Does the program have anti-debug functionality? Problem unpacking Themida & WinLicense 2.0 - 2.4.6
This post was last edited by Marriner on 2021-12-3 18:49
I used Themida - Winlicense Ultra Unpacker 1.4.txt to unpack, and it stops at the step below. Could an expert take a look at how to continue? Thanks!
Log data
Address Message
Themida - Winlicense Ultra Unpacker 1.4
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
00AB0A0F Breakpoint at 00AB0A0F
00AB0A10 Breakpoint at 00AB0A10
00AC0054 Breakpoint at 00AC0054
OS=x86 32-Bit
00AC0056 Breakpoint at 00AC0056
00AE0021 Breakpoint at 00AE0021
00AE0028 Breakpoint at 00AE0028
2.434 MB +/-
8.244 MB +/-
Your target is a >>> Dynamic <<< Link Library!
Note: If possible then don't use the VM OEP for dlls if real OEP is not stolen!
Change VM OEP after popad to JMP Target OEP!
Or
Just set a another push 0 before VM OEP push = 2 pushes before jump to WL VM!
OEP change if you want to keep VM OEP for Dll
-------------------------------------------------
popad
mov ebp, Align
push 0
push VM OEP Value
jmp WL VM
-------------------------------------------------
Exsample: Not stolen Dll OEP!
-------------------------------------------------
100084D2 MOV EDI,EDI
100084D4 PUSH EBP
100084D5 MOV EBP,ESP
100084D7 CMP DWORD PTR SS:[EBP+C],0x1 <-- check for 1 must be inside to run the Dll
100084DB JNZ SHORT 100084E2 <-- Don't jump if value 1 is inside stack
Stack: At Target OEP / Not stolen
-------------------------------------------------
$ ==> 7C91118A RETURN to ntdll.7C91118A
$+4 10000000 Dll_X.10000000 <-- Base
$+8 00000001 <-- 1
$+C 00000000
ImageBase in PE keep same = File was loaded with original ImageBase!
PE HEADER: 10000000 | 1000
CODESECTION: 10001000 | 36B000
PE HEADER till CODESECTION Distance: 1000 || Value of 1000 = Normal!
Your Target seems to be a normal file!
Unpacking of NET targets is diffrent!
Dump running process with WinHex and then fix the whole PE and NET struct!
00AF07AA Breakpoint at 00AF07AA
No Overlay used!
Disasembling Syntax: MASM (Microsoft) <=> OK
Show default segments: Enabled
Always show size of memory operands: Enabled
Extra space between arguments: Disabled
StrongOD Found!
----------------------------------------------
HidePEB=1 Enabled = OK
KernelMode=1 Enabled = OK
KillPEBug=1 Enabled = OK
SkipExpection=1 Enabled = OK
Custom ExceptionsDisabled= Set The Range 00000000-FFFFFFFF
DriverName=CError
DRX=1 Enabled = OK
----------------------------------------------
1080C009 Breakpoint at custom.1080C009
1080C00B Breakpoint at custom.1080C00B
XP System found - Very good choice!
Newer SetEvent & Kernel32 ADs Redirecting in Realtime is disabled by user!
Kernel Ex Table Start: 7C802644
00B2003F Breakpoint at 00B2003F
PE DUMPSEC:VA 10810000 - VS 3D000
PE ANTISEC:VA 10811000
PE OEPMAKE:VA 10811600
SETEVENT_VM: VA 108121D0
PE I-Table:VA 10813000
VP - STORE:VA 10812F00
and or...
API JUMP-T:VA 10813000
00B2003F Breakpoint at 00B2003F
RISC VM Store Section VA is: 10850000 - VS 200000
00B20041 Breakpoint at 00B20041
10372A78 Hardware breakpoint 1 at custom.10372A78
Found WL Intern Export API Access at: 10372E59
Use this address to get all intern access WL APIs!
7C809AF1 Hardware breakpoint 2 at kernel32.VirtualAlloc
---------- Loaded File Infos ----------
Target Base: 10000000
Kernel32Base: 7C800000
Kernel32SORD: 7C8001F8 | 83200
Kernel32SORD: 7C800200
User32 Base: 77D10000
Advapi32Base: 77DA0000
---------------------------------------
WL Section: 1036F000 |2E4000
WL Align: FE09F014 |EBP Pointer Value
XBundler Prepair Sign not found!
CISC VM is located in the Themida - Winlicense section 1036F000 | 2E4000.
VMWare Address: 10372946 | 0
VMWare Checks are not Used & Disabled by Script!
Found No SetEvent WL Location!
Found No LoadLibraryA WL Location!
Found No FreeLibrary WL Location!
Auto XBundler Checker & Dumper is enabled!
If XBunlder Files are found in auto-modus then they will dumped by script!
If the auto XBunlder Dumper does fail etc then disable it next time!
Anti Access Stop on Code Section was Set!
Moddern MJM Scan Chosen!
Normal IAT Patch Scan Was Written!
