【Software intro】: linson: "Took some time to update it and trimmed some of the junk instructions. Unpacking this packer with OllyDbg is quite unpleasant work."
【Software download】: click to download
【Author's statement】: Purely out of interest, no other purpose. If I got anything wrong, corrections from the experts are welcome!
【Debugging environment】: WinXP, OllyDbg 1.09, PEiD, LordPE, ImportREC
—————————————————————————————————
【Unpacking process】:
Set OllyDbg to ignore all exceptions. As usual, use the IsDebug 1.4 plugin to clear OllyDbg's debugger flag.
00405060 55 push ebp // stops here after loading in OD!
00405061 8BEC mov ebp,esp
00405063 6A FF push -1
00405065 68 951D4000 push XPAL4.00401D95
0040506A 68 3E1E4000 push XPAL4.00401E3E
0040506F 64:A1 00000000 mov eax,dword ptr fs:[0]
00405075 50 push eax
00405076 64:8925 00000000 mov dword ptr fs:[0],esp
0040507D 83EC 44 sub esp,44
00405080 53 push ebx
00405081 56 push esi
00405082 57 push edi
00405083 66:9C pushfw
00405085 6A 10 push 10
00405087 73 0B jnb short XPAL4.00405094
00405089 EB 02 jmp short XPAL4.0040508D
————————————————————————
Set a hardware execution breakpoint directly on CloseHandle, press F9 to run, and it breaks:
77E57963 64:A1 18000000 mov eax,dword ptr fs:[18] // breaks here! Remove the breakpoint, then Ctrl+F9 to execute till return
77E57969 8B48 30 mov ecx,dword ptr ds:[eax+30]
77E5796C 8B4424 04 mov eax,dword ptr ss:[esp+4]
77E57970 83F8 F4 cmp eax,-0C
77E57973 0F84 4CB4FFFF je kernel32.77E52DC5
77E57979 83F8 F5 cmp eax,-0B
77E5797C 0F84 38B4FFFF je kernel32.77E52DBA
77E57982 83F8 F6 cmp eax,-0A
77E57985 0F84 0F500200 je kernel32.77E7C99A
77E5798B 8BC8 mov ecx,eax
77E5798D 81E1 03000010 and ecx,10000003
77E57993 83F9 03 cmp ecx,3
77E57996 50 push eax
77E57997 0F84 26870000 je kernel32.77E600C3
77E5799D FF15 3C10E477 call dword ptr ds:[<&ntdll.NtClose>]
77E579A3 85C0 test eax,eax
77E579A5 0F8C 02B4FFFF jl kernel32.77E52DAD
77E579AB 33C0 xor eax,eax
77E579AD 40 inc eax
77E579AE C2 0400 retn 4 // returns to 004055B2
004055B2 58 pop eax
004055B3 8B85 B0284000 mov eax,dword ptr ss:[ebp+4028B0]
004055B9 BB 01000000 mov ebx,1
004055BE E8 08000000 call XPAL4.004055CB
004055C3 8D85 C9234000 lea eax,dword ptr ss:[ebp+4023C9]
004055C9 50 push eax
004055CA C3 retn // returns to 00405694
00405694 50 push eax
00405695 8B9D B0284000 mov ebx,dword ptr ss:[ebp+4028B0] // EBX=00400000 (image base)
0040569B 66:9C pushfw
0040569D 6A 10 push 10
0040569F 73 0B jnb short XPAL4.004056AC
004056AC 73 F7 jnb short XPAL4.004056A5
004056A5 E8 06000000 call XPAL4.004056B0
004056B0 83C4 04 add esp,4
004056B3 EB 02 jmp short XPAL4.004056B7
004056B7 FF0C24 dec dword ptr ss:[esp]
004056BA 71 01 jno short XPAL4.004056BD
004056BD 79 E0 jns short XPAL4.0040569F // F4 here to step past the junk loop
004056BF 7A 01 jpe short XPAL4.004056C2
004056C2 83C4 04 add esp,4
004056C5 66:9D popfw
004056C7 71 03 jno short XPAL4.004056CC
004056CC 8B85 B4284000 mov eax,dword ptr ss:[ebp+4028B4]
004056D2 64:FF35 00000000 push dword ptr fs:[0]
004056D9 6A 00 push 0
004056DB 64:FF35 00000000 push dword ptr fs:[0]
004056E2 64:8925 00000000 mov dword ptr fs:[0],esp
004056E9 83C4 08 add esp,8
004056EC 6A 00 push 0
004056EE 64:FF35 00000000 push dword ptr fs:[0]
004056F5 64:8925 00000000 mov dword ptr fs:[0],esp
004056FC 83C4 08 add esp,8
004056FF 64:8F05 00000000 pop dword ptr fs:[0]
00405706 66:9C pushfw
00405708 6A 10 push 10
0040570A 73 0B jnb short XPAL4.00405717 // F4 straight to here
00405717 73 F7 jnb short XPAL4.00405710
00405710 E8 06000000 call XPAL4.0040571B
0040571B 83C4 04 add esp,4
0040571E EB 02 jmp short XPAL4.00405722
00405722 FF0C24 dec dword ptr ss:[esp]
00405725 71 01 jno short XPAL4.00405728
00405728 79 E0 jns short XPAL4.0040570A // F4 here to step past the junk loop
0040572A 7A 01 jpe short XPAL4.0040572D
0040572D 83C4 04 add esp,4
00405730 66:9D popfw
00405732 71 03 jno short XPAL4.00405737
00405737 03D8 add ebx,eax // EBX = 00400000 + 00002F6D = 00402F6D, and that is the OEP
00405739 66:9C pushfw
0040573B 6A 10 push 10
0040573D 73 0B jnb short XPAL4.0040574A
0040573F EB 02 jmp short XPAL4.00405743
OK, set a memory access breakpoint on a few bytes at address 00402F6D, press F9 to run, and it breaks at the OEP!
————————————————————————
00402F6D 6A 00 push 0 // here, correct the ImageSize with LordPE and then fully dump the process
00402F6F E8 36000000 call 00402FAA
00402F74 A3 00104000 mov dword ptr ds:[401000],eax
00402F79 6A 00 push 0
00402F7B 68 232D4000 push 402D23
00402F80 6A 00 push 0
00402F82 6A 64 push 64
00402F84 50 push eax
00402F85 E8 56000000 call 00402FE0
00402F8A 6A 00 push 0
00402F8C E8 0D000000 call 00402F9E
00402F91 CC int3
00402F92 FF25 B0124000 jmp dword ptr ds:[4012B0]
00402F98 FF25 B4124000 jmp dword ptr ds:[4012B4]
00402F9E FF25 B8124000 jmp dword ptr ds:[4012B8]
00402FA4 FF25 BC124000 jmp dword ptr ds:[4012BC]
———————————————————————
Run ImportREC and select this process. Set the OEP to 00002F6D, click IAT AutoSearch, then click "Get Imports", and use "Trace level 1" to fix all invalid functions. Fix Dump, and it runs normally! Delete the XJ section and rebuild the PE: 16.7K -> 13K
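The thunks at 00402F92-00402FA4 (jmp dword ptr [4012B0] and so on) are what ImportREC's IAT search is looking for. The script below, an added example that is not part of the original post, scans a code blob for FF 25 disp32 jumps, derives the IAT RVA and size from the referenced slots, and computes the OEP RVA from the image base, using the bytes and addresses copied from the listing above as constructed sample input. The function names are my own.

```python
import struct

# Constructed sample input: the int3 at 00402F91 followed by the four FF25 thunks
# exactly as they appear in the dumped listing above.
SAMPLE_VA = 0x00402F91
SAMPLE_BYTES = bytes.fromhex(
    "CC"              # 00402F91 int3
    "FF25B0124000"    # 00402F92 jmp dword ptr [4012B0]
    "FF25B4124000"    # 00402F98 jmp dword ptr [4012B4]
    "FF25B8124000"    # 00402F9E jmp dword ptr [4012B8]
    "FF25BC124000"    # 00402FA4 jmp dword ptr [4012BC]
)
IMAGE_BASE = 0x00400000   # the EBX value seen in the unpacking stub
OEP_VA = 0x00402F6D       # the OEP found above


def find_jmp_thunks(code, code_va):
    """Return [(thunk_va, iat_slot_va)] for each FF 25 disp32 (jmp [abs32]).

    The pattern can also occur inside unrelated instructions, so on real dumps
    the slots should be checked against the section that holds the IAT.
    """
    thunks = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x25:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            thunks.append((code_va + i, slot))
            i += 6
        else:
            i += 1
    return thunks


def iat_range(thunks, image_base):
    """RVA and size of the contiguous IAT block that the first slot belongs to."""
    slots = sorted({slot for _, slot in thunks})
    if not slots:
        return None
    start = end = slots[0]
    for s in slots[1:]:
        if s != end + 4:      # a gap means a second block; stop at the first one
            break
        end = s
    return (start - image_base, end - start + 4)


def oep_rva(image_base, oep_va):
    """The value ImportREC expects in its OEP field (VA minus image base)."""
    return oep_va - image_base
```

With the sample bytes this reports IAT RVA 0x12B0, size 0x10, and OEP RVA 0x2F6D, matching the values used in the ImportREC step.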
—————————————————————————————————
Alternatively, right after loading the program, set a hardware execution breakpoint on GetModuleHandleA and press F9 to run; it breaks. The third break leads straight to the OEP.
77E59F93 837C24 04 00 cmp dword ptr ss:[esp+4],0
77E59F98 0F84 23060000 je kernel32.77E5A5C1
77E59F9E FF7424 04 push dword ptr ss:[esp+4]
77E59FA2 E8 55080000 call kernel32.77E5A7FC
77E59FA7 85C0 test eax,eax
77E59FA9 74 08 je short kernel32.77E59FB3
77E59FAB FF70 04 push dword ptr ds:[eax+4]
77E59FAE E8 B0060000 call kernel32.GetModuleHandleW
77E59FB3 C2 0400 retn 4
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
GetModuleHandleA stack (the three breaks, as shown in OllyDbg's stack window):
1.
0012F7E8 77C059FC /CALL 到 GetModuleHandleA 来自 msvcrt.77C059F6
0012F7EC 77BE31AC pModule = "kernel32.dll"
2.
0012F8AC 772AD205 /CALL 到 GetModuleHandleA 来自 SHLWAPI.772AD1FF
0012F8B0 772B02D8 pModule = "KERNEL32.DLL"
3.
0012FFCC 00402F74 /CALL 到 GetModuleHandleA 来自 00402F6F // return address inside the program
0012FFD0 00000000 pModule = NULL
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
00402F6D 6A 00 push 0 // OEP
00402F6F E8 36000000 call 00402FAA
00402F74 A3 00104000 mov dword ptr ds:[401000],eax ; XPAL4.00400000 // Ctrl+F9 returns straight to here!
00402F79 6A 00 push 0
00402F7B 68 232D4000 push 402D23
00402F80 6A 00 push 0
00402F82 6A 64 push 64
00402F84 50 push eax
00402F85 E8 56000000 call 00402FE0
—————————————————————————————————
Youth is but a moment;
I'd rather trade empty fame
for the carefree abandon of cracking
Cracked By 巢水工作坊——fly [OCN][FCG][NUKE][DCM]
2004-01-11 15:40