05 00010000 add eax, 100
004BDE8F 8985 D8184000 mov dword ptr [ebp+4018D8], eax
004BDE95 8B47 28 mov eax, dword ptr [edi+28]
004BDE98 3B85 CC184000 cmp eax, dword ptr [ebp+4018CC] <== eax=BC034, compared against the OEP; equal means the program has been unpacked, and taking the jump leads to the error
004BDE9E 74 15 je short 004BDEB5
004BDEA0 90 nop
004BDEA1 90 nop
004BDEA2 90 nop
004BDEA3 90 nop
004BDEA4 3B85 D0184000 cmp eax, dword ptr [ebp+4018D0] <== [ebp+4018D0]=155000, the entry point before unpacking
004BDEAA 75 09 jnz short 004BDEB5 <== not equal is wrong as well; devious enough
004BDEAC 90 nop
004BDEAD 90 nop
004BDEAE 90 nop
004BDEAF 90 nop
004BDEB0 EB 05 jmp short 004BDEB7
004BDEB2 90 nop
004BDEB3 90 nop
004BDEB4 90 nop
004BDEB5 58 pop eax <== when unpacked it jumps here and tampers with ESP, so this has to be nopped too
004BDEB6 59 pop ecx <== nop it out
004BDEB7 60 pushad <== breaks here
004BDEB8 E8 00000000 call 004BDEBD <== the code from here to 004BDEF0 should look familiar: we already nopped identical code once earlier. To explain: its job is to encrypt part of the code before 004BDEB2, so nop it out as well
004BDEBD 5E pop esi
004BDEBE 83EE 06 sub esi, 6
004BDEC1 B9 85000000 mov ecx, 85
004BDEC6 29CE sub esi, ecx
004BDEC8 BA C2360020 mov edx, 200036C2
004BDECD C1E9 02 shr ecx, 2
004BDED0 83E9 02 sub ecx, 2
004BDED3 83F9 00 cmp ecx, 0
004BDED6 7C 1A jl short 004BDEF2
004BDED8 8B048E mov eax, dword ptr [esi+ecx*4]
004BDEDB 8B5C8E 04 mov ebx, dword ptr [esi+ecx*4+4]
004BDEDF 33C3 xor eax, ebx
004BDEE1 C1C8 11 ror eax, 11
004BDEE4 2BC2 sub eax, edx
004BDEE6 81EA BF605ABE sub edx, BE5A60BF
004BDEEC 89048E mov dword ptr [esi+ecx*4], eax
004BDEEF 49 dec ecx
004BDEF0 ^ EB E1 jmp short 004BDED3 <== nop up to here
004BDEF2 61 popad
004BDEF3 61 popad
004BDEF4 C3 retn
Now we know how to modify it, but at this point we [color=Red]must not modify yet![/color], because the program has already run to this point, and earlier on there are still hidden traps we have not bypassed.
Reload the unpacked file in OD, set a memory write breakpoint on 4BDEF4, it breaks at 004BC4F4, then single-step and let the program decode itself
004BC4F4 8908 mov dword ptr [eax], ecx <== single-step from here
004BC4F6 E8 01000000 call 004BC4FC
004BC4FB EA 83C404E9 0>jmp far 0002:E904C483
004BC502 0000 add byte ptr [eax], al
004BC504 85FE test esi, edi
004BC506 81ED 109A4A38 sub ebp, 384A9A10
004BC50C 50 push eax
004BC50D E8 01000000 call 004BC513
004BC512 EA 83C40458 6>jmp far C166:5804C483
004BC519 FE ???
004BC51A BC 81E8FCFF mov esp, FFFCE881
004BC51F FFFF ???
004BC521 78 03 js short 004BC526
004BC523 79 01 jns short 004BC526
004BC525 ^ 75 D3 jnz short 004BC4FA
004BC527 C2 83EB retn 0EB83
004BC52A 010F add dword ptr [edi], ecx
004BC52C 857A FF test dword ptr [edx-1], edi
004BC52F FFFF ???
004BC531 E8 01000000 call 004BC537 <== decoding comes to a halt here; this is the spot we need
Leave the program stopped here and don't touch it; go back to the program entry and see where the decoding starts:
004BC034 > 55 push ebp
004BC035 8BEC mov ebp, esp
004BC037 83C4 E8 add esp, -18
004BC03A 33C0 xor eax, eax
004BC03C 8945 E8 mov dword ptr [ebp-18], eax
004BC03F 8945 EC mov dword ptr [ebp-14], eax
004BC042 B8 D4B94B00 mov eax, 004BB9D4
004BC047 E8 8CA8F4FF call 004068D8
004BC04C 33C0 xor eax, eax
004BC04E 55 push ebp
004BC04F 68 61F34B00 push 004BF361
004BC054 64:FF30 push dword ptr fs:[eax]
004BC057 64:8920 mov dword ptr fs:[eax], esp
004BC05A 60 pushad
004BC05B 6A 05 push 5
004BC05D 6A 00 push 0
004BC05F 6A 00 push 0
004BC061 6A FF push -1
004BC063 E8 C0B3F4FF call <jmp.&USER32.MessageBoxA>
004BC068 61 popad
004BC069 90 nop
004BC06A 60 pushad
004BC06B 40 inc eax
004BC06C 46 inc esi
004BC06D E8 01000000 call 004BC073 <== decoding starts here, so change this to jmp 004BC531
004BC072 ^ 77 83 ja short 004BBFF7
004BC074 04 24 add al, 24
004BC076 06 push es
004BC077 C3 retn
004BC078 66:D3D3 rcl bx, cl
004BC07B 50 push eax
004BC07C E8 01000000 call 004BC082
004BC081 ^ 77 83 ja short 004BC006
Then Ctrl+G again, enter 4BDEF4, click OK, search upward and arrive here
004BDEB5 58 pop eax
004BDEB6 59 pop ecx
004BDEB7 60 pushad
Starting at 004BDEB5, except for the pushad at 004BDEB7, which is kept, nop out all the code up to 004BDEF0 jmp short 004BDED3!
Then go to the data window and enter the command: D 4BC06D, select all the data from 4BC06D to 4BF3BF, then right-click ---> Copy to executable
A window pops up; close it, it asks whether to save, choose Yes, then pick the filename of your unpacked file and save! Then run it: unpacking succeeded!
A note: 4BC06D is the earliest place in the program that you modified. As for why the selection runs all the way to 4BF3BF: the unpacked program still has to decode itself, and the places we modified are already decoded, so the program in memory differs from the one in the file. I basically selected from beginning to end (after 4BF3BF it is all zeros) to avoid mistakes!
Thanks for the hard work, brother above......
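Added example, not code from the thread or from ACProtect itself: a Python reimplementation of two routines the listings above show, the rol-3 import-name decoder at 00569857 and the dword mixing loop at 00556674 / 004BDEB8 (constants taken from the listing), plus the inverse an analyst needs to restore such a region in a dump. The function names, the arith flag and the sample buffer are my own.

```python
import struct

MASK = 0xFFFFFFFF


def ror32(v, n):
    return ((v >> n) | (v << (32 - n))) & MASK


def rol32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def decode_api_name(buf):
    """Loop at 00569857: lods / rol al,3 / stos until the next byte is 0.
    Returns the plain ASCII import name the packer then resolves."""
    out = bytearray()
    for b in buf:
        if b == 0:
            break
        out.append(((b << 3) | (b >> 5)) & 0xFF)
    return out.decode("ascii")


def encode_api_name(name):
    # Inverse of the rol 3 (rotate right by 3); only used to build test data.
    return bytes(((b >> 3) | (b << 5)) & 0xFF for b in name.encode()) + b"\0"


def dword_count(ecx_imm):
    """shr ecx,2 / sub ecx,2 / loop while ecx >= 0 touches ecx+1 dwords."""
    return (ecx_imm >> 2) - 2 + 1


def scramble_region(buf, start, count, key, delta, rot, arith):
    """Forward loop. 00556674: arith=False (xor eax,edx / add edx,delta);
    004BDEB8: arith=True (sub eax,edx / sub edx,delta). It walks downward,
    so each dword is mixed with its already-scrambled right neighbour."""
    data = bytearray(buf)
    for i in range(count - 1, -1, -1):
        off = start + i * 4
        cur, nxt = struct.unpack_from("<II", data, off)
        v = ror32(cur ^ nxt, rot)
        if arith:
            v, key = (v - key) & MASK, (key - delta) & MASK
        else:
            v, key = v ^ key, (key + delta) & MASK
        struct.pack_into("<I", data, off, v)
    return bytes(data)


def unscramble_region(buf, start, count, key, delta, rot, arith):
    """Inverse for a dump: must walk upward so the scrambled right neighbour
    is still in place when dword i is undone. Dword i was handled at step
    count-1-i of the forward loop, which fixes the key it was mixed with."""
    data = bytearray(buf)
    for i in range(count):
        k = count - 1 - i
        step_key = ((key - k * delta) if arith else (key + k * delta)) & MASK
        off = start + i * 4
        cur, nxt = struct.unpack_from("<II", data, off)
        v = (cur + step_key) & MASK if arith else cur ^ step_key
        struct.pack_into("<I", data, off, rol32(v, rot) ^ nxt)
    return bytes(data)


if __name__ == "__main__":
    # Constructed sample region; the real one starts at 005565C1 in the packed file.
    blob = bytes(range(256)) * 2
    n = dword_count(0xB2)
    enc = scramble_region(blob, 0x10, n, 0x639511A7, 0xD122D916, 0x0F, False)
    assert unscramble_region(enc, 0x10, n, 0x639511A7, 0xD122D916, 0x0F, False) == blob
    print("round trip ok, decoded name:", decode_api_name(encode_api_name("MessageBoxA")))
```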