【Packer】: linson-style disguise + this mutated shell
【Download】: local download
【Author's note】: I am a beginner at cracking and only doing this out of interest, with no other purpose. If I have made mistakes, I would welcome corrections from the experts!
【Debugging environment】: WinXP, OllyDbg 1.09, PEiD, LordPE, ImportREC
—————————————————————————————————
【Unpacking process】:
Set OllyDbg to ignore all exceptions. Unpack manually with OllyDbg; as usual, use the IsDebug 1.4 plugin to clear OllyDbg's debugger flag. After loading, the dialog "Compressed code, continue analysis?" pops up; click "No".
00405060 55 push ebp //OllyDbg stops here after loading!
//The block below is linson's disguised VC entry prologue
00405061 8BEC mov ebp,esp
00405063 6A FF push -1
00405065 68 AAAAAAAA push AAAAAAAA
0040506A 68 BBBBBBBB push BBBBBBBB
0040506F 64:A1 00000000 mov eax,dword ptr fs:[0]
00405075 50 push eax
00405076 64:8925 00000000 mov dword ptr fs:[0],esp
0040507D 83EC 44 sub esp,44
00405080 53 push ebx
00405081 56 push esi
00405082 57 push edi
00405083 66:9C pushfw
00405085 72 08 jb short 02(Packe.0040508F
00405087 EB 01 jmp short 02(Packe.0040508A
————————————————————————
Set a breakpoint directly: BP CloseHandle+6, or place a hardware execution breakpoint at CloseHandle+6
77E57963 64:A1 18000000 mov eax,dword ptr fs:[18]
77E57969 8B48 30 mov ecx,dword ptr ds:[eax+30]
//Breaks here! Remove the breakpoint, then Ctrl+F9 to execute till return
77E5796C 8B4424 04 mov eax,dword ptr ss:[esp+4]
77E57970 83F8 F4 cmp eax,-0C
77E57973 0F84 4CB4FFFF je kernel32.77E52DC5
77E57979 83F8 F5 cmp eax,-0B
77E5797C 0F84 38B4FFFF je kernel32.77E52DBA
77E57982 83F8 F6 cmp eax,-0A
77E57985 0F84 0F500200 je kernel32.77E7C99A
77E5798B 8BC8 mov ecx,eax
77E5798D 81E1 03000010 and ecx,10000003
77E57993 83F9 03 cmp ecx,3
77E57996 50 push eax
77E57997 0F84 26870000 je kernel32.77E600C3
77E5799D FF15 3C10E477 call dword ptr ds:[<&ntdll.NtClose>]
77E579A3 85C0 test eax,eax
77E579A5 0F8C 02B4FFFF jl kernel32.77E52DAD
77E579AB 33C0 xor eax,eax
77E579AD 40 inc eax
77E579AE C2 0400 retn 4 //returns to 004053D5
004053D5 58 pop eax
004053D6 8B85 D5254000 mov eax,dword ptr ss:[ebp+4025D5]
004053DC BB 01000000 mov ebx,1
004053E1 E8 08000000 call 0.004053EE
004053E6 8D85 14224000 lea eax,dword ptr ss:[ebp+402214]
004053EC 50 push eax
004053ED C3 retn //returns to 004054B7
004054B7 8B9D D5254000 mov ebx,dword ptr ss:[ebp+4025D5]
004054BD 039D D9254000 add ebx,dword ptr ss:[ebp+4025D9]
//EDX=00400000 + 00001000=00401000, this is the OEP
004054C3 C1CB 07 ror ebx,7
OK, set a memory access breakpoint on a few bytes at 00401000, press F9, and execution breaks at the OEP!
00401000 6A 00 push 0 //here, use LordPE to correct ImageSize, then fully dump the process
00401002 68 00304000 push 403000
00401007 68 05304000 push 403005
0040100C 6A 00 push 0
0040100E E8 07000000 call 0040101A
00401013 6A 00 push 0
00401015 E8 06000000 call 00401020
0040101A FF25 08204000 jmp dword ptr ds:[402008]
00401020 FF25 00204000 jmp dword ptr ds:[402000]
———————————————————————
Run ImportREC and select this process. Set OEP to 00001000, click IAT AutoSearch, then "Get Imports", and repair the 2 unresolved functions with tracing level 1. Fix Dump, and the program runs normally! 7.4K -> 8.11K
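As an added illustration (not part of the original write-up), the script below does in Python what two of the manual steps above do by hand: it checks whether a PE32 file's entry point starts with the linson-style fake VC prologue transcribed from the listing above, and it recomputes the SizeOfImage a dump should carry from the section table, which is what the LordPE ImageSize correction does before dumping. It builds its own small PE image in memory (a constructed sample, not the packed file from the page) whose entry bytes are the stub from the listing, so it runs offline; the byte pattern, the helper names and the deliberately understated SizeOfImage in the sample are all assumptions made for this example.

```python
import struct

# Byte pattern of the linson-style fake VC entry, transcribed from the listing
# above (None = wildcard byte). The pushfw after push edi is where it departs
# from a genuine VC6 CRT prologue, which continues with mov dword ptr [ebp-18], esp.
LINSON_FAKE_VC_ENTRY = [
    0x55, 0x8B, 0xEC,                 # push ebp / mov ebp, esp
    0x6A, 0xFF,                       # push -1
    0x68, None, None, None, None,     # push imm32
    0x68, None, None, None, None,     # push imm32
    0x64, 0xA1, 0, 0, 0, 0,           # mov eax, fs:[0]
    0x50,                             # push eax
    0x64, 0x89, 0x25, 0, 0, 0, 0,     # mov fs:[0], esp
    0x83, 0xEC, None,                 # sub esp, imm8
    0x53, 0x56, 0x57,                 # push ebx / push esi / push edi
    0x66, 0x9C,                       # pushfw (junk, see comment above)
]

def match_pattern(code, pattern):
    """True if code starts with pattern; None entries match any byte."""
    if len(code) < len(pattern):
        return False
    return all(p is None or p == b for p, b in zip(pattern, code))

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def parse_pe(data):
    """Minimal PE32 header parser returning only the fields the triage needs."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    section_align = struct.unpack_from("<I", data, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": va,
                         "raw_size": raw_size, "raw_pointer": raw_ptr})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections,
            "section_align": section_align, "size_of_image": size_of_image}

def rva_to_offset(sections, rva):
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return rva - s["virtual_address"] + s["raw_pointer"]
    raise ValueError("RVA %#x is not inside any section" % rva)

def expected_size_of_image(sections, section_align):
    """End of the last section rounded up to SectionAlignment: the value the
    LordPE ImageSize correction restores before a full dump."""
    end = max(s["virtual_address"] + s["virtual_size"] for s in sections)
    return align_up(end, section_align)

def triage(data):
    pe = parse_pe(data)
    off = rva_to_offset(pe["sections"], pe["entry_rva"])
    entry_bytes = data[off:off + len(LINSON_FAKE_VC_ENTRY)]
    return {
        "entry_va": pe["image_base"] + pe["entry_rva"],
        "fake_vc_entry": match_pattern(entry_bytes, LINSON_FAKE_VC_ENTRY),
        "size_of_image": pe["size_of_image"],
        "expected_size_of_image": expected_size_of_image(pe["sections"], pe["section_align"]),
    }

def build_sample_pe():
    """CONSTRUCTED sample PE32 (not the packed file from the page): one .text
    section at RVA 0x1000 holding the stub bytes from the listing, with
    SizeOfImage deliberately understated so the correction is visible."""
    stub = bytes.fromhex(
        "55 8B EC 6A FF 68 AA AA AA AA 68 BB BB BB BB 64 A1 00 00 00 00 50 "
        "64 89 25 00 00 00 00 83 EC 44 53 56 57 66 9C 72 08 EB 01"
    )
    file_align, sect_align, text_vsize = 0x200, 0x1000, 0x1030
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)               # SizeOfImage (wrong), SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                            # Subsystem: GUI
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    sec = struct.pack("<8sIIIIIIHHI", b".text", text_vsize, 0x1000, file_align,
                      0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return headers.ljust(0x200, b"\0") + stub.ljust(file_align, b"\0")

if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print("%-24s %s" % (key, value if isinstance(value, bool) else hex(value)))
```

On the constructed sample the triage reports entry_va 0x401000, fake_vc_entry True, a header SizeOfImage of 0x2000 against an expected 0x3000. A match on the prologue alone is not proof of packing, since the stub copies a real VC entry on purpose; the pushfw and the jb/jmp pair that follow it are the part that gives the linson stub away, and the SizeOfImage mismatch is the same discrepancy that makes the LordPE correction necessary before dumping.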
—————————————————————————————————
Youth lasts but a moment; gladly I trade hollow fame for the wild abandon of cracking.
Cracked By 巢水工作坊, fly [OCN][FCG][NUKE]
2003-12-06 20:30