脱Visual Protect V2.1.0的壳。
好久没有写过东西了,看到电神、小三他们搞Armadillo的壳我也心里痒痒,可是我又不会,只好找个别的壳来试试!正好让我碰到一个,搞定后,赶快写下来。写的水平有限,大家多指正。
要脱壳的程序:因为是国产,所以保密。
工具:trw、importREC、procdump1.62、ida,还有文房四宝。
用trw载入吧!
来到入口:
; Packer entry stub as captured in IDA (Intel syntax, VCODE segment; the listing's
; line breaks are the original author's).
; Shape of the code: resolve one API by name at runtime (LoadLibraryA +
; GetProcAddress), call it once with a 0 argument, hand the result to sub_796550,
; and transfer control to whatever sub_796550 returns. The strings behind the
; byte_79700C+... offsets are not reproduced here, so the library and export
; names cannot be read off this excerpt.
VCODE:00795BC0
push ebp
VCODE:00795BC1
mov ebp, esp
; ebp-based frame; the push ecx below is the slot IDA names var_4 (ebp-4)
VCODE:00795BC3
push ecx
; preserve callee-saved ebx/esi/edi
VCODE:00795BC4
push ebx
VCODE:00795BC5
push esi
VCODE:00795BC6
push edi
; global at byte_79700C+3B80h cleared to 0 (its consumer is not in this excerpt)
VCODE:00795BC7
mov dword ptr ds:byte_79700C+3B80h,
0
; hLib = LoadLibraryA(<string at byte_79700C+2450h>); handle stored in global +3BDCh
VCODE:00795BD1 push
(offset byte_79700C+2450h) ; lpLibFileName
VCODE:00795BD6
call ds:LoadLibraryA
VCODE:00795BDC mov
dword ptr ds:byte_79700C+3BDCh, eax
; pfn = GetProcAddress(hLib, <string at byte_79700C+243Ch>); pointer stored in global +3B60h
VCODE:00795BE1
push (offset byte_79700C+243Ch)
; lpProcName
VCODE:00795BE6
mov eax, dword ptr ds:byte_79700C+3BDCh
VCODE:00795BEB
push eax
; hModule
VCODE:00795BEC
call ds:GetProcAddress
VCODE:00795BF2
mov dword ptr ds:byte_79700C+3B60h,
eax
; r = pfn(0); stored in global +3BBCh. Later, sub_796550's epilogue adds this
; value to an offset before returning it, so it presumably is a module base /
; handle -- TODO confirm from the export name, which is not visible here.
VCODE:00795BF7
push 0
VCODE:00795BF9
call dword ptr ds:byte_79700C+3B60h
VCODE:00795BFF
mov dword ptr ds:byte_79700C+3BBCh,
eax
; target = sub_796550(r); cdecl, hence the add esp, 4 after the call
VCODE:00795C04
mov ecx, dword ptr ds:byte_79700C+3BBCh
VCODE:00795C0A
push ecx
VCODE:00795C0B
call sub_796550
<-----在这里按F8进入
VCODE:00795C10
add esp, 4
VCODE:00795C13
mov [ebp+var_4], eax
; a zero return skips the transfer (loc_795C1F, not shown); otherwise control goes
; through the computed address -- an indirect jmp whose destination exists only at
; runtime, which is why static disassembly of this stub ends here.
VCODE:00795C16
cmp [ebp+var_4],
0
VCODE:00795C1A jz
short loc_795C1F
VCODE:00795C1C
jmp [ebp+var_4]
; sub_796550 -- prologue and the first few instructions only; the author cuts the
; listing at "......." below. One stack argument (arg_0): the value the entry stub
; stored in global +3BBCh. Locals: 328h bytes; with the four pushes IDA's frame
; size is 338h, which is why operands read [esp+338h+...].
VCODE:00796550
sub esp, 328h
; al = byte at global +3B4Ch, written to the first byte of a local buffer (var_300)
VCODE:00796556 mov
al, ds:byte_79700C+3B4Ch
VCODE:0079655B
push ebx
VCODE:0079655C
push ebp
VCODE:0079655D
push esi
VCODE:0079655E
push edi
VCODE:0079655F
mov [esp+338h+var_300],
al
; Zero the 255 bytes after var_300: 3Fh dwords (252) + one word + one byte.
