Runscanner V.1.6.3.0 Localization Prelude (Unpacking and Removing the Self-Check)
【Title】Runscanner V.1.6.3.0 Localization Prelude (Unpacking and Removing the Self-Check)【Author】magic659117852/蚊香
【Author e-mail】[email protected]
【Author homepage】http://hi.baidu.com/magic659117852
【Tools used】OD, PEiD, LordPE, ImportREC
【Unpacking platform】pirated XP-SP2
【Software】Runscanner
【Size】1624 KB
【Original download】http://www.runscanner.net/runscanner.zip
【Protection】PECompact 2.x + self-check
【Description】RunScanner is a completely free Windows system tool from abroad. It digs out the autostart programs, spyware, adware, homepage hijackers and unsigned drivers hidden in your system, and can import and export reports so you can help others or get help. It currently scans 80 locations where malware likes to hide....
【Disclaimer】Pure newbie... just interested; for study and exchange only, no other purpose. Corrections from the experts are welcome!
------------------------------------------------------------------------
【Rough process】PEiD detection: PECompact 2.x -> Jeremy Collake ..... Remember what the cracking expert wynney said: every packer has its routine (of course that is the old hands' summary.. this newbie just copies it)...
Open OD, set it to ignore all exceptions, hide OD with a plugin....... load the file... it stops at:
00401000 >B8 D4D78E00 MOV EAX,RunScann.008ED7D4
00401005 50 PUSH EAX
00401006 64:FF35 00000000 PUSH DWORD PTR FS:[0]
0040100D 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00401014 33C0 XOR EAX,EAX
00401016 8908 MOV DWORD PTR DS:[EAX],ECX
00401018 50 PUSH EAX
00401019 45 INC EBP
0040101A 43 INC EBX
0040101B 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O instruction
0040101C 6D INS DWORD PTR ES:[EDI],DX ; I/O instruction
0040101D 70 61 JO SHORT RunScann.00401080
0040101F 637432 00 ARPL WORD PTR DS:[EDX+ESI],SI
00401023 8E13 MOV SS,WORD PTR DS:[EBX] ; segment register change
Set a breakpoint from the command line: BP VirtualFree ... F9 to run.... the program breaks at:
7C809B04 >8BFF MOV EDI,EDI ★☆ breaks here ★☆
7C809B06 55 PUSH EBP
7C809B07 8BEC MOV EBP,ESP
7C809B09 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C809B0C FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C809B0F FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C809B12 6A FF PUSH -1
7C809B14 E8 09000000 CALL kernel32.VirtualFreeEx
7C809B19 5D POP EBP
7C809B1A C2 0C00 RETN 0C
Now F2 to remove the breakpoint....Alt+F9 to execute till user code....we arrive at:
011F0934 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20] ; RunScann.0044026C ★☆ arrived here ★☆
011F0938 5F POP EDI
011F0939 5E POP ESI
011F093A 5B POP EBX
011F093B 83C4 10 ADD ESP,10
011F093E C2 0C00 RETN 0C
Ctrl+F to search for the signature push 8000....set a breakpoint at the tail:
011F0C54 68 00800000 PUSH 8000
011F0C59 6A 00 PUSH 0
011F0C5B FFB5 271F0010 PUSH DWORD PTR SS:[EBP+10001F27]
011F0C61 FF95 3B1F0010 CALL DWORD PTR SS:[EBP+10001F3B]
011F0C67 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
011F0C6A 03C7 ADD EAX,EDI
011F0C6C 5D POP EBP
011F0C6D 5E POP ESI
011F0C6E 5F POP EDI
011F0C6F 5B POP EBX
011F0C70 C3 RETN ★☆ set the breakpoint here ★☆
F9 to run the program.....F8 single-step until:
008ED87C 8B4B 14 MOV ECX,DWORD PTR DS:[EBX+14]
008ED87F 5A POP EDX
008ED880 EB 0C JMP SHORT RunScann.008ED88E
008ED882 03CA ADD ECX,EDX
008ED884 68 00800000 PUSH 8000
008ED889 6A 00 PUSH 0
008ED88B 57 PUSH EDI
008ED88C FF11 CALL DWORD PTR DS:[ECX]
008ED88E 8BC6 MOV EAX,ESI
008ED890 5A POP EDX
008ED891 5E POP ESI
008ED892 5F POP EDI
008ED893 59 POP ECX
008ED894 5B POP EBX
008ED895 5D POP EBP
008ED896- FFE0 JMP EAX ; RunScann.0076B38C ★☆ this jumps to the OEP ★☆
--------------------------------------------------------------------------------------------------
0076B38C 55 PUSH EBP ★☆ the lovely OEP... the entry alone says Delphi ★☆
0076B38D 8BEC MOV EBP,ESP
0076B38F B9 05000000 MOV ECX,5
0076B394 6A 00 PUSH 0
0076B396 6A 00 PUSH 0
0076B398 49 DEC ECX
0076B399^ 75 F9 JNZ SHORT RunScann.0076B394
0076B39B 51 PUSH ECX
0076B39C 53 PUSH EBX
0076B39D 56 PUSH ESI
0076B39E 57 PUSH EDI
0076B39F B8 D8487600 MOV EAX,RunScann.007648D8
0076B3A4 E8 3BCAC9FF CALL RunScann.00407DE4
0076B3A9 33C0 XOR EAX,EAX
0076B3AB 55 PUSH EBP
0076B3AC 68 ACB67600 PUSH RunScann.0076B6AC
0076B3B1 64:FF30 PUSH DWORD PTR FS:[EAX]
0076B3B4 64:8920 MOV DWORD PTR FS:[EAX],ESP
After reaching the OEP I habitually used OllyDump to dump the debugged process (a newbie's signature move =_= )....and found OD froze,,,tried again,,,sweat, no accident =_=! (is this AntiDump ??) LordPE dumps it fine...but the dump errors on run...brought in ImportREC (V1.6.1 Final)....and it froze again while fixing the dumped file ???
Downloaded the V1.7a FINAL localized and skinned by forum member 心海伽蓝 ....this time it worked....but on running, the program popped up 'The file "Unpack_.exe" seems to be corrupt!' A self-check =_= !
------------------------------------------Removing the program's self-check-------------------------------------------
Load the unpacked and repaired file in OD...since the target is the popup 'The file "Unpack_.exe" seems to be corrupt!'...set a breakpoint from the command line: bp MessageBoxA ....F9 to run...note the stack:
0012FCD8 00451131 /CALL to MessageBoxA from Unpack_.0045112C
0012FCDC 00000000 |hOwner = NULL
0012FCE0 013CC060 |Text = "The file "Unpack_.exe" seems to be corrupt!"
0012FCE4 00000000 |Title = NULL
0012FCE8 00000010 \Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0012FCEC 0012FE2C Pointer to next SEH record
0012FCF0 00451188 SE handler
0012FCF4 0012FE24
0012FCF8 0000018D
0012FCFC 0076612C Unpack_.0076612C
0012FD00 0000001B
0012FD04 013CC060 ASCII "The file "Unpack_.exe" seems to be corrupt!"
Follow the return address in the disassembly window....we arrive at:
00451103|> \84DB TEST BL,BL
00451105 74 60 JE SHORT Unpack_.00451167
00451107 6A 10 PUSH 10
00451109 6A 00 PUSH 0
0045110B 8D95 E0FEFFFF LEA EDX,DWORD PTR SS:[EBP-120]
00451111|.A1 74FB7600 MOV EAX,DWORD PTR DS:[76FB74]
00451116|.8B08 MOV ECX,DWORD PTR DS:[EAX]
00451118|.FF91 48020000 CALL DWORD PTR DS:[ECX+248]
0045111E|.8B85 E0FEFFFF MOV EAX,DWORD PTR SS:[EBP-120]
00451124|.E8 7748FBFF CALL Unpack_.004059A0
00451129|.50 PUSH EAX ; |Text
0045112A|.6A 00 PUSH 0 ; |hOwner = NULL
0045112C|.E8 B37FFBFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00451131|.6A 00 PUSH 0 ; / ★☆ the cursor lands here ★☆
00451133|.E8 C473FBFF CALL <JMP.&kernel32.GetModuleHandleA> ; \GetModuleHandleA
00451138|.3B05 F8077800 CMP EAX,DWORD PTR DS:[7807F8] ;Unpack_.00400000
0045113E|.74 20 JE SHORT Unpack_.00451160
00451140|.B8 74FB7600 MOV EAX,Unpack_.0076FB74
00451145|.E8 0266FBFF CALL Unpack_.0040774C
0045114A|.8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
0045114D|.B2 01 MOV DL,1
0045114F|.A1 D47E4000 MOV EAX,DWORD PTR DS:[407ED4]
00451154|.E8 E76DFBFF CALL Unpack_.00407F40
00451159|.E8 FE3CFBFF CALL Unpack_.00404E5C
0045115E|.EB 07 JMP SHORT Unpack_.00451167
00451160|>6A 00 PUSH 0 ; /ExitCode = 0
00451162|.E8 4D72FBFF CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess
00451167|>33C0 XOR EAX,EAX
A careful look shows that the failure branch ends in ExitProcess at 00451162, and that the conditional jump at 00451105 (taken when BL is zero, i.e. the check passed) skips the whole branch, MessageBoxA included...so:
00451105 74 60 JE SHORT Unpack_.00451167 ★☆ change the JE to JMP here ..problem solved^_^ ★☆
Save the file...it runs...now on to editing the resources.........................
Download of the localized build: http://www.fs2you.com/zh-cn/files/cad328b5-ed6b-11dc-a312-0014221f3995/
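The same JE -> JMP fix can be applied to the dumped file outside OD. The script below is an added example, not code from the original post or from Runscanner: it walks the PE section table to turn the VA 00451105 quoted above into a file offset, checks that the byte there really is the `74` (JE rel8) opcode with the `60` displacement from the listing, and overwrites only the opcode with `EB` (JMP rel8). Because JE rel8 and JMP rel8 share the one-byte displacement encoding, the branch target (00451167) is unchanged. To run offline it builds a constructed minimal PE32 image whose ImageBase (0x400000) and single-section layout are assumptions chosen so that the listed code bytes land at 0x451105; a real dump fixed by ImportREC has a complete section table and can be passed as a path instead.

```python
import struct
import sys

# Constructed sample layout (assumption for the demo, NOT Runscanner's real headers):
# ImageBase 0x400000, one section at RVA 0x51000 backed by raw data at file offset 0x400.
IMAGE_BASE = 0x00400000
SECT_VA, SECT_RAW_PTR, SECT_RAW_SIZE = 0x51000, 0x400, 0x200
JE_VA = 0x00451105            # address of "74 60 JE SHORT Unpack_.00451167" in the post
JE_REL8, JMP_REL8 = 0x74, 0xEB


def build_sample_pe() -> bytearray:
    """Build a minimal PE32 image with the bytes from the listing at JE_VA."""
    img = bytearray(SECT_RAW_PTR + SECT_RAW_SIZE)
    img[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine=i386, NumberOfSections=1, SizeOfOptionalHeader=0xE0
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)   # ImageBase
    sect = opt + 0xE0                                   # first IMAGE_SECTION_HEADER
    struct.pack_into("<8sIIIIIIHHI", img, sect, b".text", SECT_RAW_SIZE, SECT_VA,
                     SECT_RAW_SIZE, SECT_RAW_PTR, 0, 0, 0, 0, 0x60000020)
    # "84DB TEST BL,BL / 74 60 JE / 6A 10 PUSH 10 / 6A 00 PUSH 0" from the listing
    code_off = SECT_RAW_PTR + (JE_VA - IMAGE_BASE - SECT_VA) - 2
    img[code_off:code_off + 8] = bytes.fromhex("84DB74606A106A00")
    return img


def va_to_file_offset(img: bytes, va: int) -> int:
    """Map a virtual address to a raw file offset using the PE section table."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    image_base = struct.unpack_from("<I", img, opt + 28)[0]
    rva = va - image_base
    sect = opt + opt_size
    for i in range(nsect):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", img, sect + i * 40 + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + (rva - vaddr)
    raise ValueError(f"VA {va:#x} is not backed by any section")


def branch_target(va: int, disp8: int) -> int:
    """Target of a 2-byte rel8 branch at va (displacement is signed, from next insn)."""
    signed = disp8 - 0x100 if disp8 & 0x80 else disp8
    return va + 2 + signed


def patch_je_to_jmp(img: bytearray, va: int, expected_disp=None) -> int:
    """Replace the JE rel8 opcode at va with JMP rel8; displacement is left intact."""
    off = va_to_file_offset(img, va)
    if img[off] != JE_REL8:
        raise ValueError(f"expected JE (74) at {va:#x}, found {img[off]:02X}")
    if expected_disp is not None and img[off + 1] != expected_disp:
        raise ValueError(f"unexpected displacement {img[off + 1]:02X} at {va:#x}")
    img[off] = JMP_REL8
    return off


if __name__ == "__main__":
    # With a path argument the real dump is patched in place; otherwise the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = bytearray(f.read())
    else:
        image = build_sample_pe()
    offset = patch_je_to_jmp(image, JE_VA, expected_disp=0x60)
    print(f"patched JE->JMP at file offset {offset:#x}, "
          f"target stays {branch_target(JE_VA, image[offset + 1]):#x}")
    if len(sys.argv) > 1:
        with open(sys.argv[1], "wb") as f:
            f.write(image)
```

The opcode check matters on a dump: if ImportREC or the dumper shifted the section table, the VA would map to a different offset and blindly writing `EB` there would corrupt unrelated code rather than disable the check.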
------------------------------------------------------------------------
【Summary】There are many ways to unpack PECompact 2.x....bp VirtualFree plus a search for the signature works well...and everyone knows what bp MessageBoxA does to a popup..
------------------------------------------------------------------------
【Copyright notice】...what copyright..none...
[ This post was last edited by magic659117852 on 2008-3-9 21:17 ]

卸秃冒: Not bad, I support you, OP. Memory checks are more troublesome; I wonder how the old hands deal with those.