Post 2

Post 3
Working on it......

Post 4
sharelock, take another look.

Post 5
It's not a packer that uses multiple threads, is it?

Post 6
TO kimmal: write a tutorial ;)

Post 7
This doesn't look packed at all, no matter how you look at it.
But after looking at kimmal's unpacked file
and comparing it with the packed one, I found that the original OEP entry had been stripped out.

Post 8
Originally posted by fly: TO kimmal: write a tutorial ;)
:)
I don't know how to write a tutorial.
I usually start unpacking from the import table;
packers generally process the import table before jumping to the entry point,
for example by encrypting or initializing it.
This packer doesn't encrypt the import table at all;
you only need to pay attention to its import-table initialization process.
Also, it copies the code section into memory it allocated and executes it there.

Post 9
008BE2ED 6A 00 PUSH 0
008BE2EF E8 D876FFFF CALL 008B59CC ; JMP to KERNEL32.GetModuleHandleA
008BE2F4 A3 8CF84000 MOV DWORD PTR DS:[40F88C],EAX ; Try.00400000
008BE2F9 68 E0D14000 PUSH 40D1E0
008BE2FE 33C9 XOR ECX,ECX
008BE300 BA 64000000 MOV EDX,64
008BE305 A1 8CF84000 MOV EAX,DWORD PTR DS:[40F88C]
008BE30A E8 3977FFFF CALL 008B5A48 =======> after this CALL it flies off!
008BE30F B8 A8FA4000 MOV EAX,40FAA8
008BE314 E8 17BAFFFF CALL 008B9D30
008BE319 B8 B0FA4000 MOV EAX,40FAB0
008BE31E E8 0DBAFFFF CALL 008B9D30
008BE323 B8 90FA4000 MOV EAX,40FA90
008BE328 E8 03BAFFFF CALL 008B9D30
008BE32D B8 98FA4000 MOV EAX,40FA98
I can't trace to the entry point. Would the experts please write a tutorial? Also, the code at the point where it flies off is dynamic, but the machine code doesn't change.

Post 10
Sure.

Post 11
Does this count as unpacking?
Only after seeing brother kimmal's hint did I get it working, but the file size is still very large and I don't know how to fix that.
I traced to
00417017 . /74 30 je short Try.00417049 ; when execution reaches this line, ESI=d4d0
00417019 . |A1 40104200 mov eax, dword ptr ds:[421040]
0041701E . |50 push eax
0041701F . |E8 910A0000 call Try.00417AB5
00417024 . |FF15 441B4200 call dword ptr ds:[421B44]
0041702A . |8B0D 441B4200 mov ecx, dword ptr ds:[421B44]
00417030 . |51 push ecx
00417031 . |E8 7F0A0000 call Try.00417AB5
00417036 . |8BB424 4C010000 mov esi, dword ptr ss:[esp+14C]
0041703D . |83C4 08 add esp, 8
00417040 . |56 push esi
00417041 . |FFD7 call edi
00417043 . |8B4424 34 mov eax, dword ptr ss:[esp+34]
00417047 . |EB 6F jmp short Try.004170B8
I found that if je short Try.00417049 is made not to jump, then inside call dword ptr ds:[421B44] it looks like this
003DDF00 0000 add byte ptr ds:[eax], al
003DDF02 0000 add byte ptr ds:[eax], al
003DDF04 0000 add byte ptr ds:[eax], al
003DDF06 0000 add byte ptr ds:[eax], al
003DDF08 0000 add byte ptr ds:[eax], al
003DDF0A 0000 add byte ptr ds:[eax], al
003DDF0C 0000 add byte ptr ds:[eax], al
003DDF0E 0000 add byte ptr ds:[eax], al
003DDF10 79 FF jns short 003DDF11
003DDF12 FF33 push dword ptr ds:[ebx]
003DDF14 C055 68 E8 rcl byte ptr ss:[ebp+68], 0E8 ; Shift constant out of range 1..31
003DDF18 D840 00 fadd dword ptr ds:[eax]
003DDF1B 64:FF30 push dword ptr fs:[eax]
003DDF1E 64:8920 mov dword ptr fs:[eax], esp
003DDF21 E8 06B2FFFF call 003D912C ; jmp to comctl_1.InitCommonControls
Whereas if it does jump at je short Try.00417049, a registration prompt window pops up; after clicking No, it jumps away at the JNZ below
004170B1 . 56 push esi ; |hOwner
004170B2 . FF15 40F14100 call dword ptr ds:[<&USER32.Messag>; \MessageBoxA ; registration prompt window
004170B8 > 83F8 06 cmp eax, 6
004170BB . 6A 00 push 0 ; /lParam = NULL
004170BD . 0F85 57010000 jnz Try.0041721A ; after choosing No, this jumps
004170C3 . 8B3D 44F14100 mov edi, dword ptr ds:[<&USER32.Cr>; |USER32.CreateWindowExA
004170C9 . 6A 00 push 0 ; |hInst = NULL
From jnz Try.0041721A it jumps to the following
0041721A > \8B0D E81D4200 mov ecx, dword ptr ds:[421DE8]
00417220 . 51 push ecx
00417221 . 8D5424 2C lea edx, dword ptr ss:[esp+2C]
00417225 . 52 push edx
00417226 . FF15 40104200 call dword ptr ds:[421040]
0041722C . 8AD8 mov bl, al
0041722E . A1 40104200 mov eax, dword ptr ds:[421040]
00417233 . 50 push eax
00417234 . E8 7C080000 call Try.00417AB5
00417239 . 83C4 10 add esp, 10
0041723C . 84DB test bl, bl
0041723E . 74 06 je short Try.00417246
00417240 . FF15 441B4200 call dword ptr ds:[421B44]
00417246 > 8B0D 441B4200 mov ecx, dword ptr ds:[421B44]
0041724C . 51 push ecx
0041724D . E8 63080000 call Try.00417AB5
At this point, on reaching 00417240 . FF15 441B4200 call dword ptr ds:[421B44], I found that the code inside had already been restored to normal
003DDF00 55 push ebp
003DDF01 8BEC mov ebp, esp
003DDF03 83C4 F0 add esp, -10
003DDF06 53 push ebx
003DDF07 56 push esi
003DDF08 57 push edi
003DDF09 B8 68D44000 mov eax, 40D468
003DDF0E E8 5579FFFF call 003D5868
003DDF13 33C0 xor eax, eax
003DDF15 55 push ebp
003DDF16 68 E8D84000 push 40D8E8
003DDF1B 64:FF30 push dword ptr fs:[eax]
003DDF1E 64:8920 mov dword ptr fs:[eax], esp
003DDF21 E8 06B2FFFF call 003D912C ; jmp to comctl_1.InitCommonControls
Then, based on the file brother kimmal unpacked, I knew the OEP is 40d4d0; I pasted this repaired code over there and dumped again, and that worked.
But I still can't determine the proper OEP by myself.
I'd be grateful for your guidance.

Post 12
Also:
If, before reaching je short Try.00417049, you first step into the call ebx below
00416FF1 . FFD3 call ebx ;
00416FF3 . 8B7C24 2C mov edi, dword ptr ss:[esp+2C]
00416FF7 . 8B4C24 28 mov ecx, dword ptr ss:[esp+28]
00416FFB . 8B5424 20 mov edx, dword ptr ss:[esp+20]
00416FFF . 8B72 18 mov esi, dword ptr ds:[edx+18]
00417002 . 2BCF sub ecx, edi
00417004 . 8B3D 38F14100 mov edi, dword ptr ds:[<&USER32.De>; USER32.DestroyWindow
0041700A . 03CE add ecx, esi
0041700C . 83C4 0C add esp, 0C
0041700F . 84C0 test al, al
00417011 . 890D 441B4200 mov dword ptr ds:[421B44], ecx
00417017 . 74 30 je short Try.00417049
After entering call ebx we arrive at
003DE670 83EC 3C sub esp, 3C
003DE673 56 push esi
003DE674 57 push edi
003DE675 8B7C24 48 mov edi, dword ptr ss:[esp+48]
003DE679 33F6 xor esi, esi
003DE67B EB 03 jmp short 003DE680
003DE67D 8D49 00 lea ecx, dword ptr ds:[ecx]
003DE680 A1 DC1D4200 mov eax, dword ptr ds:[421DDC]
003DE685 8B0D D81D4200 mov ecx, dword ptr ds:[421DD8]
003DE68B 8B15 D01D4200 mov edx, dword ptr ds:[421DD0]
003DE691 50 push eax
003DE692 8B44F7 04 mov eax, dword ptr ds:[edi+esi*8+4>
003DE696 51 push ecx
003DE697 8B0CF7 mov ecx, dword ptr ds:[edi+esi*8]
003DE69A 6A 00 push 0
003DE69C 52 push edx
003DE69D 50 push eax
003DE69E 51 push ecx
003DE69F E8 CC7B0300 call Try.00416270
003DE6A4 83C4 18 add esp, 18
003DE6A7 66:894474 10 mov word ptr ss:[esp+esi*2+10], ax
003DE6AC 46 inc esi
003DE6AD 83FE 02 cmp esi, 2
003DE6B0 ^ 7C CE jl short 003DE680
003DE6B2 8B5424 4C mov edx, dword ptr ss:[esp+4C]
003DE6B6 3B5424 10 cmp edx, dword ptr ss:[esp+10]
003DE6BA 75 4C jnz short 003DE708 ; as long as this doesn't jump, the mov dword ptr ds:[edi+ecx], eax below will restore the code at 3ddf00.
003DE6BC 33FF xor edi, edi
003DE6BE 33F6 xor esi, esi
003DE6C0 A1 DC1D4200 mov eax, dword ptr ds:[421DDC]
003DE6C5 8B0D D81D4200 mov ecx, dword ptr ds:[421DD8]
003DE6CB 8B15 D01D4200 mov edx, dword ptr ds:[421DD0]
003DE6D1 50 push eax
003DE6D2 A1 E41D4200 mov eax, dword ptr ds:[421DE4]
003DE6D7 51 push ecx
003DE6D8 8B4C06 04 mov ecx, dword ptr ds:[esi+eax+4]
003DE6DC 6A 00 push 0
003DE6DE 52 push edx
003DE6DF 8B1406 mov edx, dword ptr ds:[esi+eax]
003DE6E2 51 push ecx
003DE6E3 52 push edx
003DE6E4 E8 877B0300 call Try.00416270
003DE6E9 8B0D E01D4200 mov ecx, dword ptr ds:[421DE0]
003DE6EF 89040F mov dword ptr ds:[edi+ecx], eax
003DE6F2 83C6 08 add esi, 8
003DE6F5 83C4 18 add esp, 18
003DE6F8 83C7 04 add edi, 4
003DE6FB 83FE 20 cmp esi, 20
003DE6FE ^ 7C C0 jl short 003DE6C0 ; loop that restores the code at 3ddf00
003DE700 5F pop edi
003DE701 B0 01 mov al, 1
003DE703 5E pop esi
003DE704 83C4 3C add esp, 3C
003DE707 C3 retn
After returning,
00417017 . 74 30 je short Try.00417049 no longer jumps here, and the software just runs normally.
But it feels like I only removed the NAG and didn't actually unpack it?

Post 13
Give it a try.

Post 14
Bosses, please give me some advice: does what I did count as unpacking?

Post 15
Unpack at the relocated OEP,
or make it restore to the original OEP,
rather than just jumping past the nag.

Post 16
When you have time, boss, could you explain in detail: does my first method count as unpacking after relocation?

Post 17
003DDF00?
Can you unpack there?
This packer was made ages ago; better let kimmal write it up.

Post 18
Set a breakpoint with bp LoadLibraryA; after returning:
003DDED8 55 PUSH EBP // Is this the entry point? After dumping, the program won't run.
003DDED9 8BEC MOV EBP,ESP
003DDEDB 83C4 F0 ADD ESP,-10
003DDEDE 53 PUSH EBX
003DDEDF 56 PUSH ESI
003DDEE0 57 PUSH EDI
003DDEE1 B8 68D44000 MOV EAX,40D468
003DDEE6 E8 5579FFFF CALL 003D5840
003DDEEB 33C0 XOR EAX,EAX
003DDEED 55 PUSH EBP
003DDEEE 68 E8D84000 PUSH 40D8E8
003DDEF3 64:FF30 PUSH DWORD PTR FS:[EAX]
003DDEF6 64:8920 MOV DWORD PTR FS:[EAX],ESP
003DDEF9 E8 06B2FFFF CALL 003D9104 ; JMP to comctl_1.InitCommonControls
003DDEFE 33C0 XOR EAX,EAX
003DDF00 55 PUSH EBP
003DDF01 68 CBD84000 PUSH 40D8CB
003DDF06 64:FF30 PUSH DWORD PTR FS:[EAX]
003DDF09 64:8920 MOV DWORD PTR FS:[EAX],ESP
003DDF0C 68 F8D84000 PUSH 40D8F8 ; ASCII "KERNEL32.DLL"
003DDF11 E8 3E7AFFFF CALL 003D5954 ; JMP to kernel32.LoadLibraryA
003DDF16 A3 CCE24000 MOV DWORD PTR DS:[40E2CC],EAX // returns here. ; kernel32.77E40000
003DDF1B 68 08D94000 PUSH 40D908 ; ASCII "GetProcAddress"
003DDF20 A1 CCE24000 MOV EAX,DWORD PTR DS:[40E2CC]
003DDF25 50 PUSH EAX
003DDF26 E8 017AFFFF CALL 003D592C ; JMP to kernel32.GetProcAddress
003DDF2B 89C3 MOV EBX,EAX
003DDF2D BA E4FA4000 MOV EDX,40FAE4
003DDF32 B8 20D94000 MOV EAX,40D920 ; ASCII "47657450726F6341646472657373"
003DDF37 E8 04B9FFFF CALL 003D9840
003DDF3C A1 E4FA4000 MOV EAX,DWORD PTR DS:[40FAE4]
003DDF41 E8 2A65FFFF CALL 003D4470
003DDF46 50 PUSH EAX
003DDF47 A1 CCE24000 MOV EAX,DWORD PTR DS:[40E2CC]
003DDF4C 50 PUSH EAX
003DDF4D FFD3 CALL NEAR EBX
003DDF4F 89C3 MOV EBX,EAX
003DDF51 BA E4FA4000 MOV EDX,40FAE4
003DDF56 B8 48D94000 MOV EAX,40D948 ; ASCII "4C6F61644C69627261727941"
003DDF5B E8 E0B8FFFF CALL 003D9840
003DDF60 A1 E4FA4000 MOV EAX,DWORD PTR DS:[40FAE4]
003DDF65 E8 0665FFFF CALL 003D4470
003DDF6A 50 PUSH EAX
003DDF6B A1 CCE24000 MOV EAX,DWORD PTR DS:[40E2CC]
003DDF70 50 PUSH EAX
003DDF71 FFD3 CALL NEAR EBX
003DDF73 89C6 MOV ESI,EAX
003DDF75 BA E4FA4000 MOV EDX,40FAE4
003DDF7A B8 6CD94000 MOV EAX,40D96C ; ASCII "467265654C696272617279"
003DDF7F E8 BCB8FFFF CALL 003D9840
003DDF84 A1 E4FA4000 MOV EAX,DWORD PTR DS:[40FAE4]
003DDF89 E8 E264FFFF CALL 003D4470
003DDF8E 50 PUSH EAX
003DDF8F A1 CCE24000 MOV EAX,DWORD PTR DS:[40E2CC]
003DDF94 50 PUSH EAX
003DDF95 FFD3 CALL NEAR EBX
003DDF97 A3 C8E24000 MOV DWORD PTR DS:[40E2C8],EAX
003DDF9C BA E4FA4000 MOV EDX,40FAE4
003DDFA1 B8 8CD94000 MOV EAX,40D98C ; ASCII "4578697450726F63657373"
003DDFA6 E8 95B8FFFF CALL 003D9840
003DDFAB A1 E4FA4000 MOV EAX,DWORD PTR DS:[40FAE4]
FLY, please advise!
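The listing above shows the packer storing the names of the APIs it resolves as hex-digit ASCII strings (47657450726F6341646472657373 is "GetProcAddress") and decoding them at run time before calling GetProcAddress. As an added example, not code from this thread, the following Python scans a dump for such strings and decodes them, which is a quick way to recover which APIs a packer resolves dynamically; the sample blob is constructed here to mimic the strings in the listing.

```python
import re
import string

# Constructed sample fragment of a dumped image: plain strings, the four
# hex-encoded API names seen in the listing above, and a hex run that does
# not decode to text (so it must be filtered out).
SAMPLE = (
    b"\x00\x00KERNEL32.DLL\x00GetProcAddress\x00"
    b"47657450726F6341646472657373\x00"   # GetProcAddress
    b"4C6F61644C69627261727941\x00"       # LoadLibraryA
    b"467265654C696272617279\x00"         # FreeLibrary
    b"4578697450726F63657373\x00"         # ExitProcess
    b"DEADBEEF\x00"                       # decodes to non-printable bytes
    b"\x90\x90\xcc"
)

# A run of at least 8 hex digits (4 decoded characters) is worth looking at.
HEX_RUN = re.compile(rb"[0-9A-Fa-f]{8,}")
# Printable ASCII without control whitespace; API names are plain text.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def decode_hex_strings(blob, min_len=4):
    """Return (offset, encoded, decoded) for every run of hex digits in blob
    that decodes to printable ASCII of at least min_len characters.
    An odd-length run has its last digit dropped before decoding."""
    results = []
    for m in HEX_RUN.finditer(blob):
        enc = m.group()
        if len(enc) % 2:
            enc = enc[:-1]
        raw = bytes.fromhex(enc.decode())
        if len(raw) >= min_len and all(c in PRINTABLE for c in raw):
            results.append((m.start(), enc.decode(), raw.decode()))
    return results


if __name__ == "__main__":
    for off, enc, dec in decode_hex_strings(SAMPLE):
        print(f"{off:#08x}  {enc}  ->  {dec}")
```

Run it against a real dump by replacing SAMPLE with the file's bytes; the offsets let you cross-reference each string with the MOV EAX, imm32 that loads it.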