Unpacking the SoftwareCompress 1.2 main program
【Author】fobnn【Author e-mail】[email protected]
【Author homepage】www.hack58.com
【Tools used】OD (OllyDbg), PEiD, LordPE, ImportREC 1.42
【Operating system】Windows XP
【Software name】SoftwareCompress 1.2
【Download】http://www.softdll.com/dl/download-softwarecompress.html
【Software size】246k
【Packer】SoftwareCompress 1.2
【Software description】
Software Compress is designed to pack and protect your EXE files. The freeware Lite version compresses by approximately 50%; the FULL version has more powerful compression. Software Compress is unique software for packing and protecting your executables. The protection level is high enough to prevent disassembly and patching of your software, so it reduces the chances of seeing your program cracked and spread everywhere.
An executable file always contains superfluous code, which allows an EXE file to be compressed to 30-60% of its original size. However, packing an EXE file into an archive is not enough: it must have a loader-unpacker added in order to run. The unpacked piece of code loads the packed code into memory, unpacks it and runs it. We implemented this algorithm in our software. The algorithm uses one-pass compression with a dictionary and provides the highest compression level. When the packed program runs, it reads the dictionary and unpacks the code into RAM in one pass. Unpacking is very fast (40 megabytes per second) whereas compression takes some time (a few seconds), so there are no delays during execution of the packed program. Crack and patch protection is provided by packing the original code: altering the packed code results in a broken archive that is impossible to unpack. Disassembly protection is based on this too; a cracker would obtain only the source code of the unpacker section and not the original code.
【Cracking note】I'm just a newbie; I picked up a few insights and want to share them with everyone :)
--------------------------------------------------------------------------------
【Contents】
1. PEiD reports "Nothing found".
2. Load it in OD, with only "Ignore memory access violations" left checked among the exception options.
0046905C S> /E9 BE000000 jmp Software.0046911F <<< the program stops here
00469061 |60 pushad
00469062 |8B7424 24 mov esi,dword ptr ss:
00469066 |8B7C24 28 mov edi,dword ptr ss:
0046906A |FC cld
0046906B |B2 80 mov dl,80
0046906D |33DB xor ebx,ebx
0046906F |A4 movs byte ptr es:,byte ptr ds:
00469070 |B3 02 mov bl,2
00469072 |E8 6D000000 call Software.004690E4
00469077 ^|73 F6 jnb short Software.0046906F
00469079 |33C9 xor ecx,ecx
3. Press F9 to run.
004691EC 8B00 mov eax,dword ptr ds: <<< exception
004691EE 90 nop
4. Now look at the stack.
0012FFBC 0012FFE0 指针到下一个 SEH 记录
0012FFC0 00153724 SE 句柄 <<< note this address
0012FFC4 7C816D4F 返回到 kernel32.7C816D4F
0012FFC8 7C930738 ntdll.7C930738
5. Set a hardware execution breakpoint on the SE handler (he 153724), then Shift+F9.
00153724 /E9 A9000000 jmp 001537D2
00153729 |60 pushad
6. Step with F8.
...
001538B9 /74 07 je short 001538C2
001538BB |25 FFFF0000 and eax,0FFFF
001538C0 |EB 03 jmp short 001538C5
001538C2 \8D43 02 lea eax,dword ptr ds:
001538C5 52 push edx
001538C6 50 push eax
001538C7 52 push edx
001538C8 FF95 91114100 call dword ptr ss:
001538CE 5A pop edx
001538CF 83C6 04 add esi,4
001538D2 8907 mov dword ptr ds:,eax
001538D4 8B8D A5114100 mov ecx,dword ptr ss:
001538DA 83C7 04 add edi,4
001538DD 8B06 mov eax,dword ptr ds:
001538DF 85C0 test eax,eax
001538E1 8D1C08 lea ebx,dword ptr ds:
001538E4 ^ 75 CE jnz short 001538B4
001538E6 EB 06 jmp short 001538EE
001538E8 8B8D A5114100 mov ecx,dword ptr ss:
001538EE 36:8B4424 10 mov eax,dword ptr ss:
001538F3 83C0 14 add eax,14
001538F6 36:894424 10 mov dword ptr ss:,eax
001538FB ^ 0F85 77FFFFFF jnz 00153878 <<< keep pressing F8 until here; do not let the program jump back
00153901 8BBD B5114100 mov edi,dword ptr ss: <<< select this line with the mouse and press F4 to run to it
00153907 03F9 add edi,ecx <<< keep stepping with F8
*
*
*
7C80FE2F k> 6A 18 push 18
7C80FE31 68 D8FE807C push kernel32.7C80FED8
7C80FE36 E8 9026FFFF call kernel32.7C8024CB
7C80FE3B 8365 FC 00 and dword ptr ss:,0
7C80FE3F A1 E836887C mov eax,dword ptr ds:
7C80FE44 8B5D 08 mov ebx,dword ptr ss:
7C80FE47 85C0 test eax,eax
7C80FE49 0F85 E1040300 jnz kernel32.7C840330
7C80FE4F F6C3 04 test bl,4
7C80FE52 0F84 98000000 je kernel32.7C80FEF0
7C80FE58 834D FC FF or dword ptr ss:,FFFFFFFF
7C80FE5C FF35 A433887C push dword ptr ds:
7C80FE62 FF15 9C12807C call dword ptr ds:[<&ntdll.RtlLockHeap>] ; ntdll.RtlLockHeap
7C80FE68 C745 FC 01000000 mov dword ptr ss:,1
7C80FE6F 8D73 FC lea esi,dword ptr ds:
7C80FE72 8975 D8 mov dword ptr ss:,esi
7C80FE75 56 push esi
7C80FE76 BF E030887C mov edi,kernel32.7C8830E0
7C80FE7B 57 push edi
7C80FE7C FF15 AC12807C call dword ptr ds:[<&ntdll.RtlIsValidHandle>] ; ntdll.RtlIsValidHandle
7C80FE82 84C0 test al,al
7C80FE84 0F84 BC040300 je kernel32.7C840346
7C80FE8A 8B5E 04 mov ebx,dword ptr ds:
7C80FE8D 895D E4 mov dword ptr ss:,ebx
*
*
7C80FECA E8 3C26FFFF call kernel32.7C80250B
7C80FECF C2 0400 retn 4 <<< step this retn and you fly to the light (the OEP)!
7C80FED2 90 nop
7C80FED3 90 nop
7C80FED4 90 nop
7C80FED5 90 nop
7C80FED6 90 nop
7C80FED7 90 nop
7. We arrive at the OEP.
0043632A 6A 60 push 60
0043632C 68 E8C24400 push Software.0044C2E8
00436331 E8 6AC9FFFF call Software.00432CA0
00436336 8365 FC 00 and dword ptr ss:,0
0043633A 8D45 90 lea eax,dword ptr ss:
0043633D 50 push eax
8. DUMP and fix (dump with LordPE, then repair the imports with ImportREC).
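As an added example (not part of the original write-up or the tools it lists), a small Python helper for the fix step: the dumped image still has AddressOfEntryPoint pointing at the packer stub (0046905C), and it must be rewritten to the real OEP (0043632A) expressed as an RVA relative to ImageBase. The PE header below is constructed in memory and assumes the usual ImageBase of 0x00400000; the function names are my own.

```python
"""Rewrite AddressOfEntryPoint of a dumped PE32 image to the OEP seen in the debugger."""
import struct

PE32_MAGIC = 0x10B

def _optional_header_offset(data):
    """Locate the optional header: e_lfanew -> PE signature (4 bytes) -> COFF header (20 bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 24

def read_entry_point(data):
    """Return (ImageBase, AddressOfEntryPoint RVA) of a PE32 image."""
    opt = _optional_header_offset(data)
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    return image_base, entry_rva

def set_entry_point(data, oep_va):
    """Point the dump at oep_va (a virtual address as OllyDbg shows it); return the patched bytes."""
    image_base, _ = read_entry_point(data)
    rva = oep_va - image_base
    if rva < 0 or rva > 0xFFFFFFFF:
        raise ValueError("OEP %#x does not lie above ImageBase %#x" % (oep_va, image_base))
    patched = bytearray(data)
    struct.pack_into("<I", patched, _optional_header_offset(data) + 16, rva)
    return bytes(patched)

def build_sample_header():
    """Constructed stand-in for a dump: ImageBase 0x400000 (assumed), EP still at the packer stub."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header follows the DOS header
    # i386, one section, 0xE0-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x0006905C)   # AddressOfEntryPoint = packer stub (0046905C - base)
    struct.pack_into("<I", opt, 28, 0x00400000)   # ImageBase (assumption)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

On a real dump, read the file bytes, call set_entry_point(data, 0x0043632A) and write the result back before running ImportREC against it.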
--------------------------------------------------------------------------------
【Summary】
This is my first unpacking write-up; I'm just a newbie starting out in cracking,
QQ:380838221
--------------------------------------------------------------------------------
【Copyright notice】This article is purely for technical exchange; when reposting, please credit the author and keep the article intact, thanks! Strange, though: why can't a second memory breakpoint reach the OEP directly.....