• Title: Unpacking UPXShit 0.06: the PEiD v0.91 main executable
  • Author: fly
  • Date: 2003-11-20, Thursday, 2:56 AM
  • Link: http://bbs.pediy.com

Download:  http://www.absolutelock.de/construction/files/releases/PEiD.zip  
File size:  91 KB

[Software description]: PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 450 different signatures in PE files. Recoded everything again. New faster and better scanning engine. New internal signature system. MFS v0.02 now supports Recursive Scanning. Commandline Parser now updated and more powerful. Detections fine tuned and newer detections added. Very basic Heuristic scanning. 

[Author's note]: I am a beginner at cracking and do this purely out of interest, with no other motive. Where I have slipped up, I would be grateful for corrections from the experts!

[Debugging environment]: WinXP, OllyDbg 1.09, PEiD, LordPE, ImportREC

————————————————————————————————— 
[Unpacking process]:
          

PEiD is my favourite packer-identification tool, and the new version's detection is stronger still: it identifies ACProtect as "UltraProtect 1.x -> RISCO Software Inc.", which FI 3.01 cannot. The two bundled plug-ins are also quite useful.
 
snaker presumably faced a dilemma when packing PEiD: packing it with something PEiD itself could not detect would be a little embarrassing. So he used his own UPXShit. PEiD's scan of itself reports "UPXShit 0.06 -> snaker" with OEP=425AEF, whereas FI reports only "PE Win GUI *UNKNOWN*" and cannot identify it.

I recall that PEiD v0.9 was packed with UPXShit 0.05, and sinker wrote up the unpacking process for it.
Sleepless tonight, I took a moment to see whether UPXShit 0.06 had changed, and found a small shortcut.

————————————————————————
Manual unpacking with OllyDbg, the usual routine: after loading, OllyDbg asks "Compressed code? Do you want to continue analysis?"; answer "No".


00435FE9     B8 D35F4300          mov eax,PEiD.00435FD3
                                  ====>OllyDbg stops here after loading (the packed entry point)!
00435FEE     B9 15000000          mov ecx,15
00435FF3     803408 FD            xor byte ptr ds:[eax+ecx],0FD
00435FF7     E2 FA                loopd short PEiD.00435FF3
00435FF9     E9 D6FFFFFF          jmp PEiD.00435FD4

Set a breakpoint with BP LoadLibraryA, press F9 to run until it breaks, then remove the breakpoint and press Ctrl+F9 (execute till return).

77E605D8     837C24 04 00         cmp dword ptr ss:[esp+4],0
                                  ====>breaks here
77E605DD     53                   push ebx
77E605DE     56                   push esi
77E605DF     74 19                je short kernel32.77E605FA
77E605E1     68 9C5BE777          push kernel32.77E75B9C    
77E605E6     FF7424 10            push dword ptr ss:[esp+10]
77E605EA     FF15 9013E477        call dword ptr ds:[<&ntdll._strcmpi>] 
77E605F0     85C0                 test eax,eax
77E605F2     59                   pop ecx
77E605F3     59                   pop ecx
77E605F4     0F84 76AF0100        je kernel32.77E7B570
77E605FA     6A 00                push 0
77E605FC     6A 00                push 0
77E605FE     FF7424 14            push dword ptr ss:[esp+14]
77E60602     E8 B1FFFFFF          call kernel32.LoadLibraryExA
77E60607     5E                   pop esi
77E60608     5B                   pop ebx
77E60609     C2 0400              retn 4
                                  ====>returns to 00435FA8


00435FA2     FF96 84560300        call dword ptr ds:[esi+35684]
00435FA8     95                   xchg eax,ebp
                                  ====>we land here; scroll down to find the popad
00435FA9     8A07                 mov al,byte ptr ds:[edi]
00435FAB     47                   inc edi
00435FAC     08C0                 or al,al
00435FAE     74 DC                je short PEiD.00435F8C
00435FB0     89F9                 mov ecx,edi
00435FB2     57                   push edi
00435FB3     48                   dec eax
00435FB4     F2:AE                repne scas byte ptr es:[edi]
00435FB6     55                   push ebp
00435FB7     FF96 88560300        call dword ptr ds:[esi+35688]
00435FBD     09C0                 or eax,eax
00435FBF     74 07                je short PEiD.00435FC8
00435FC1     8903                 mov dword ptr ds:[ebx],eax
00435FC3     83C3 04              add ebx,4
00435FC6     EB E1                jmp short PEiD.00435FA9
00435FC8     FF96 8C560300        call dword ptr ds:[esi+3568C]
00435FCE     61                   popad
                                  ====>set a breakpoint here and press F9; execution breaks on it
00435FCF     E9 1BFBFEFF          jmp PEiD.00425AEF
                                  ====>off to the summit of light (the OEP)!

————————————————————————

00425AEF     55                   push ebp
                                  ====>at this point do a full dump of the process with LordPE
00425AF0     8BEC                 mov ebp,esp
00425AF2     6A FF                push -1
00425AF4     68 78724100          push PEiD.00417278
00425AF9     68 7C5C4200          push PEiD.00425C7C

————————————————————————

Run ImportREC and select this process. Set the OEP to 00025AEF (ImportREC wants the RVA, i.e. 00425AEF minus the 00400000 image base), click IT AutoSearch, click "Get Imports", then Fix Dump. The fixed dump runs normally!
File size 78.4 KB -> 224 KB after unpacking; the program was written in Visual C++ 6.0.

—————————————————————————————————

Heh, there is an even faster way, the shortcut I mentioned: hardly any tracing is needed.


Load the program in OllyDbg and simply press F9 to run PEiD v0.91. Because the stub's XOR decryption layers have now executed, the code directly above the entry point is readable in the disassembly window. Take a look:


00435FC8     FF96 8C560300        call dword ptr ds:[esi+3568C]
00435FCE     61                   popad
00435FCF     E9 1BFBFEFF          jmp PEiD.00425AEF
                                  ====>this is the jump to the OEP. Set a hardware breakpoint on execution here and restart the program; it breaks right here
00435FD4     B8 7F5E4300          mov eax,PEiD.00435E7F
00435FD9     B9 54010000          mov ecx,154
00435FDE     803408 FD            xor byte ptr ds:[eax+ecx],0FD
00435FE2     E2 FA                loopd short PEiD.00435FDE
00435FE4     E9 97FEFFFF          jmp PEiD.00435E80
00435FE9     B8 D35F4300          mov eax,PEiD.00435FD3
                                  ====>OllyDbg stops here after loading (the packed entry point)!


Heh, now look at PEiD v0.9, packed with UPXShit 0.05, with the same method:

0041FB8E     61                   popad
0041FB8F     E9 7B18FFFF          jmp PEiD.0041140F
                                  ====>this is the jump to the OEP
0041FB94     B8 40FA4100          mov eax, PEiD.0041FA40
0041FB99     B9 54010000          mov ecx, 154
0041FB9E     83F9 00              cmp ecx, 0
0041FBA1     7E 06                jle short PEiD.0041FBA9
0041FBA3     8030 F7              xor byte ptr ds:[eax], 0F7
0041FBA6     40                   inc eax
0041FBA7     E2 F5                loopd short PEiD.0041FB9E
0041FBA9     E9 92FEFFFF          jmp PEiD.0041FA40
0041FBAE     B8 94FB4100          mov eax, PEiD.0041FB94
0041FBB3     B9 1A000000          mov ecx, 1A
0041FBB8     83F9 00              cmp ecx, 0
0041FBBB     7E 06                jle short PEiD.0041FBC3
0041FBBD     8030 F7              xor byte ptr ds:[eax], 0F7
0041FBC0     40                   inc eax
0041FBC1     E2 F5                loopd short PEiD.0041FBB8
0041FBC3     E9 CCFFFFFF          jmp PEiD.0041FB94
0041FBC8     B8 AEFB4100          mov eax, PEiD.0041FBAE
0041FBCD     B9 1A000000          mov ecx, 1A
0041FBD2     83F9 00              cmp ecx, 0
0041FBD5     7E 06                jle short PEiD.0041FBDD
0041FBD7     8030 F7              xor byte ptr ds:[eax], 0F7
0041FBDA     40                   inc eax
0041FBDB     E2 F5                loopd short PEiD.0041FBD2
0041FBDD     E9 CCFFFFFF          jmp PEiD.0041FBAE
0041FBE2     B8 C8FB4100          mov eax, PEiD.0041FBC8
                                  ====>OllyDbg stops here after loading (the packed entry point)!
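
The two listings show why the shortcut works: both UPXShit versions are just a chain of tiny XOR stubs (0.06: `xor byte [eax+ecx],0FDh` indexed backwards over addr+1..addr+count; 0.05: `xor byte [eax],0F7h` with `inc eax` over addr..addr+count-1), each jumping into the region it has just decrypted, until the real tail `popad ; jmp OEP` is reached. The following script is an added example and is not fly's code nor snaker's packer: it recognises both stub shapes from the byte patterns in the listings, peels the layers statically in a copy of the buffer, and computes the OEP from the `61 E9 rel32` tail, so the jump target can be confirmed without running the program. The PEiD image itself is not embedded; the decoded sample is a constructed buffer built by `build_sample_006`, and the only real bytes are the 0.05 stub and the two `popad ; jmp` tails quoted in the post.

```python
import struct

# Added example (not the packer's code). Stub shapes taken from the listings:
# 0.06 layer:  B8 addr | B9 count | 80 34 08 FD (xor byte [eax+ecx],0FDh)
#              E2 FA (loop) | E9 rel32      -> decrypts addr+1 .. addr+count
# 0.05 layer:  B8 addr | B9 count | 83 F9 00 7E 06 (cmp ecx,0 ; jle)
#              80 30 F7 40 (xor byte [eax],0F7h ; inc eax) | E2 F5 | E9 rel32
#                                            -> decrypts addr .. addr+count-1
BODY_006 = bytes.fromhex("803408FDE2FA")
BODY_005 = bytes.fromhex("83F9007E068030F740E2F5")

# Real stub bytes copied from the UPXShit 0.05 listing (VA 0041FB94..0041FBAD).
PAGE_005_STUB = bytes.fromhex(
    "B840FA4100" "B954010000" "83F9007E068030F740E2F5" "E992FEFFFF")


def parse_layer(image, va, base):
    """Decode one decryption stub at VA `va`; None if the bytes do not match."""
    off = va - base
    if off < 0 or off + 10 > len(image) or image[off] != 0xB8 or image[off + 5] != 0xB9:
        return None
    addr, = struct.unpack_from("<I", image, off + 1)
    count, = struct.unpack_from("<I", image, off + 6)
    body = off + 10
    if image[body:body + len(BODY_006)] == BODY_006:
        key, first, jmp = 0xFD, addr + 1, body + len(BODY_006)
    elif image[body:body + len(BODY_005)] == BODY_005:
        key, first, jmp = 0xF7, addr, body + len(BODY_005)
    else:
        return None
    if jmp + 5 > len(image) or image[jmp] != 0xE9:
        return None
    rel, = struct.unpack_from("<i", image, jmp + 1)
    nxt = (base + jmp + 5 + rel) & 0xFFFFFFFF      # jmp target = next insn + rel32
    return {"va": va, "key": key, "first": first, "length": count, "next": nxt}


def peel(image, entry_va, base, max_layers=16):
    """Follow the stub chain from the entry point, XOR-decrypting each layer in a
    copy of `image`. Returns (decrypted_image, layers, first_non_stub_va)."""
    image = bytearray(image)
    layers, va = [], entry_va
    for _ in range(max_layers):
        layer = parse_layer(image, va, base)
        if layer is None:
            break
        lo = layer["first"] - base
        hi = lo + layer["length"]
        if lo < 0 or hi > len(image):
            raise ValueError("layer at %#x decrypts outside the image" % va)
        for i in range(lo, hi):
            image[i] ^= layer["key"]
        layers.append(layer)
        va = layer["next"]
    return bytes(image), layers, va


def find_oep(image, base, start_va=None):
    """Find the 'popad ; jmp OEP' tail (61 E9 rel32) at or after `start_va` and
    return the jump target, i.e. the OEP. None if the pattern is absent."""
    off = image.find(b"\x61\xE9", 0 if start_va is None else start_va - base)
    if off < 0 or off + 6 > len(image):
        return None
    rel, = struct.unpack_from("<i", image, off + 2)
    return (base + off + 6 + rel) & 0xFFFFFFFF


def stub_006(addr, count, stub_va, target_va):
    """Emit a 21-byte 0.06-style stub located at stub_va that jumps to target_va."""
    rel = target_va - (stub_va + 21)
    return (b"\xB8" + struct.pack("<I", addr) + b"\xB9" + struct.pack("<I", count)
            + BODY_006 + b"\xE9" + struct.pack("<i", rel))


def build_sample_006(base=0x401000, oep_va=0x401200):
    """Constructed image (not PEiD): 'popad ; jmp oep' at +0x10 wrapped in two
    0.06 layers, entry stub at +0x40. Returns (image, entry_va)."""
    img = bytearray(b"\xCC" * 0x60)
    tail = b"\x61\xE9" + struct.pack("<i", oep_va - (base + 0x16))
    img[0x10:0x10 + len(tail)] = tail
    img[0x10 + len(tail):0x20] = b"\x90" * (0x10 - len(tail))
    img[0x20:0x35] = stub_006(base + 0x0F, 0x10, base + 0x20, base + 0x10)  # inner
    img[0x40:0x55] = stub_006(base + 0x1F, 0x15, base + 0x40, base + 0x20)  # entry
    for lo, hi in ((0x10, 0x20), (0x20, 0x35)):      # "pack": apply the XOR layers
        for i in range(lo, hi):
            img[i] ^= 0xFD
    return bytes(img), base + 0x40


def demo(base=0x401000):
    img, entry = build_sample_006(base)
    decoded, layers, stop = peel(img, entry, base)
    return layers, stop, find_oep(decoded, base, stop)


if __name__ == "__main__":
    layers, stop, oep = demo()
    for l in layers:
        print("layer %08X: xor %02X over %08X..%08X, jmp %08X" % (
            l["va"], l["key"], l["first"], l["first"] + l["length"] - 1, l["next"]))
    print("chain ends at %08X, popad;jmp -> OEP %08X" % (stop, oep))
    # Same arithmetic on the tails quoted in the post: 425AEF and 41140F.
    print("PEiD 0.91 OEP: %08X" % find_oep(bytes.fromhex("61E91BFBFEFF"), 0x435FCE))
    print("PEiD 0.9  OEP: %08X" % find_oep(bytes.fromhex("61E97B18FFFF"), 0x41FB8E))
```

Fed the raw bytes of the packed section (at its virtual base) instead of the constructed buffer, `peel` stops at the first address that is not a stub, which is exactly the `popad` the post breaks on, and `find_oep` yields the same target PEiD reports. The layer sizes in the listings check out against the stub semantics: the 0.06 entry stub decrypts 0x15 = 21 bytes, the length of one stub, and the 0x154-byte layers in both versions end exactly where the next stub begins.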


—————————————————————————————————
    
                                
         ,     _/ 
        /| _.-~/            _     ,        Youth is but a moment;
       ( /~   /              ~-._ |
       `\  _/                   ~ )          gladly trade hollow fame
   _-~~~-.)  )__/;;,.          _  //'
  /'_,   --~    ~~~-  ,;;___(  (.-~~~-.        for the wild abandon of cracking
 `~ _( ,_..-- (     ,;'' /    ~--   /._` 
  /~~//'   /' `~         ) /--.._, )_  `~
  "  `~"  "      `"      /~'`    `\~~   
                         "     "   "~'  ""

    

                Cracked by 巢水工作坊 (Chaoshui Workshop): fly [OCN][FCG][NUKE]

                               2003-11-20   0:15