; This is the usual compiler output for a 256-byte local whose first byte was
; assigned above. The F3 prefix on stos is a plain rep whatever the
; disassembler prints ("repe" here).
VCODE:00796563
mov ecx, 3Fh
VCODE:00796568
xor eax, eax
VCODE:0079656A
lea edi, [esp+338h+var_2FF]
; esi = LoadLibraryA (read from the import slot); its use lies past the cut
VCODE:0079656E mov
esi, ds:LoadLibraryA
VCODE:00796574
repe stosd
; ecx = arg_0 (the entry stub's r); the string pushed next is the same
; lpLibFileName the entry stub already passed to LoadLibraryA (+2450h)
VCODE:00796576
mov ecx, [esp+338h+arg_0]
VCODE:0079657D
push (offset byte_79700C+2450h)
; lpLibFileName
VCODE:00796582
stosw
VCODE:00796584
stosb
.......
略去部分,你最好用Ctrl+PageDown找个落脚点,我选择796A99,其他你可以试。
; Mid-function fragment of sub_796550: five pushes building an argument list for
; a call that is below the cut. Four are addresses inside the packer's data area
; (byte_79700C+...), one is the plain immediate 130h (304). The author's
; breakpoint lands on the first push.
VCODE:00796A99 push
(offset byte_79700C+38FCh) <----中断到这里
VCODE:00796A9E
push (offset byte_79700C+3904h)
VCODE:00796AA3 push
(offset byte_79700C+2784h)
VCODE:00796AA8
push 130h
VCODE:00796AAD
push (offset byte_79700C+37CCh)
然后按F10慢慢地跟,注意这里:
; Tail of sub_796550 (everything between 796584 and here is omitted by the author).
; Indirect call through global +3B58h; the author identifies the target as code in
; VP.dll -- not verifiable from the listing itself.
VCODE:00796C42
call dword ptr ds:byte_79700C+3B58h<----这里是调用一个VP.dll,我们按F8进入。
; eax = local var_3F0. Note IDA's frame delta is 3FCh at this point, not the
; 338h of the prologue -- see the review note below. Zero -> loc_796C5F (not shown).
VCODE:00796C48 mov
eax, [esp+3FCh+var_3F0]
VCODE:00796C4C
test eax, eax
VCODE:00796C4E
jz short
loc_796C5F
; Non-zero: return var_3F0 + <global +3BBCh>. The global holds the entry stub's
; pfn(0) result, so the return value is that value plus an offset, and the
; caller jumps to it (jmp [ebp+var_4] at 795C1C).
VCODE:00796C50
mov ecx, dword ptr ds:byte_79700C+3BBCh
VCODE:00796C56
add eax, ecx
; NOTE(review): this epilogue only releases the 328h-byte local area; the
; ebx/ebp/esi/edi pushed in the prologue are not popped in the lines shown, and
; the 3FCh frame delta above does not match 338h either. Either the pops and
; extra pushes sit in the omitted part, or the excerpt is inconsistent --
; TODO confirm before relying on this frame layout.
VCODE:00796C58 add
esp, 328h
VCODE:00796C5E
retn
下面都在dll中了,给出断点。
bpx 8302e6
然后在8302f6处进入,然后就要慢慢地试了,你可能会发现有几个用户名要验证。还有几个判断,注意要慢慢试,在83086c处不要跳,就会发现jmp [ebp+4]的字样了,ok!到终点了!
入口是409ebc
用命令suspend挂起,
用procdump工具dump出来,存为dump.exe,然后再用importREC修复输入表。原来程序是VB的,修复输入表很简单。
ok!到此脱壳应该就完成了,运行一下,可以运行。
第一次脱这样的壳写的不好,请大家指正。
小球,
2002.4.24
- 标 题:脱Visual Protect V2.1.0的壳 (4千字)
- 作 者:小球[CCG]
- 时 间:2002-4-24 18:38:26
- 链 接:http://bbs.pediy.com