00BB0306 Hardware breakpoint 3 at 00BB0306
76B10000 Module C:\WINDOWS\system32\winmm.dll
7C8106F9 New thread with ID 000004B0 created
7C8106F9 New thread with ID 000004BC created
7C8106F9 New thread with ID 000004C0 created
7C8106F9 New thread with ID 00000228 created
7C8106F9 New thread with ID 000004E0 created
7C8106F9 New thread with ID 0000050C created
7C8106F9 New thread with ID 00000580 created
7C8106F9 New thread with ID 00000740 created
7C8106F9 New thread with ID 00000290 created
7C8106F9 New thread with ID 00000500 created
00BA0033 Hardware breakpoint 1 at 00BA0033
7C9301DB Hardware breakpoint 3 at ntdll.7C9301DB
Heap Prot was redirected!
7D590000 Module C:\WINDOWS\system32\shell32.dll
77F40000 Module C:\WINDOWS\system32\shlwapi.dll
77180000 Module C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
77BD0000 Module C:\WINDOWS\system32\version.dll
71A20000 Module C:\WINDOWS\system32\ws2_32.dll
71A10000 Module C:\WINDOWS\system32\ws2help.dll
76BC0000 Module C:\WINDOWS\system32\psapi.dll
76680000 Module C:\WINDOWS\system32\wininet.dll
765E0000 Module C:\WINDOWS\system32\crypt32.dll
76DB0000 Module C:\WINDOWS\system32\msasn1.dll
7C8106F9 New thread with ID 00000514 created
61880000 Module C:\WINDOWS\system32\oleacc.dll
7C8106F9 New thread with ID 00000530 created
7C8106F9 New thread with ID 0000033C created
72F70000 Module C:\WINDOWS\system32\winspool.drv
76320000 Module C:\WINDOWS\system32\comdlg32.dll
7C8106F9 New thread with ID 000004F8 created
105BCC24 Hardware breakpoint 2 at custom.105BCC24
10001000 Problems when disabling memory breakpoint:
10001000 Access to memory changed from RE to RWE (original RWECopy)
105C3172 Memory breakpoint when writing to
105C3172 - REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
105C3174 Breakpoint at custom.105C3174
7C8106F9 New thread with ID 00000560 created
00BA0033 Hardware breakpoint 1 at 00BA0033
7C9301DB Hardware breakpoint 2 at ntdll.7C9301DB
Heap One was redirected!
00BA0033 Hardware breakpoint 1 at 00BA0033
7C9301DB Hardware breakpoint 2 at ntdll.7C9301DB
Heap Two was redirected!
5ADC0000 Module C:\WINDOWS\system32\uxtheme.dll
73640000 Module C:\WINDOWS\system32\MSCTFIME.IME
It looks like a lot of the functions in kernel32 were not resolved. Does the program have anti-debug? Is there a plugin that lets OllyDbg bypass the program's checks?
100CE990 |. FF15 0CD18010 CALL DWORD PTR DS:[<&kernel32.GetSystemTimeAsFileTime>] ; \GetSystemTimeAsFileTime
100CE99C |. FF15 04D18010 CALL DWORD PTR DS:[<&kernel32.GetCurrentProcessId>] ; [GetCurrentProcessId
100CE9AC |. FF15 C4D08010 CALL DWORD PTR DS:[<&kernel32.GetTickCount>] ; [GetTickCount
This post was last edited by Marriner on 2021-11-29 21:58
。。。。。。。。。。。。。。。。
Check whether the versions of the plugins the script uses, and OD's settings, match what it expects.
Sound posted on 2021-12-2 21:04
Check whether the versions of the plugins the script uses, and OD's settings, match what it expects.
@Sound
I tried unpacking manually. After finding the OEP, I dumped it with OllyDumpEx, and running the dump gives an error.
Debugging with OllyDbg, I found the error occurs at 100CE990, where the binary code was not converted into assembly. What could the cause of this be, and how do I fix it?
Re-download the latest versions of the plugins, the newer the better, or try several of them. Nothing more to say, thumbs up to everyone. I unpacked a few files from the mmt folder of 按键精灵 (Anjian Jingling). Good stuff. I used a VM with 32-bit Win7 and messed around with it; spent a whole night, just got it unpacked, you know how it is, keep fiddling.
In my case the last step fails with the ODbgScript plugin unable to save the data. I'm not sure I'm describing this correctly; I don't understand any of it, I just followed a few tutorials. At the last step it kept popping up this:
"dumping failed by the script
dump the file manually"
with an OK and a Cancel button. I switched to the Chinese-localized ODbgScript and Chinese-localized StrongOD from the forum, the PhantOm plugin is also from the forum, everything is from the forum, and the OD is the 52pojie (吾爱) edition. Unexpectedly, it worked.
I'm just a porter copying what others do, I don't know anything, thumbs up to everyone.
shendezuiai posted on 2021-12-21 09:18
Re-download the latest versions of the plugins, the newer the better, or try several of them. Nothing more to say, thumbs up to everyone. I unpacked a few files from the mmt folder of 按键精灵 ...
I found it doesn't work: the original file's extension is mt9, and it only auto-saves after changing it to exe; otherwise it prompts to save the data manually, and I have no idea how to save manually. Anyway, another day.