Unpacking yoda's Crypter V1.2: Notepad on Win98 and WinXP
Download page: http://www.pediy.com/code/code.htm
I downloaded it some time ago; I just noticed that 看雪 (pediy) has it for download too.
【Software description】: This is a small PE crypter with some nice protection options.
【Author's note】: I'm a beginner at cracking and am only doing this out of interest, for no other purpose. Corrections from the experts are welcome!
【Tools】: OllyDbg 1.09, PEiD, LordPE, ImportREC
—————————————————————————————————
【Process】:
I don't have a program packed with yoda's Crypter V1.2 on hand, so I packed the Notepad that ships with Windows for this experiment.
Softice detection, Anti Debug API's, Erase PE Header, Anti Process Dumping, CRC checking, Delete Import Information, API Redirection: with all of these options enabled, packing the Win98 Notepad.exe took it from 52K to 54.5K.
A little debugging shows that it is almost identical to the EXEStealth packer. Heh :-)
I've seen a Deyoda's Crypter v1.2 unpacker that supports yoda's Crypter v1.2, but I haven't tried it.
—————————————————————————————————
1. Unpacking under Win98
Manual unpacking with OllyDbg, the usual routine: after loading, OD asks "Compressed code: do you want to continue analysis?"; click "No".
0040D060 60 pushad
====> OD breaks here on load (the packer's entry point)!
0040D061 E8 00000000 call NOTEPAD.0040D066
====> A disguised JMP: the call to the very next instruction pushes the return address, which 0040D066 pops into ebp (the delta-offset trick). Step into it with F7.
0040D066 5D pop ebp
0040D067 81ED F31D4000 sub ebp,NOTEPAD.00401DF3
0040D06D B9 7B090000 mov ecx,97B
0040D072 8DBD 3B1E4000 lea edi,dword ptr ss:[ebp+401E3B]
0040D078 8BF7 mov esi,edi
====> ecx = 97Bh bytes starting at ebp+401E3B are decrypted in place by the loop below (lods ... stos ... loop); the clc/stc pairs inside it set a flag that nothing reads.
0040D07A AC lods byte ptr ds:[esi]
0040D07B F8 clc
0040D07C 2C 7D sub al,7D
0040D07E F9 stc
0040D07F C0C0 20 rol al,20
0040D082 2C 4B sub al,4B
0040D084 C0C0 68 rol al,68
0040D087 EB 01 jmp short NOTEPAD.0040D08A
====> Note where this jumps to!
0040D089 E9 F92C54EB jmp EB94FD87
====> Junk byte (anti-disassembly): the short jmp lands at 0040D08A, inside this bogus 5-byte jmp, so the E9 byte is never executed. Change E9 to 90 so OD disassembles the real code.
0040D089 90 nop // after the patch
0040D08A F9 stc
0040D08B 2C 54 sub al,54
0040D08D EB 01 jmp short NOTEPAD.0040D090
====> Note where this jumps to!
0040D08F |C2 F8C0 retn 0C0F8
====> Junk byte again (the jmp lands at 0040D090, past the C2)! Change C2 to 90.
0040D08F 90 nop // after the patch
0040D090 F8 clc
0040D091 C0C0 9A rol al,9A
0040D094 02C1 add al,cl
0040D096 C0C0 7A rol al,7A
0040D099 C0C0 2F rol al,2F
0040D09C C0C0 13 rol al,13
0040D09F 04 E2 add al,0E2
0040D0A1 C0C8 D3 ror al,0D3
0040D0A4 F8 clc
0040D0A5 C0C0 7C rol al,7C
0040D0A8 F8 clc
0040D0A9 2C 7D sub al,7D
0040D0AB AA stos byte ptr es:[edi]
0040D0AC ^ E2 CC loopd short NOTEPAD.0040D07A
====> Put the cursor on the next line and press F4 (run to selection) to get out of the LOOP.
0040D0AE 8B4424 20 mov eax,dword ptr ss:[esp+20]
====> Next time you can F4 straight to here! :-)
0040D0B2 40 inc eax
0040D0B3 78 0A js short NOTEPAD.0040D0BF
====> Jumps.
0040D0B5 C785 78254000 010>mov dword ptr ss:[ebp+402578],1
0040D0BF 8D85 ED1D4000 lea eax,dword ptr ss:[ebp+401DED]
0040D0C5 B9 2A060000 mov ecx,62A
0040D0CA E8 41020000 call NOTEPAD.0040D310
====> Step over this CALL with F8.
0040D0CF 8985 74254000 mov dword ptr ss:[ebp+402574],eax
0040D0D5 8B85 6C254000 mov eax,dword ptr ss:[ebp+40256C]
0040D0DB 83E0 01 and eax,1
0040D0DE 74 40 je short NOTEPAD.0040D120
0040D0E0 8DB5 E4264000 lea esi,dword ptr ss:[ebp+4026E4]
0040D0E6 8D85 9A1E4000 lea eax,dword ptr ss:[ebp+401E9A]
0040D0EC 8946 08 mov dword ptr ds:[esi+8],eax
0040D0EF 8BFD mov edi,ebp
0040D0F1 8D85 02254000 lea eax,dword ptr ss:[ebp+402502]
0040D0F7 33DB xor ebx,ebx
0040D0F9 50 push eax
0040D0FA 64:FF33 push dword ptr fs:[ebx]
0040D0FD 64:8923 mov dword ptr fs:[ebx],esp
0040D100 BD 4B484342 mov ebp,4243484B
0040D105 66:B8 0400 mov ax,4
0040D109 EB 01 jmp short NOTEPAD.0040D10C
====> Note where this jumps to!
0040D10B FFCC dec esp
====> Patch: change FFCC to 9090. (Strictly this is not junk: the jmp lands on the CC byte, which executes as int 3. With ebp=4243484B, the string 'BCHK', and ax=4 this is the classic SoftICE interrupt-3 backdoor check: with SoftICE loaded al comes back changed, without it the int 3 raises an exception that the handler installed at 0040D0F9-0040D0FD resumes from, leaving al=4. The two nops give the same al=4 result, so the je at 0040D119 is taken.)
0040D10B 90 nop // after the patch
0040D10C 90 nop // after the patch
0040D10D 8BEF mov ebp,edi
0040D10F 33DB xor ebx,ebx
0040D111 64:8F03 pop dword ptr fs:[ebx]
0040D114 83C4 04 add esp,4
0040D117 3C 04 cmp al,4
0040D119 74 05 je short NOTEPAD.0040D120
====> Jumps! Note the target!
0040D11D - E9 61C38B85 jmp 85CC9483
====> Junk byte! Change E9 to 90 (the je skips it and lands at 0040D120, inside this bogus instruction).
0040D11D 90 nop // after the patch
0040D11E 61 popad
0040D11F C3 retn
0040D120 8B85 64254000 mov eax,dword ptr ss:[ebp+402564]
====> 0040D119 jumps here!
0040D126 0340 3C add eax,dword ptr ds:[eax+3C]
0040D129 05 80000000 add eax,80
0040D12E 8B08 mov ecx,dword ptr ds:[eax]
0040D130 038D 64254000 add ecx,dword ptr ss:[ebp+402564]
0040D136 83C1 10 add ecx,10
0040D139 8B01 mov eax,dword ptr ds:[ecx]
0040D13B 0385 64254000 add eax,dword ptr ss:[ebp+402564]
0040D141 8B18 mov ebx,dword ptr ds:[eax]
0040D143 899D F0264000 mov dword ptr ss:[ebp+4026F0],ebx
0040D149 83C0 04 add eax,4
0040D14C 8B18 mov ebx,dword ptr ds:[eax]
0040D14E 899D F4264000 mov dword ptr ss:[ebp+4026F4],ebx
0040D154 8D85 F8264000 lea eax,dword ptr ss:[ebp+4026F8]
0040D15A 50 push eax
0040D15B FF95 F0264000 call dword ptr ss:[ebp+4026F0]
====> 0040D120-0040D14E walk the PE header of the image at [ebp+402564]: +3C is e_lfanew, PE+80 is the Import Directory RVA in the data directory, descriptor+10 is FirstThunk, so [ebp+4026F0] and [ebp+4026F4] receive the first two entries of Notepad's own IAT. The first is called here with a string pointer (ebp+4026F8) and its result kept in esi; the calls to 0040D20A below then fill the table ebp+40271A..ebp+4027A0 with the addresses that the stub calls later.
0040D161 8BF0 mov esi,eax
0040D163 8985 05274000 mov dword ptr ss:[ebp+402705],eax
0040D169 8D85 09274000 lea eax,dword ptr ss:[ebp+402709]
0040D16F E8 96000000 call NOTEPAD.0040D20A
0040D174 8985 1A274000 mov dword ptr ss:[ebp+40271A],eax
0040D17A 8D85 1E274000 lea eax,dword ptr ss:[ebp+40271E]
0040D180 E8 85000000 call NOTEPAD.0040D20A
0040D185 8985 2D274000 mov dword ptr ss:[ebp+40272D],eax
0040D18B 8D85 31274000 lea eax,dword ptr ss:[ebp+402731]
0040D191 E8 74000000 call NOTEPAD.0040D20A
0040D196 8985 44274000 mov dword ptr ss:[ebp+402744],eax
0040D19C 8D85 48274000 lea eax,dword ptr ss:[ebp+402748]
0040D1A2 E8 63000000 call NOTEPAD.0040D20A
0040D1A7 8985 54274000 mov dword ptr ss:[ebp+402754],eax
0040D1AD 8D85 58274000 lea eax,dword ptr ss:[ebp+402758]
0040D1B3 E8 52000000 call NOTEPAD.0040D20A
0040D1B8 8985 64274000 mov dword ptr ss:[ebp+402764],eax
0040D1BE 8D85 68274000 lea eax,dword ptr ss:[ebp+402768]
0040D1C4 E8 41000000 call NOTEPAD.0040D20A
0040D1C9 8985 73274000 mov dword ptr ss:[ebp+402773],eax
0040D1CF 8D85 77274000 lea eax,dword ptr ss:[ebp+402777]
0040D1D5 E8 30000000 call NOTEPAD.0040D20A
0040D1DA 8985 80274000 mov dword ptr ss:[ebp+402780],eax
0040D1E0 8D85 84274000 lea eax,dword ptr ss:[ebp+402784]
0040D1E6 E8 1F000000 call NOTEPAD.0040D20A
0040D1EB 8985 90274000 mov dword ptr ss:[ebp+402790],eax
0040D1F1 8D85 94274000 lea eax,dword ptr ss:[ebp+402794]
0040D1F7 E8 0E000000 call NOTEPAD.0040D20A
0040D1FC 8985 A0274000 mov dword ptr ss:[ebp+4027A0],eax
0040D202 8D85 A01F4000 lea eax,dword ptr ss:[ebp+401FA0]
0040D208 50 push eax
0040D209 C3 retn
====> Returns to 0040D213 (0040D208-0040D209 push ebp+401FA0 = 0040D213 and retn, another disguised jmp).
0040D213 F785 6C254000 100>test dword ptr ss:[ebp+40256C],10
0040D21D 74 37 je short NOTEPAD.0040D256
0040D21F 64:FF35 30000000 push dword ptr fs:[30]
0040D226 58 pop eax
0040D227 85C0 test eax,eax
0040D229 78 0F js short NOTEPAD.0040D23A
====> Jumps. (fs:[30] holds the PEB pointer on NT, but on Win9x the value there has the sign bit set, so this js tells the two platforms apart; the block that follows is the Win9x-only path.)
0040D23A 6A 00 push 0
0040D23C FF95 1A274000 call dword ptr ss:[ebp+40271A]
0040D242 85D2 test edx,edx
0040D244 79 10 jns short NOTEPAD.0040D256
0040D246 837A 08 FF cmp dword ptr ds:[edx+8],-1
0040D24A 75 0A jnz short NOTEPAD.0040D256
0040D24C 8B52 04 mov edx,dword ptr ds:[edx+4]
0040D24F C742 50 00100000 mov dword ptr ds:[edx+50],1000
0040D256 8BBD 64254000 mov edi,dword ptr ss:[ebp+402564]
0040D25C 037F 3C add edi,dword ptr ds:[edi+3C]
0040D25F 8BB5 64254000 mov esi,dword ptr ss:[ebp+402564]
0040D265 8B4F 54 mov ecx,dword ptr ds:[edi+54]
0040D268 8D85 D2274000 lea eax,dword ptr ss:[ebp+4027D2]
0040D26E 50 push eax
0040D26F 6A 04 push 4
0040D271 51 push ecx
0040D272 FFB5 64254000 push dword ptr ss:[ebp+402564]
0040D278 FF95 2D274000 call dword ptr ss:[ebp+40272D]
====> Argument pattern of VirtualProtect(ImageBase, SizeOfHeaders ([edi+54]), PAGE_READWRITE (4), &old): the PE header is made writable.
0040D27E F785 6C254000 080>test dword ptr ss:[ebp+40256C],8
0040D288 0F84 A7000000 je NOTEPAD.0040D335
0040D28E 68 04010000 push 104
0040D293 8DBD D2274000 lea edi,dword ptr ss:[ebp+4027D2]
0040D299 57 push edi
0040D29A 6A 00 push 0
0040D29C FF95 44274000 call dword ptr ss:[ebp+402744]
====> Argument pattern of GetModuleFileNameA(NULL, buf, 104h = MAX_PATH): fetches the path of the packed file.
0040D2A2 6A 00 push 0
0040D2A4 68 80000000 push 80
0040D2A9 6A 03 push 3
0040D2AB 6A 00 push 0
0040D2AD 6A 01 push 1
0040D2AF 68 00000080 push 80000000
0040D2B4 57 push edi
0040D2B5 FF95 54274000 call dword ptr ss:[ebp+402754]
====> Argument pattern of CreateFileA(path, GENERIC_READ (80000000), FILE_SHARE_READ (1), NULL, OPEN_EXISTING (3), FILE_ATTRIBUTE_NORMAL (80), NULL): the stub reopens its own file on disk.
0040D2BB 83F8 FF cmp eax,-1
====> Change the return value in EAX to FFFFFFFF (INVALID_HANDLE_VALUE) here.
0040D2BE 75 04 jnz short NOTEPAD.0040D2C4
====> Then this does not jump, and the block between 0040D2C4 and 0040D335 that works on the open file (presumably the on-disk part of the CRC check; option bit 8 is tested at 0040D27E) is skipped, which is a bit faster! :-)
0040D2C0 33C0 xor eax,eax
0040D2C2 EB 71 jmp short NOTEPAD.0040D335
====> Jumps.
0040D335 8B85 64254000 mov eax,dword ptr ss:[ebp+402564] ; NOTEPAD.00400000
0040D33B BB 01000000 mov ebx,1
0040D340 E8 08000000 call NOTEPAD.0040D34D
====> Step over this CALL with F8.
0040D345 8D85 A3214000 lea eax,dword ptr ss:[ebp+4021A3]
0040D34B 50 push eax
0040D34C C3 retn
====> Returns to 0040D416.
0040D416 8B9D 64254000 mov ebx,dword ptr ss:[ebp+402564] ; NOTEPAD.00400000
====> [ebp+402564]=00400000, the image base.
0040D41C 039D 68254000 add ebx,dword ptr ss:[ebp+402568]
====> EBX=00400000 + 000010CC=004010CC; this is the OEP :-)
0040D422 C1CB 07 ror ebx,7
====> Patch this to JMP EBX so that it jumps straight to the OEP! (In the original stub the OEP is rotated right by 7 bits here and control only reaches it later through the packer's exception handler, which rotates the value back; the XP trace below shows that handler at 0101370C doing rol edi,7 on the saved Ebx and writing the result into the CONTEXT Eip.)
0040D422 - FFE3 jmp ebx ; NOTEPAD.004010CC // after the patch
====> Jumps to the OEP.
———————————————————————
004010CC 55 push ebp
====> Dump the process here with OllyDump,
====> or first correct the ImageSize with LordPE and then do a full dump!
004010CD 8BEC mov ebp,esp
004010CF 83EC 44 sub esp,44
004010D2 56 push esi
004010D3 FF15 E4634000 call dword ptr ds:[4063E4]; KERNEL32.GetCommandLineA
———————————————————————
Run the packed program again, start ImportREC and select this process. Set OEP to 000010CC, click IAT AutoSearch, then "Get Imports", and fix the few unresolved functions by hand. Fix Dump, and the result runs normally! 54.5K -> 64K
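The loop at 0040D07A-0040D0AC is worth modelling outside the debugger, because most of its instructions are padding: the clc/stc pairs set a flag nothing reads, and x86 reduces an 8-bit rotate count modulo 8, so rol al,20 and rol al,68 do nothing and the remaining rotates fold together. The Python below is an added example, not code from this write-up or from yoda's Crypter; it replays the instruction sequence byte for byte, shows the folded form, and includes the inverse that a packer would apply. The sample bytes in it are constructed.

```python
"""
Added example (not code from the original write-up or from yoda's Crypter):
a Python model of the per-byte decryption loop at 0040D07A-0040D0AC.  The
operation sequence and immediates are copied from the listing; the sample
bytes fed to it are constructed test data, not bytes from the packed Notepad.
"""

MASK8 = 0xFF


def rol8(x: int, count: int) -> int:
    """x86 'rol r/m8, imm8': the count is masked to 5 bits, then reduced mod 8,
    so rol al,20 and rol al,68 are no-ops and rol al,9A is really rol al,2."""
    n = (count & 0x1F) % 8
    x &= MASK8
    return ((x << n) | (x >> (8 - n))) & MASK8 if n else x


def ror8(x: int, count: int) -> int:
    """x86 'ror r/m8, imm8' with the same count reduction."""
    n = (count & 0x1F) % 8
    x &= MASK8
    return ((x >> n) | (x << (8 - n))) & MASK8 if n else x


def decrypt_byte(al: int, cl: int) -> int:
    """One pass through the loop body, instruction by instruction.
    cl is the low byte of the loop counter ecx (97Bh on the first pass);
    the clc/stc instructions are omitted because nothing consumes CF."""
    al = (al - 0x7D) & MASK8   # 0040D07C  sub al,7D
    al = rol8(al, 0x20)        # 0040D07F  rol al,20   (no-op)
    al = (al - 0x4B) & MASK8   # 0040D082  sub al,4B
    al = rol8(al, 0x68)        # 0040D084  rol al,68   (no-op)
    al = (al - 0x54) & MASK8   # 0040D08B  sub al,54
    al = rol8(al, 0x9A)        # 0040D091  rol al,9A   (= rol 2)
    al = (al + cl) & MASK8     # 0040D094  add al,cl   (position dependent)
    al = rol8(al, 0x7A)        # 0040D096  rol al,7A   (= rol 2)
    al = rol8(al, 0x2F)        # 0040D099  rol al,2F   (= rol 7)
    al = rol8(al, 0x13)        # 0040D09C  rol al,13   (= rol 3)
    al = (al + 0xE2) & MASK8   # 0040D09F  add al,E2
    al = ror8(al, 0xD3)        # 0040D0A1  ror al,D3   (= ror 3)
    al = rol8(al, 0x7C)        # 0040D0A5  rol al,7C   (= rol 4)
    al = (al - 0x7D) & MASK8   # 0040D0A9  sub al,7D
    return al


def decrypt_byte_simplified(al: int, cl: int) -> int:
    """The same transform with the obfuscation folded away: adjacent
    subtractions merge and rotate counts add mod 8, leaving seven real steps."""
    al = (al - 0x1C) & MASK8   # -7D -4B -54
    al = rol8(al, 2)
    al = (al + cl) & MASK8
    al = rol8(al, 4)           # rol 2 + rol 7 + rol 3 = rol 12 = rol 4
    al = (al + 0xE2) & MASK8
    al = rol8(al, 1)           # ror 3 then rol 4
    return (al - 0x7D) & MASK8


def encrypt_byte(pt: int, cl: int) -> int:
    """Inverse of decrypt_byte (each step undone in reverse order): what the
    packer has to do to the stub bytes at build time."""
    al = (pt + 0x7D) & MASK8
    al = ror8(al, 0x7C)
    al = rol8(al, 0xD3)
    al = (al - 0xE2) & MASK8
    al = ror8(al, 0x13)
    al = ror8(al, 0x2F)
    al = ror8(al, 0x7A)
    al = (al - cl) & MASK8
    al = ror8(al, 0x9A)
    al = (al + 0x54) & MASK8
    al = ror8(al, 0x68)
    al = (al + 0x4B) & MASK8
    al = ror8(al, 0x20)
    return (al + 0x7D) & MASK8


def _run_loop(data: bytes, step, ecx: int) -> bytes:
    """lods / step / stos / loop: ecx is read (as cl) before loop decrements it."""
    out = bytearray()
    for b in data[:ecx]:
        out.append(step(b, ecx & MASK8))
        ecx -= 1
    return bytes(out) + data[len(out):]


def decrypt_block(data: bytes, ecx: int = 0x97B) -> bytes:
    """Decrypt the first ecx bytes exactly as the stub does from 0040D06D on."""
    return _run_loop(data, decrypt_byte, ecx)


def encrypt_block(data: bytes, ecx: int = 0x97B) -> bytes:
    return _run_loop(data, encrypt_byte, ecx)


if __name__ == "__main__":
    # Constructed sample: a fake 16-byte stub fragment, packed then unpacked.
    sample = bytes(range(0x60, 0x70))
    packed = encrypt_block(sample)
    assert decrypt_block(packed) == sample
    print(packed.hex(), "->", decrypt_block(packed).hex())
```

Feed decrypt_block the 97Bh bytes at ebp+401E3B copied out of OD before the loop runs and you get the stage the loop writes back in place. Because cl enters the arithmetic, the transform depends on each byte's position, so the dump must start exactly at ebp+401E3B.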
—————————————————————————————————
2. Unpacking under WinXP
This experiment packs XP's Notepad. Don't select API Redirection or Erase PE Header, otherwise the packed program won't run.
This time I used loveboom's method to unpack it. See "ExeStealth2.72的简单脱壳(for vb版)!!" (Simple unpacking of ExeStealth 2.72, VB edition) for details.
———————————————————————
01013060 60 pushad
====> OD breaks here on load!
01013061 E8 00000000 call XP-Notep.01013066
Press F9 to run; the program breaks on an exception.
010136DD CD 68 int 68
====> The first exception (int 68 is not a valid user-mode call on XP, so it raises an exception that the stub's own SEH handler catches; the pop dword ptr fs:[ebx] at 010136E1 unlinks that handler afterwards, the same pattern as 0040D111 in the Win98 trace).
010136DF 33DB xor ebx,ebx
010136E1 64:8F03 pop dword ptr fs:[ebx]
010136E4 83C4 04 add esp,4
010136E7 66:81FF 9712 cmp di,1297
010136EC 74 0E je short 010136FC
Shift+F9 to pass the exception; after the 2nd Shift+F9 the program runs. OK, try again: press Shift+F9 once and stop.
01013769 0000 add byte ptr ds:[eax],al
====> The 2nd exception is here! :-)
====> Look at the stack window: the second address there is 0101370C. Set a breakpoint on it with F2.
Shift+F9 to pass the exception; the program breaks at 0101370C.
0101370C 55 push ebp
====> The second address from the stack: set the breakpoint here! This is the stub's SEH handler: [ebp+10] is its CONTEXT argument, and the offsets used below are CONTEXT fields (C4 = Esp, A4 = Ebx, B8 = Eip).
0101370D 8BEC mov ebp,esp
0101370F 57 push edi
01013710 8B45 10 mov eax,dword ptr ss:[ebp+10]
01013713 8BB8 C4000000 mov edi,dword ptr ds:[eax+C4]
01013719 FF37 push dword ptr ds:[edi]
0101371B 33FF xor edi,edi
0101371D 64:8F07 pop dword ptr fs:[edi]
01013720 8380 C4000000 08 add dword ptr ds:[eax+C4],8
01013727 8BB8 A4000000 mov edi,dword ptr ds:[eax+A4]
0101372D C1C7 07 rol edi,7
01013730 89B8 B8000000 mov dword ptr ds:[eax+B8],edi
====> Unlinks the SEH frame (fs:[0] := [Esp]), pops the two dwords the stub pushed (Esp += 8), then sets Eip = rol(Ebx,7): the OEP that the stub hid with ror ebx,7 (compare 0040D422 in the Win98 trace).
01013736 B8 00000000 mov eax,0
====> Returns 0 = ExceptionContinueExecution, so the OS resumes at the new Eip.
0101373B 5F pop edi
0101373C C9 leave
0101373D C3 retn
====> Returns to 77F833A0
Now Ctrl+F9 (execute till return)!
77F833A0 64:8B25 00000000 mov esp,dword ptr fs:[0]
77F833A7 64:8F05 00000000 pop dword ptr fs:[0]
77F833AE 8BE5 mov esp,ebp
77F833B0 5D pop ebp
77F833B1 C2 1400 retn 14
====> Returns to 77F83372
77F83372 5F pop edi
77F83373 5E pop esi
77F83374 5B pop ebx
77F83375 C2 1400 retn 14
====> Returns to 77F617EE
77F617EE F605 8A51FC77 80 test byte ptr ds:[77FC518A],80
...... omitted ......
77F61C9E B0 01 mov al,1
77F61CA0 5F pop edi
77F61CA1 5B pop ebx
77F61CA2 5E pop esi
77F61CA3 C9 leave
77F61CA4 C2 0800 retn 8
====> Returns to 77F510A6
77F510A6 0AC0 or al,al
====> Ctrl+F9 here!
If you're lucky it stops at the instruction right after the entry point! I tried N times; it doesn't stop at the entry point every time! :-(
———————————————————————
01006AE0 6A 70 push 70
====> This is the OEP :-)
01006AE2 68 88180001 push 1001888
====> Ctrl+F9 returns here!
01006AE7 E8 BC010000 call 01006CA8
01006AEC 33DB xor ebx,ebx
01006AEE 53 push ebx
01006AEF 8B3D 4C110001 mov edi,dword ptr ds:[100114C]; kernel32.GetModuleHandleA
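The handler at 0101370C above and the ror ebx,7 at 0040D422 in the Win98 trace are two halves of one mechanism: the stub hides the OEP in ebx, deliberately faults, and its SEH handler rewrites the CONTEXT so the OS resumes at rol(ebx,7). The Python below is an added example, not code from this write-up or from yoda's Crypter: it models both halves with the documented x86 CONTEXT offsets (Ebx at A4h, Eip at B8h, Esp at C4h). The handler address, the previous SEH pointer and the stack contents are constructed for the demo.

```python
"""
Added example (not code from the original write-up or from yoda's Crypter):
a Python model of the stub's SEH handler at 0101370C-0101373D, paired with
the ror ebx,7 at 0040D422 that hides the OEP.  CONTEXT offsets are the
documented Win32 x86 ones; register and stack values are constructed.
"""
import struct

MASK32 = 0xFFFFFFFF
CTX_EBX, CTX_EIP, CTX_ESP = 0xA4, 0xB8, 0xC4
CTX_SIZE = 0x2CC                      # sizeof(CONTEXT) for x86


def rol32(x: int, n: int) -> int:
    n &= 31
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32 if n else x


def ror32(x: int, n: int) -> int:
    n &= 31
    x &= MASK32
    return ((x >> n) | (x << (32 - n))) & MASK32 if n else x


def hide_oep(image_base: int, oep_rva: int) -> int:
    """0040D416-0040D422: ebx = ImageBase + RVA, then ror ebx,7."""
    return ror32((image_base + oep_rva) & MASK32, 7)


def seh_handler(ctx: bytearray, stack: dict) -> tuple:
    """Model of 0101370C-0101373D.  ctx is the CONTEXT record ([ebp+10]);
    stack maps dword-aligned addresses to dwords (constructed).
    Returns (handler return value, new fs:[0])."""
    esp = struct.unpack_from("<I", ctx, CTX_ESP)[0]
    # 01013713 / 01013719 / 0101371D: fs:[0] := [Esp], the saved previous SEH
    # pointer that the stub pushed right after its own handler address
    fs0 = stack[esp]
    # 01013720: Esp += 8, dropping that saved pointer and the handler address
    struct.pack_into("<I", ctx, CTX_ESP, (esp + 8) & MASK32)
    # 01013727-01013730: Eip := rol(Ebx, 7), undoing the ror by 7 in the stub
    ebx = struct.unpack_from("<I", ctx, CTX_EBX)[0]
    struct.pack_into("<I", ctx, CTX_EIP, rol32(ebx, 7))
    # 01013736: return 0 = ExceptionContinueExecution, so the OS resumes at Eip
    return 0, fs0


def resume_address(image_base: int, oep_rva: int, esp: int = 0x0012FF70) -> dict:
    """End to end: the stub hides the OEP in ebx, faults, and the handler
    rewrites Eip.  Returns the registers the OS would resume with."""
    handler_addr = 0x0101370C                          # from the XP trace
    prev_seh = 0x0012FFE0                              # constructed
    stack = {esp: prev_seh, esp + 4: handler_addr}     # push handler; push fs:[0]
    ctx = bytearray(CTX_SIZE)
    struct.pack_into("<I", ctx, CTX_EBX, hide_oep(image_base, oep_rva))
    struct.pack_into("<I", ctx, CTX_ESP, esp)
    struct.pack_into("<I", ctx, CTX_EIP, 0xDEADBEEF)   # faulting Eip, overwritten
    ret, fs0 = seh_handler(ctx, stack)
    return {
        "disposition": ret,
        "eip": struct.unpack_from("<I", ctx, CTX_EIP)[0],
        "esp": struct.unpack_from("<I", ctx, CTX_ESP)[0],
        "fs0": fs0,
    }


if __name__ == "__main__":
    for base, rva in ((0x00400000, 0x10CC), (0x01000000, 0x6AE0)):
        r = resume_address(base, rva)
        print(hex(base), hex(rva), {k: hex(v) for k, v in r.items()})
```

This is also why the patched jmp ebx in the Win98 section works: immediately before ror ebx,7 the register already holds the plain OEP, so jumping there skips the exception round trip entirely. In a debugger the same fact is visible as the Eip field of the CONTEXT (at [ebp+10]+B8) right after 01013730 executes.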
—————————————————————————————————
Youth is but a moment;
I'll gladly trade empty fame
for the wild abandon of cracking.
Cracked By 巢水工作坊 (Chaoshui Workshop): fly [OCN][FCG]
2003-09-23 17:15