• Title: Manually unpacking JDPACK V1.01 -- the packer on mir333
  • Author: txm123
  • Time: 2003-11-24 11:26
  • Link: http://bbs.pediy.com

Manually unpacking JDPACK V1.01 -- the packer on mir333
Cracked by:
         yzez[DFCG][BCG][FCG]
Target:
         mir333 (a program that a member of the Pediy forum asked FLY for help with)
Tools:
         FI3.01, OLLYDBG1.09, ImportREC
Purpose:
         Cracking for the technique only, not cracking for its own sake; if I got anything wrong, please point it out, experts!
Process:
     Note: I unpacked this program purely out of interest and for no other reason. A forum member posted a request, and since I'm a newbie I just gave it a try; I got lucky and the packer came off!
1. FI3.01 identifies the packer as JDPACK V1.01. I don't know how strong the protection is, so let's just try! Load the program in OD and click No on the second dialog; once it is loaded we stop at the following place:
0091A000 >  60              PUSHAD*******************we stop here after loading! F8 to step down!
0091A001    E8 00000000     CALL    mir333.0091A006
0091A006    5D              POP     EBP
0091A007    8BD5            MOV     EDX, EBP
0091A009    81ED C62B4000   SUB     EBP, mir333.00402BC6
0091A00F    2B95 61344000   SUB     EDX, DWORD PTR SS:[EBP+403461]
0091A015    81EA 06000000   SUB     EDX, 6
0091A01B    8995 65344000   MOV     DWORD PTR SS:[EBP+403465], EDX
0091A021    83BD 69344000 0>CMP     DWORD PTR SS:[EBP+403469], 0
0091A028    0F85 BC030000   JNZ     mir333.0091A3EA*****************not taken here!
0091A02E    C785 69344000 0>MOV     DWORD PTR SS:[EBP+403469], 1
0091A038    B9 88070000     MOV     ECX, 788
0091A03D    8DB5 182C4000   LEA     ESI, DWORD PTR SS:[EBP+402C18]
0091A043    8A85 60344000   MOV     AL, BYTE PTR SS:[EBP+403460]
0091A049    8A1E            MOV     BL, BYTE PTR DS:[ESI]
0091A04B    32C3            XOR     AL, BL
0091A04D    8806            MOV     BYTE PTR DS:[ESI], AL
0091A04F    889D 60344000   MOV     BYTE PTR SS:[EBP+403460], BL****F8 to here! the code below is about to change!
0091A055    46              INC     ESI
0091A056  ^ E2 EB           LOOPD   SHORT mir333.0091A043***********this jumps back; press F4 on the line below!
0091A058    74 2C           JE      SHORT mir333.0091A086***********once you have stepped to 0091A04F, this turns into what follows!
0091A05A    DA1E            FICOMP  DWORD PTR DS:[ESI]

0091A058    9C              PUSHFD***********************************F4 to here to skip the loop!
0091A059    2C DA           SUB     AL, 0DA

0091A058    9C              PUSHFD***********************************after F4 it has changed again!
0091A059    58              POP     EAX
0091A05A    F6C4 01         TEST    AH, 1
0091A05D    74 07           JE      SHORT mir333.0091A066************F8 down; this jumps!
0091A05F    80B5 D72F4000 F>XOR     BYTE PTR SS:[EBP+402FD7], 0FF
0091A066    8BB5 01324000   MOV     ESI, DWORD PTR SS:[EBP+403201]***jumps to here!
0091A06C    8BC5            MOV     EAX, EBP
0091A06E    56              PUSH    ESI
0091A06F    50              PUSH    EAX
0091A070    8B88 09324000   MOV     ECX, DWORD PTR DS:[EAX+403209]
0091A076    6A 04           PUSH    4
0091A078    68 00100000     PUSH    1000
0091A07D    51              PUSH    ECX
0091A07E    6A 00           PUSH    0
0091A080    FF95 EC334000   CALL    DWORD PTR SS:[EBP+4033EC]
0091A086    8985 E1314000   MOV     DWORD PTR SS:[EBP+4031E1], EAX
0091A08C    58              POP     EAX
0091A08D    5E              POP     ESI
0091A08E    56              PUSH    ESI
0091A08F    50              PUSH    EAX
0091A090    8BB0 05324000   MOV     ESI, DWORD PTR DS:[EAX+403205]
0091A096    8B95 65344000   MOV     EDX, DWORD PTR SS:[EBP+403465]
0091A09C    8B88 09324000   MOV     ECX, DWORD PTR DS:[EAX+403209]
0091A0A2    03F2            ADD     ESI, EDX
0091A0A4    60              PUSHAD
0091A0A5    8BFE            MOV     EDI, ESI
0091A0A7    33C0            XOR     EAX, EAX
0091A0A9    AC              LODS    BYTE PTR DS:[ESI]
0091A0AA    3285 D72F4000   XOR     AL, BYTE PTR SS:[EBP+402FD7]
0091A0B0    AA              STOS    BYTE PTR ES:[EDI]
0091A0B1  ^ E2 F6           LOOPD   SHORT mir333.0091A0A9***********jumps back again; press F4 on the line below!
0091A0B3    61              POPAD***********************************F4 to here! continue with F8!
0091A0B4    8BBD E1314000   MOV     EDI, DWORD PTR SS:[EBP+4031E1]
0091A0BA    F3:A4           REP     MOVS BYTE PTR ES:[EDI], BYTE PTR>
0091A0BC    8BB5 E1314000   MOV     ESI, DWORD PTR SS:[EBP+4031E1]
0091A0C2    8BB8 05324000   MOV     EDI, DWORD PTR DS:[EAX+403205]
0091A0C8    03FA            ADD     EDI, EDX
0091A0CA    57              PUSH    EDI
0091A0CB    56              PUSH    ESI
0091A0CC    E8 EC030000     CALL    mir333.0091A4BD
0091A0D1    5E              POP     ESI
0091A0D2    5F              POP     EDI
0091A0D3    58              POP     EAX
0091A0D4    5E              POP     ESI
0091A0D5    56              PUSH    ESI
0091A0D6    50              PUSH    EAX
0091A0D7    8B88 09324000   MOV     ECX, DWORD PTR DS:[EAX+403209]
0091A0DD    8BB5 E1314000   MOV     ESI, DWORD PTR SS:[EBP+4031E1]
0091A0E3    68 00400000     PUSH    4000
0091A0E8    51              PUSH    ECX
0091A0E9    56              PUSH    ESI
0091A0EA    FF95 F0334000   CALL    DWORD PTR SS:[EBP+4033F0]
0091A0F0    58              POP     EAX
0091A0F1    5E              POP     ESI
0091A0F2    83C0 08         ADD     EAX, 8
0091A0F5    4E              DEC     ESI
0091A0F6  ^ 0F85 72FFFFFF   JNZ     mir333.0091A06E******************this jumps back! go on down, brother!
0091A0FC    83BD E9314000 0>CMP     DWORD PTR SS:[EBP+4031E9], 0*****F4 to here!
0091A103    0F84 8A000000   JE      mir333.0091A193******************this jumps! it must jump!
0091A109    8B95 65344000   MOV     EDX, DWORD PTR SS:[EBP+403465]   ; mir333.00400000
0091A10F    8B85 E5314000   MOV     EAX, DWORD PTR SS:[EBP+4031E5]
0091A115    2BD0            SUB     EDX, EAX
0091A117    74 7A           JE      SHORT mir333.0091A193
0091A119    8BC2            MOV     EAX, EDX
0091A11B    C1E8 10         SHR     EAX, 10
0091A11E    33DB            XOR     EBX, EBX
0091A120    8BB5 E9314000   MOV     ESI, DWORD PTR SS:[EBP+4031E9]

0091A193    8D9D 89334000   LEA     EBX, DWORD PTR SS:[EBP+403389]****jumped to here! F8 down!
0091A199    53              PUSH    EBX
0091A19A    FF95 E8334000   CALL    DWORD PTR SS:[EBP+4033E8]*********here the program decompresses a section!
0091A1A0    50              PUSH    EAX
0091A1A1    8D9D 31334000   LEA     EBX, DWORD PTR SS:[EBP+403331]
0091A1A7    53              PUSH    EBX
0091A1A8    50              PUSH    EAX
0091A1A9    FF95 E0334000   CALL    DWORD PTR SS:[EBP+4033E0]
0091A1AF    8985 D5314000   MOV     DWORD PTR SS:[EBP+4031D5], EAX
0091A1B5    58              POP     EAX
************************a section omitted!******************************

0091A25C    837B 10 01      CMP     DWORD PTR DS:[EBX+10], 1
0091A260    74 14           JE      SHORT mir333.0091A276************not taken here!
0091A262    837B 10 02      CMP     DWORD PTR DS:[EBX+10], 2
0091A266    74 02           JE      SHORT mir333.0091A26A************this jumps down!
0091A268    EB 1A           JMP     SHORT mir333.0091A284
0091A26A    E8 DF010000     CALL    mir333.0091A44E******************jumped to here!
0091A26F    83F8 FF         CMP     EAX, -1
0091A272    75 10           JNZ     SHORT mir333.0091A284
0091A274    EB 0A           JMP     SHORT mir333.0091A280
0091A276    E8 9D010000     CALL    mir333.0091A418
0091A27B    83F8 FF         CMP     EAX, -1
0091A27E    75 04           JNZ     SHORT mir333.0091A284************this jumps down!
0091A280    61              POPAD
0091A281    33C0            XOR     EAX, EAX
0091A283    C3              RETN
0091A284    8B95 65344000   MOV     EDX, DWORD PTR SS:[EBP+403465]***jumped to here!
0091A28A    8BB5 F1314000   MOV     ESI, DWORD PTR SS:[EBP+4031F1]
0091A290    03F2            ADD     ESI, EDX
0091A292    8B46 0C         MOV     EAX, DWORD PTR DS:[ESI+C]
0091A295    0BC0            OR      EAX, EAX
0091A297    0F84 65010000   JE      mir333.0091A402******************not taken here!
0091A29D    03C2            ADD     EAX, EDX
0091A29F    8985 BD314000   MOV     DWORD PTR SS:[EBP+4031BD], EAX
0091A2A5    8BD8            MOV     EBX, EAX
0091A2A7    50              PUSH    EAX
0091A2A8    FF95 E4334000   CALL    DWORD PTR SS:[EBP+4033E4]
0091A2AE    0BC0            OR      EAX, EAX
0091A2B0    75 55           JNZ     SHORT mir333.0091A307************F8 to here and it jumps below!
0091A2B2    53              PUSH    EBX
*************************a section of code omitted********************************************************
0091A304    33C0            XOR     EAX, EAX
0091A306    C3              RETN
0091A307    8985 F9314000   MOV     DWORD PTR SS:[EBP+4031F9], EAX***jumped here from above!
0091A30D    C785 FD314000 0>MOV     DWORD PTR SS:[EBP+4031FD], 0
0091A317    8B95 65344000   MOV     EDX, DWORD PTR SS:[EBP+403465]
0091A31D    8B06            MOV     EAX, DWORD PTR DS:[ESI]
0091A31F    0BC0            OR      EAX, EAX
0091A321    75 03           JNZ     SHORT mir333.0091A326***********jumps below!
0091A323    8B46 10         MOV     EAX, DWORD PTR DS:[ESI+10]
0091A326    03C2            ADD     EAX, EDX
0091A328    0385 FD314000   ADD     EAX, DWORD PTR SS:[EBP+4031FD]
0091A32E    8B18            MOV     EBX, DWORD PTR DS:[EAX]
0091A330    8B7E 10         MOV     EDI, DWORD PTR DS:[ESI+10]
0091A333    03FA            ADD     EDI, EDX
0091A335    03BD FD314000   ADD     EDI, DWORD PTR SS:[EBP+4031FD]
0091A33B    85DB            TEST    EBX, EBX
0091A33D    0F84 99000000   JE      mir333.0091A3DC*****************not taken here!
0091A343    F7C3 00000080   TEST    EBX, 80000000
0091A349    75 07           JNZ     SHORT mir333.0091A352***********not taken here either!
0091A34B    03DA            ADD     EBX, EDX
0091A34D    83C3 02         ADD     EBX, 2
0091A350    EB 15           JMP     SHORT mir333.0091A367***********jumps!
0091A352    81E3 FFFFFF7F   AND     EBX, 7FFFFFFF
0091A358    53              PUSH    EBX
0091A359    FFB5 F9314000   PUSH    DWORD PTR SS:[EBP+4031F9]
0091A35F    FF95 E0334000   CALL    DWORD PTR SS:[EBP+4033E0]
0091A365    EB 18           JMP     SHORT mir333.0091A37F
0091A367    53              PUSH    EBX*****************************jumped to here!
0091A368    FFB5 F9314000   PUSH    DWORD PTR SS:[EBP+4031F9]
0091A36E    FF95 E0334000   CALL    DWORD PTR SS:[EBP+4033E0]
0091A374    EB 04           JMP     SHORT mir333.0091A37A***********jumps!
0091A376    C603 00         MOV     BYTE PTR DS:[EBX], 0
0091A379    43              INC     EBX
0091A37A    803B 00         CMP     BYTE PTR DS:[EBX], 0************jumped to here!
0091A37D  ^ 75 F7           JNZ     SHORT mir333.0091A376***********jumps back! press F4 on the line below!
0091A37F    0BC0            OR      EAX, EAX ***********************F4 to this line!
0091A381    75 4B           JNZ     SHORT mir333.0091A3CE***********jumps!
0091A383    FFB5 BD314000   PUSH    DWORD PTR SS:[EBP+4031BD]
0091A389    53              PUSH    EBX
************************a section of code omitted!******************************************
0091A3CD    C3              RETN
0091A3CE    8907            MOV     DWORD PTR DS:[EDI], EAX*********jumped to here!
0091A3D0    8385 FD314000 0>ADD     DWORD PTR SS:[EBP+4031FD], 4
0091A3D7  ^ E9 3BFFFFFF     JMP     mir333.0091A317*****************jumps back; are we going to let it?
0091A3DC    83C6 14         ADD     ESI, 14*************************F4 to here!
0091A3DF    8B95 65344000   MOV     EDX, DWORD PTR SS:[EBP+403465]   ; mir333.00400000
0091A3E5  ^ E9 A8FEFFFF     JMP     mir333.0091A292*****************wants to jump back again! F4 on down! But do NOT press F4
************************************on the next line, or the program runs away! We press F4 on the line at 0091A414!
0091A3EA    6A 30           PUSH    30
0091A3EC    8D9D 4D324000   LEA     EBX, DWORD PTR SS:[EBP+40324D]
0091A3F2    53              PUSH    EBX
0091A3F3    8D9D 61324000   LEA     EBX, DWORD PTR SS:[EBP+403261]
0091A3F9    53              PUSH    EBX
0091A3FA    6A 00           PUSH    0
0091A3FC    FF95 D5314000   CALL    DWORD PTR SS:[EBP+4031D5]
0091A402    8B95 65344000   MOV     EDX, DWORD PTR SS:[EBP+403465]
0091A408    8B85 ED314000   MOV     EAX, DWORD PTR SS:[EBP+4031ED]
0091A40E    03C2            ADD     EAX, EDX
0091A410    894424 1C       MOV     DWORD PTR SS:[ESP+1C], EAX
0091A414    61              POPAD************************************we press F4 to land on this line!
0091A415    50              PUSH    EAX *****************************look at the value of EAX: here it is 0046992D.
*******************************************happy? This is the OEP we were looking for!
0091A416    C3              RETN***********F8!

0046992D    55              PUSH    EBP******************************and we return here! Now we can unpack: use LordPE
********************************************************************to dump the program
0046992E    8BEC            MOV     EBP, ESP
00469930    6A FF           PUSH    -1
00469932    68 C86D4700     PUSH    mir333.00476DC8
00469937    68 30964600     PUSH    mir333.00469630
0046993C    64:A1 00000000  MOV     EAX, DWORD PTR FS:[0]
00469942    50              PUSH    EAX                              ; mir333.0046992D
00469943    64:8925 0000000>MOV     DWORD PTR FS:[0], ESP
0046994A    83EC 58         SUB     ESP, 58

2. Running the dumped program does nothing at all, ugh! Fix it with ImportREC: enter the OEP address 0006992D, fix everything, save, and run it again. OK, it works!
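Added here as an example, not code from the original post or from the packer: a Python re-implementation of the two XOR loops that the listing above walks through (0091A043..0091A056, which rewrites the stub's own code, and 0091A0A9..0091A0B1, which processes each section), so the reader can see what the stub is doing while the F4/F8 steps skip over it. The addresses and constants come from the listing (EBP = 0091A006 - 00402BC6, LEA ESI,[EBP+402C18], MOV ECX,788); the sample bytes, the seed and key values, and the inverse `chained_xor_encrypt` helper are constructed assumptions. The reading of PUSHFD / POP EAX / TEST AH,1 as a test of EFLAGS bit 8, the trap flag, is mine; it is not stated in the post.

```python
# Added example (not from the original post): model of the two XOR stages
# in the JDPACK V1.01 stub listed above.  Constants are taken from the listing;
# sample data below is constructed.

# CALL mir333.0091A006 / POP EBP leaves EBP = 0091A006; SUB EBP, 00402BC6 gives
# the delta base used by every [EBP+xxxx] reference in the stub.
STUB_EBP = 0x0091A006 - 0x00402BC6      # = 0x00517440
LOOP1_START = STUB_EBP + 0x402C18       # LEA ESI, [EBP+402C18] -> 0091A058
LOOP1_LENGTH = 0x788                    # MOV ECX, 788
EFLAGS_TF = 1 << 8                      # bit 8 of EFLAGS is TF (trap flag)


def chained_xor_decrypt(data: bytes, seed: int) -> bytes:
    """Loop at 0091A043..0091A056.

    AL = key byte at [EBP+403460]; BL = [ESI]; AL ^= BL; [ESI] = AL;
    key = BL; INC ESI; LOOPD.  Each byte is XORed with the previous
    *ciphertext* byte, so the loop is a rolling-key XOR decrypt in place.
    """
    key = seed & 0xFF
    out = bytearray()
    for c in data:
        out.append(key ^ c)             # XOR AL, BL ; MOV [ESI], AL
        key = c                         # MOV BYTE PTR [EBP+403460], BL
    return bytes(out)


def chained_xor_encrypt(data: bytes, seed: int) -> bytes:
    """Inverse of chained_xor_decrypt (constructed helper, not in the stub)."""
    key = seed & 0xFF
    out = bytearray()
    for p in data:
        c = p ^ key
        out.append(c)
        key = c
    return bytes(out)


def fixed_xor_decrypt(data: bytes, key: int, eflags: int) -> bytes:
    """Loop at 0091A0A9..0091A0B1 with the flag check at 0091A058..0091A05F.

    PUSHFD; POP EAX; TEST AH, 1 looks at bit 8 of EFLAGS, i.e. TF.  When TF
    is set the stub first XORs the key byte at [EBP+402FD7] with 0FFh, so the
    LODSB / XOR AL,[key] / STOSB loop yields garbage for a single-stepped run;
    with TF clear (the JE at 0091A05D taken) the plain key is used.
    """
    if eflags & EFLAGS_TF:
        key ^= 0xFF                     # XOR BYTE PTR [EBP+402FD7], 0FF
    return bytes(b ^ (key & 0xFF) for b in data)


def demo() -> dict:
    """Build a constructed 'stub body', run both stages, report the results."""
    plain = bytes([0x9C, 0x58, 0xF6, 0xC4, 0x01, 0x74, 0x07]) * 4   # constructed
    seed, key = 0x3C, 0x5A                                          # constructed
    stage1_cipher = chained_xor_encrypt(plain, seed)
    stage1_plain = chained_xor_decrypt(stage1_cipher, seed)
    section_cipher = fixed_xor_decrypt(plain, key, 0)    # XOR is its own inverse
    return {
        "loop1_start": LOOP1_START,
        "loop1_end": LOOP1_START + LOOP1_LENGTH,
        "stage1_roundtrip_ok": stage1_plain == plain,
        "tf_clear_ok": fixed_xor_decrypt(section_cipher, key, 0) == plain,
        "tf_set_ok": fixed_xor_decrypt(section_cipher, key, EFLAGS_TF) == plain,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{name}: {value}")
```

`LOOP1_START` evaluates to 0091A058, which is exactly the line the post says "turns into something else" after the first loop: the 0x788 bytes from 0091A058 onward are the stub's own next stage, decrypted in place. The `tf_set_ok` result is False, which is the point of the flag check: decrypting under a set trap flag gives the wrong bytes.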