轻轻松松进销存基础版V2.0
用UNFOXALL
2.0反编译告知不是FOX文件
用TRW2000动态跟踪
下断CREATEFILEA
当打开文件名是主程序名时
下断READFILE
第三次中断时看看BUFFER中的内容
E6
DA 2D 73....
不是APP的文件头FE F2 ...
跟踪程序如何处理这些数据,BPM 17AF00C
来到如下代码,位置是VFP6R.DLL的gtide段,说明程序用自己的dll文件动态解密
*
Referenced by a CALL at Addresses:
|:0C2EF83A , :0C2EF929 , :0C2EF9F8
, :0C2EFAE0
|
:0C2F3486 55
push ebp
:0C2F3487 8BEC
mov ebp, esp
:0C2F3489
83EC08 sub esp,
00000008
:0C2F348C 53
push ebx
:0C2F348D 56
push esi
:0C2F348E 57
push edi
:0C2F348F
C745FC00000000 mov [ebp-04], 00000000
:0C2F3496
EB03 jmp
0C2F349B
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0C2F34CB(U)
|
:0C2F3498
FF45FC inc [ebp-04]
<-已解码字节数
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0C2F3496(U)
|
:0C2F349B
8B450C mov eax,
dword ptr [ebp+0C] <-需要解码的字节数
:0C2F349E 3945FC
cmp dword ptr [ebp-04],
eax <-比较,解码完则转
:0C2F34A1 732A
jnb 0C2F34CD
:0C2F34A3 8B45FC
mov eax, dword ptr
[ebp-04]
:0C2F34A6 8B4D08
mov ecx, dword ptr [ebp+08] <-加密文本缓冲区指针
:0C2F34A9
33D2 xor
edx, edx
:0C2F34AB 8A1401
mov dl, byte ptr [ecx+eax] <-取字符
:0C2F34AE
8A82DAD2320C mov al, byte ptr [edx+0C32D2DA]
<-查密码本
:0C2F34B4 8845F8
mov byte ptr [ebp-08], al
:0C2F34B7 33C0
xor eax, eax
:0C2F34B9
8A45F8 mov al, byte
ptr [ebp-08]
:0C2F34BC 8A80DAD3320C mov
al, byte ptr [eax+0C32D3DA] <-查密码本
:0C2F34C2 8B4DFC
mov ecx, dword ptr [ebp-04]
:0C2F34C5 8B5508
mov edx, dword ptr [ebp+08]
:0C2F34C8 88040A
mov byte ptr [edx+ecx], al
<-解密后字符送回
:0C2F34CB EBCB
jmp 0C2F3498
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0C2F34A1(C)
|
:0C2F34CD
5F pop
edi
:0C2F34CE 5E
pop esi
:0C2F34CF 5B
pop ebx
:0C2F34D0 C9
leave
:0C2F34D1 C3
ret
从0c32d2da
开始的200h字节是解密的密钥
经过解密处理后再看看
FE F2 EE 已经是APP文件的文件头了
将0c32d2da
开始的200h字节写入一个文件,取名code.key
用hex workshop打开主程序,查找E6 DA 2D 73....,将一直到文件结束的内容写到另一个文件,
取名code.app
写一段程序解密
我使用vb写的
' Load the 512-byte lookup table (code.key) into a 1-based buffer, then
' rewrite code.app in place, one byte at a time, through two table lookups.
' i is not declared here; this relies on the module not using Option Explicit - confirm.
Dim keyfiledata(512) As Byte
Dim codefiledata As Byte
Dim middata As Byte
Dim keyfilelen As Long
keyfilelen = FileLen("code.key")
' Get with an explicit record position is 1-based, so table byte k
' (0-based offset) is stored at keyfiledata(k + 1).
Open "code.Key" For Binary As #1
For i = 1 To keyfilelen
    Get #1, i, keyfiledata(i)
Next i
Close #1
' keyfilelen is reused here for the length of the second file.
keyfilelen = FileLen("code.app")
Open "code.app" For Binary As #2
For i = 1 To keyfilelen
    Get #2, i, codefiledata
    ' Two chained lookups: the first table starts at offset 0 and the second
    ' at offset 256 (256 + 1 = 257 because the buffer is 1-based). The result
    ' of the first lookup is a Byte (0..255), so the largest index is 512.
    middata = keyfiledata(keyfiledata(codefiledata + 1) + 257)
    ' Write the result back over the byte just read.
    Put #2, i, middata
Next i
Close #2
MsgBox "finish"
VB就是慢,等上一会之后,告知finish
用unfoxall
反编译一下,所有的代码都能反编译出来,你可以随心所欲了!
想做成exe文件吗?
用VFP编译一个exe文件,将1e00h以后的东西删掉,将code.app贴到1e00h开始的地方.
运行一下,完全正常