飞叶
Posted on 2008-4-22 16:26
PEiD identifies the packer as ASPack 2.12 -> Alexey Solodovnikov [Overlay]
1. Unpacking:
Set OD (OllyDbg) to ignore all exceptions; the OD auto-hide plugin hides OD for you.
Load the program in OD.
00AF2001 > 60 PUSHAD //After loading in OD we stop here, at the packer entry point
00AF2002 E8 03000000 CALL QQ棋牌游.00AF200A //F8 to here. Look right at the register window: ESP turns red. ESP trick: HR 12FFA4, Enter, then F9 to run
00AF2007 - E9 EB045D45 JMP 460C24F7
00AF200C 55 PUSH EBP
00AF200D C3 RETN
00AF200E E8 01000000 CALL QQ棋牌游.00AF2014
00AF2013 EB 5D JMP SHORT QQ棋牌游.00AF2072
00AF2015 BB EDFFFFFF MOV EBX,-13
00AF201A 03DD ADD EBX,EBP
00AF201C 81EB 00206F00 SUB EBX,QQ棋牌游.006F2000
00AF2022 83BD 22040000 0>CMP DWORD PTR SS:[EBP+422],0
00AF2029 899D 22040000 MOV DWORD PTR SS:[EBP+422],EBX
00AF202F 0F85 65030000 JNZ QQ棋牌游.00AF239A
After F9 we arrive here
00AF23B0 /75 08 JNZ SHORT QQ棋牌游.00AF23BA
00AF23B2 |B8 01000000 MOV EAX,1
00AF23B7 |C2 0C00 RETN 0C
00AF23BA \68 EC7B4F00 PUSH QQ棋牌游.004F7BEC
00AF23BF C3 RETN
Three more F8s and we fly to the summit of light~~~~~ (the OEP)
004F7BEC 55 PUSH EBP
004F7BED 8BEC MOV EBP,ESP
004F7BEF B9 04000000 MOV ECX,4
004F7BF4 6A 00 PUSH 0
004F7BF6 6A 00 PUSH 0
004F7BF8 49 DEC ECX
004F7BF9 ^ 75 F9 JNZ SHORT QQ棋牌游.004F7BF4
Dump with the OD plugin OllyDump, and note the OEP as F7BEC.
After dumping, the file must be repaired with ImportREC 1.6 (final fixed edition)!
Enter OEP: F7BEC
IAT AutoSearch, then Get Imports, and finally Fix Dump, choosing the file we just dumped.
At this point unpacking is done, but we find that the unpacked file closes itself when run!
2. Fixing the self-check
Close OD, reload the file we just unpacked and repaired, set a breakpoint with bp CreateFileA, press F9 to run and we arrive here!
7C801A38 > 8BFF MOV EDI,EDI
7C801A3A 55 PUSH EBP
7C801A3B 8BEC MOV EBP,ESP
7C801A3D FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C801A40 E8 1FA60200 CALL kernel32.7C82C064
7C801A45 85C0 TEST EAX,EAX
7C801A47 74 1E JE SHORT kernel32.7C801A67
7C801A49 FF75 20 PUSH DWORD PTR SS:[EBP+20]
7C801A4C FF75 1C PUSH DWORD PTR SS:[EBP+1C]
7C801A4F FF75 18 PUSH DWORD PTR SS:[EBP+18]
7C801A52 FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C801A55 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C801A58 FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C801A5B FF70 04 PUSH DWORD PTR DS:[EAX+4]
7C801A5E E8 E8A70200 CALL kernel32.CreateFileW
7C801A63 5D POP EBP
7C801A64 C2 1C00 RETN 1C
F8 all the way and we arrive here
00492095 . /75 12 JNZ SHORT dumped_.004920A9 ;//We NOP this JNZ
00492097 . |B8 E0930400 MOV EAX,493E0
0049209C . |E8 6B12F7FF CALL dumped_.0040330C
004920A1 . |C1E0 02 SHL EAX,2
004920A4 . |8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
004920A7 . |EB 11 JMP SHORT dumped_.004920BA
004920A9 > \B8 E0930400 MOV EAX,493E0
004920AE . E8 5912F7FF CALL dumped_.0040330C
004920B3 . C1E0 02 SHL EAX,2
004920B6 . 40 INC EAX
004920B7 . 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
004920BA > 33C0 XOR EAX,EAX
After changing the JNZ at 00492095 to NOP and saving, the program now runs. Now let's remove the ads!
3. Removing the ads
Load the unpacked file in OD, set a breakpoint with bp OpenProcessToken, then F9 to run
77F40F1E > 8BFF MOV EDI,EDI //We break here;
77F40F20 55 PUSH EBP
77F40F21 8BEC MOV EBP,ESP
77F40F23 FF75 10 PUSH DWORD PTR SS:[EBP+10]
77F40F26 FF75 0C PUSH DWORD PTR SS:[EBP+C]
77F40F29 FF75 08 PUSH DWORD PTR SS:[EBP+8]
The stack at this point shows:
0012EFE4 4B2132DF /CALL to OpenProcessToken from 4B2132D9
0012EFE8 FFFFFFFF |hProcess = FFFFFFFF
0012EFEC 00000008 |DesiredAccess = TOKEN_QUERY
0012EFF0 0012F000 \phToken = 0012F000
Press F9 and watch the stack; when we reach this:
0012FDAC 004DB9BD /CALL to OpenProcessToken from 已脱壳.004DB9B8
0012FDB0 FFFFFFFF |hProcess = FFFFFFFF
0012FDB4 00000028 |DesiredAccess = TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES
0012FDB8 0012FDE8 \phToken = 0012FDE8
Double-click 004DB9BD to follow it and we land here
004DB9BD . 33C0 XOR EAX,EAX
004DB9BF . 5A POP EDX
004DB9C0 . 59 POP ECX
004DB9C1 . 59 POP ECX
004DB9C2 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
004DB9C5 . EB 0A JMP SHORT 已脱壳.004DB9D1
Walking down, we see that this is the ad; I NOPed it out~~~~
004DBBE2 . /75 13 JNZ SHORT 已脱壳.004DBBF7
004DBBE4 . |8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004DBBE7 . |8B80 0C040000 MOV EAX,DWORD PTR DS:[EAX+40C]
004DBBED . |BA 34BE4D00 MOV EDX,已脱壳.004DBE34 ; UNICODE "http://update.itcount.com/bar.asp"
004DBBF2 . |E8 8D40FAFF CALL 已脱壳.0047FC84
And this here is the auto-update, which we NOP out as well~~~
004DBABE > \8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004DBAC1 . 8B88 F8020000 MOV ECX,DWORD PTR DS:[EAX+2F8]
004DBAC7 . B2 01 MOV DL,1
004DBAC9 . A1 74094F00 MOV EAX,DWORD PTR DS:[4F0974]
004DBACE . E8 91C0F7FF CALL 已脱壳.00457B64
004DBAD3 . 8BD8 MOV EBX,EAX
004DBAD5 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004DBAD8 . 8998 14040000 MOV DWORD PTR DS:[EAX+414],EBX
004DBADE . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004DBAE1 . 8B90 00030000 MOV EDX,DWORD PTR DS:[EAX+300]
004DBAE7 . 8BC3 MOV EAX,EBX
004DBAE9 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
004DBAEB . FF51 68 CALL DWORD PTR DS:[ECX+68]
004DBAEE . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004DBAF1 . 8B80 14040000 MOV EAX,DWORD PTR DS:[EAX+414]
004DBAF7 . E8 F0510100 CALL 已脱壳.004F0CEC
OK, save, and we're done~~~
crack by feiye~
QQ:17498016
Feel free to get in touch!
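As an added example (not part of feiye's post and not the game's code), the script below does in Python what the post does by hand in OllyDbg: it identifies the ASPack 2.12 entry stub from the bytes listed at the top of the post (60 E8 03 00 00 00 E9 EB ...), translates a virtual address such as 00492095 to a file offset through the PE section table, and overwrites a 2-byte JNZ SHORT with two NOPs while refusing to touch the file if the bytes there are not what we expect. The PE image it operates on is constructed in memory for the demo (ImageBase 0x400000, one .text section, a JNZ placed at 0x401080); those values are assumptions for the example, not addresses from the post. Feeding it a real dump is a matter of reading the file with open(path, "rb").read().

```python
"""Added example: ASPack stub check and VA-based byte patching of a dumped PE.
Constructed sample binary; not the game from the post."""
import struct

IMAGE_BASE = 0x400000       # assumed ImageBase for the constructed sample
TEXT_RVA, TEXT_RAW, TEXT_SIZE = 0x1000, 0x200, 0x200
SELFCHECK_VA = IMAGE_BASE + 0x1080   # where the sample's JNZ lives (assumed, demo only)

# Entry-stub bytes exactly as listed in the post: PUSHAD / CALL $+8 / JMP ... / PUSH EBP /
# RETN / CALL $+6 / JMP SHORT / MOV EBX,-13 / ADD EBX,EBP / SUB EBX,... (immediate varies)
ASPACK_STUB = bytes.fromhex(
    "60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB")


def build_sample_pe():
    """Constructed PE32 with a single .text section; entry point is the ASPack stub."""
    sect = bytearray(TEXT_SIZE)
    sect[0:len(ASPACK_STUB)] = ASPACK_STUB
    sect[0x80:0x82] = b"\x75\x12"            # JNZ SHORT +0x12, like the branch at 00492095
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, TEXT_RVA)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".text", TEXT_SIZE, TEXT_RVA, TEXT_SIZE,
                          TEXT_RAW, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sec_hdr
    headers += bytes(TEXT_RAW - len(headers))        # pad up to PointerToRawData
    return bytes(headers + sect)


def parse_headers(data):
    """Return (ImageBase, AddressOfEntryPoint, [(name, vsize, va, rawsize, rawptr), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    image_base = struct.unpack_from("<I", data, pe + 24 + 28)[0]
    table = pe + 24 + size_opt
    secs = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        secs.append((name.rstrip(b"\0"), vsize, va, rawsize, rawptr))
    return image_base, entry_rva, secs


def va_to_file_offset(data, va):
    """Map a debugger VA to a file offset: RVA = VA - ImageBase, then section raw pointer."""
    image_base, _, secs = parse_headers(data)
    rva = va - image_base
    for name, vsize, sva, rawsize, rawptr in secs:
        if sva <= rva < sva + max(vsize, rawsize):
            off = rva - sva
            if off >= rawsize:
                raise ValueError(f"VA {va:#x} lies in the uninitialised tail of {name!r}")
            return rawptr + off
    raise ValueError(f"VA {va:#x} is not inside any section")


def looks_like_aspack(data):
    """True when the bytes at the entry point match the ASPack 2.12 stub from the post."""
    image_base, entry_rva, _ = parse_headers(data)
    off = va_to_file_offset(data, image_base + entry_rva)
    return data[off:off + len(ASPACK_STUB)] == ASPACK_STUB


def patch_at_va(data, va, expected, replacement):
    """Overwrite bytes at a VA only if they currently equal `expected` (same length)."""
    if len(expected) != len(replacement):
        raise ValueError("replacement must keep the instruction length")
    off = va_to_file_offset(data, va)
    actual = bytes(data[off:off + len(expected)])
    if actual != expected:
        raise ValueError(f"bytes at {va:#x} are {actual.hex()}, expected {expected.hex()}")
    out = bytearray(data)
    out[off:off + len(replacement)] = replacement
    return bytes(out)


def nop_jnz_short(data, va):
    """JNZ SHORT rel8 is 2 bytes (75 xx); replace it with two NOPs as the post does at 00492095."""
    off = va_to_file_offset(data, va)
    if data[off] != 0x75:
        raise ValueError(f"no JNZ SHORT at {va:#x} (found {data[off]:02x})")
    return patch_at_va(data, va, bytes(data[off:off + 2]), b"\x90\x90")


if __name__ == "__main__":
    pe = build_sample_pe()
    print("ASPack stub at entry point:", looks_like_aspack(pe))
    patched = nop_jnz_short(pe, SELFCHECK_VA)
    off = va_to_file_offset(patched, SELFCHECK_VA)
    print(f"{SELFCHECK_VA:#x} -> file offset {off:#x}: {pe[off:off+2].hex()} -> {patched[off:off+2].hex()}")
```

The expected-bytes check in patch_at_va is the part worth keeping for real work: a JNZ→NOP patch applied at the wrong offset (a different build, or a dump whose sections were rebuilt so that raw sizes equal virtual sizes) silently corrupts an instruction elsewhere, so the patcher should refuse rather than guess. The same va_to_file_offset is what you need to confirm that an OEP noted in the debugger (F7BEC in the post) actually lands inside a section of the dumped file.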