下载地址: http://www.absolutelock.de/construction/files/releases/PEiD.zip
软件大小: 91 KB
【软件简介】:PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 450 different signatures in PE files.Recoded everything again. New faster and better scanning engine. New internal signature system. MFS v0.02 now supports Recursive Scanning. Commandline Parser now updated and more powerful. Detections fine tuned and newer detections added. Very basic Heuristic scanning.
【作者声明】:初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
【调试环境】:WinXP、Ollydbg1.09、PEiD、LordPE、ImportREC
—————————————————————————————————
【脱壳过程】:
PEiD 是偶比较喜欢的侦壳工具,新版的侦壳功能更强了,可以查出ACProtect是:UltraProtect 1.x -> RISCO Software Inc.而FI 3.01就查不出。其附带的2个插件功能也不错。
想必snaker在给PEiD加壳时有点为难,如果加的壳是PEiD所侦测不出岂不是有点没面子?
所以就用自己写的UPXShit加壳了。PEID自己侦测:UPXShit
0.06 -> snaker 查OEP=425AEF 而FI却:PE Win GUI *UNKNOWN* 查不出来。
记得PEiD V0.9加的是UPXShit 0.05壳,sinker 兄弟曾写过脱壳过程。
今夜无眠,忙里抽闲看看UPXShit 0.06是否有变化,发现了一点点捷径
————————————————————————
用Ollydbg手动脱壳,老规矩:载入后弹出“是压缩代码——要继续进行分析吗?”,点“否”。
00435FE9 B8 D35F4300 mov eax,PEiD.00435FD3
====>进入OD后断在这!
00435FEE B9 15000000 mov ecx,15
00435FF3 803408 FD xor byte ptr ds:[eax+ecx],0FD
00435FF7 E2 FA loopd short PEiD.00435FF3
00435FF9 E9 D6FFFFFF jmp PEiD.00435FD4
下断:BP LoadLibraryA F9运行断下 然后取消断点 CTR+F9执行到返回
77E605D8 837C24 04 00 cmp dword ptr ss:[esp+4],0
====>断在这
77E605DD 53 push ebx
77E605DE 56 push esi
77E605DF 74 19 je short kernel32.77E605FA
77E605E1 68 9C5BE777 push kernel32.77E75B9C
77E605E6 FF7424 10 push dword ptr ss:[esp+10]
77E605EA FF15 9013E477 call dword ptr ds:[<&ntdll._strcmpi>]
77E605F0 85C0 test eax,eax
77E605F2 59 pop ecx
77E605F3 59 pop ecx
77E605F4 0F84 76AF0100 je kernel32.77E7B570
77E605FA 6A 00 push 0
77E605FC 6A 00 push 0
77E605FE FF7424 14 push dword ptr ss:[esp+14]
77E60602 E8 B1FFFFFF call kernel32.LoadLibraryExA
77E60607 5E pop esi
77E60608 5B pop ebx
77E60609 C2 0400 retn 4
====>返回到 00435FA8
00435FA2 FF96 84560300 call dword ptr ds:[esi+35684]
00435FA8 95 xchg eax,ebp
====>返回这里,向下找 popad
00435FA9 8A07 mov al,byte ptr ds:[edi]
00435FAB 47 inc edi
00435FAC 08C0 or al,al
00435FAE 74 DC je short PEiD.00435F8C
00435FB0 89F9 mov ecx,edi
00435FB2 57 push edi
00435FB3 48 dec eax
00435FB4 F2:AE repne scas byte ptr es:[edi]
00435FB6 55 push ebp
00435FB7 FF96 88560300 call dword ptr ds:[esi+35688]
00435FBD 09C0 or eax,eax
00435FBF 74 07 je short PEiD.00435FC8
00435FC1 8903 mov dword ptr ds:[ebx],eax
00435FC3 83C3 04 add ebx,4
00435FC6 EB E1 jmp short PEiD.00435FA9
00435FC8 FF96 8C560300 call dword ptr ds:[esi+3568C]
00435FCE 61 popad
====>此处下断 F9断在这
00435FCF E9 1BFBFEFF jmp PEiD.00425AEF
====>飞向光明之巅!
————————————————————————
00425AEF 55 push ebp
====>在这儿用LordPE完全DUMP这个进程
00425AF0 8BEC mov ebp,esp
00425AF2 6A FF push -1
00425AF4 68 78724100 push PEiD.00417278
00425AF9 68 7C5C4200 push PEiD.00425C7C
————————————————————————
运行ImportREC,选择这个进程。把OEP改为00025AEF,点IT AutoSearch,点“Get Import”,FixDump,正常运行!
78.4K ->224K Visual C++ 6.0编写
—————————————————————————————————
呵呵,还有更快的方法,也就是偶所谓的捷径 无须太多的跟踪
用Ollydbg载入程序后直接F9运行PEID V0.91,看看吧:
00435FC8 FF96 8C560300 call dword ptr ds:[esi+3568C]
00435FCE 61 popad
00435FCF E9 1BFBFEFF jmp PEiD.00425AEF
====>这就是跳向OEP的地方,在这里下个硬件执行断点,重新运行就可以断在这了
00435FD4 B8 7F5E4300 mov eax,PEiD.00435E7F
00435FD9 B9 54010000 mov ecx,154
00435FDE 803408 FD xor byte ptr ds:[eax+ecx],0FD
00435FE2 E2 FA loopd short PEiD.00435FDE
00435FE4 E9 97FEFFFF jmp PEiD.00435E80
00435FE9 B8 D35F4300 mov eax,PEiD.00435FD3
====>进入OD后断在这!
呵呵,再看看PEiD V0.9加的UPXShit 0.05壳,同样的方法:
0041FB8E 61 popad
0041FB8F E9 7B18FFFF jmp PEiD.0041140F
====>这就是跳向OEP的地方
0041FB94 B8 40FA4100 mov eax, PEiD.0041FA40
0041FB99 B9 54010000 mov ecx, 154
0041FB9E 83F9 00 cmp ecx, 0
0041FBA1 7E 06 jle short PEiD.0041FBA9
0041FBA3 8030 F7 xor byte ptr ds:[eax], 0F7
0041FBA6 40 inc eax
0041FBA7 E2 F5 loopd short PEiD.0041FB9E
0041FBA9 E9 92FEFFFF jmp PEiD.0041FA40
0041FBAE B8 94FB4100 mov eax, PEiD.0041FB94
0041FBB3 B9 1A000000 mov ecx, 1A
0041FBB8 83F9 00 cmp ecx, 0
0041FBBB 7E 06 jle short PEiD.0041FBC3
0041FBBD 8030 F7 xor byte ptr ds:[eax], 0F7
0041FBC0 40 inc eax
0041FBC1 E2 F5 loopd short PEiD.0041FBB8
0041FBC3 E9 CCFFFFFF jmp PEiD.0041FB94
0041FBC8 B8 AEFB4100 mov eax, PEiD.0041FBAE
0041FBCD B9 1A000000 mov ecx, 1A
0041FBD2 83F9 00 cmp ecx, 0
0041FBD5 7E 06 jle short PEiD.0041FBDD
0041FBD7 8030 F7 xor byte ptr ds:[eax], 0F7
0041FBDA 40 inc eax
0041FBDB E2 F5 loopd short PEiD.0041FBD2
0041FBDD E9 CCFFFFFF jmp PEiD.0041FBAE
0041FBE2 B8 C8FB4100 mov eax, PEiD.0041FBC8
====>进入OD后断在这!
—————————————————————————————————
, _/
/| _.-~/ _ , 青春都一饷
( /~ / ~-._ |
`\ _/ ~ ) 忍把浮名
_-~~~-.) )__/;;,. _ //'
/'_, --~ ~~~- ,;;___( (.-~~~-. 换了破解轻狂
`~ _( ,_..-- ( ,;'' / ~-- /._`
/~~//' /' `~ ) /--.._, )_ `~
" `~" " `" /~'` `\~~
" " "~' ""
Cracked By 巢水工作坊——fly [OCN][FCG][NUKE]
2003-11-20 0:15