eXPressor 1.4.5.4主程序脱壳
【作者大名】fobnn【作者邮箱】(邮箱已被网页脚本隐藏,原文未能保留)
【作者主页】www.hack58.com
【使用工具】OD PEID LORDPE ImportREC1.42
【操作系统】Windows XP
【软件名称】eXPressor 1.4.5.4
【下载地址】google
【软件大小】202KB
【加壳方式】eXPressor 1.4.5.4 demo 版(壳自身用 demo 版加壳,运行时会先弹一个 demo 提示框)
【软件简介】
.........
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
----------------------------------------------------------------------【内容】
①.OD载入
004B6881  55                push ebp                            ;OD载入后停在壳的入口点(EP) 004B6881,从这里开始F8单步
004B6882  8BEC              mov ebp,esp
004B6884  83EC 58           sub esp,58
004B6887  53                push ebx
004B6888  56                push esi
004B6889  57                push edi
004B688A  8365 DC 00        and dword ptr ss:[ebp-24],0         ;[ebp-24] 清零,后面 ② 的循环把它当索引用
004B688E  F3:               prefix rep:                         ;多余的 REP 前缀挂在下面的 jmp 前面,执行时没有作用,OD 单独列成一行
004B688F  EB 0C             jmp short eXPresso.004B689D         ;跳过下面 12 字节的数据
004B6891  65:58             pop eax                             ;004B6891~004B689C 这 12 字节是字符串 "eXPr-v.1.4." + 00
004B6893  50                push eax                            ;(65 58 50 72 2D 76 2E 31 2E 34 2E 00),不是代码,
004B6894  72 2D             jb short eXPresso.004B68C3          ;OD 把它按指令反汇编了,这几行忽略即可
004B6896  76 2E             jbe short eXPresso.004B68C6
004B6898  312E              xor dword ptr ds:[esi],ebp
004B689A  34 2E             xor al,2E
004B689C  00A1 00604B00     add byte ptr ds:[ecx+4B6000],ah     ;真正的指令从 004B689D 开始:A1 00604B00 = mov eax,dword ptr ds:[4B6000]
004B68A2  05 00604B00       add eax,eXPresso.004B6000           ;[4B6000] 里的偏移 + 4B6000 => 壳信息表的地址(后面 ② 处看到是 004B6F40)
004B68A7  A3 08604B00       mov dword ptr ds:[4B6008],eax       ;[4B6008] = 壳信息表指针
004B68AC  A1 08604B00       mov eax,dword ptr ds:[4B6008]
004B68B1  B9 81684B00       mov ecx,eXPresso.<ModuleEntryPoint> ;ecx = 壳的 EP 004B6881
004B68B6  2B48 18           sub ecx,dword ptr ds:[eax+18]       ;EP - [表+18](EP 的 RVA) = 映像基址
004B68B9  890D 0C604B00     mov dword ptr ds:[4B600C],ecx       ;[4B600C] = 映像基址(⑤ 前面 OD 显示它是 00400000)
004B68BF  833D 10604B00 00  cmp dword ptr ds:[4B6010],0         ;[4B6010] 是"已弹过 DEMO 提示"的标志
004B68C6  74 16             je short eXPresso.004B68DE          ;标志为 0 时 ZF=1,跳到 004B68DE 弹 DEMO 提示框(本次就是走这条路)
004B68C8  A1 08604B00       mov eax,dword ptr ds:[4B6008]       ;标志非 0 时才走这里:直接算出 OEP 跳到 ⑤ 的收尾,本次单步不经过
004B68CD  8B0D 0C604B00     mov ecx,dword ptr ds:[4B600C]       ;ecx = 映像基址
004B68D3  0348 14           add ecx,dword ptr ds:[eax+14]       ;+ [表+14](OEP 的 RVA) = OEP
004B68D6  894D CC           mov dword ptr ss:[ebp-34],ecx       ;[ebp-34] = OEP
004B68D9  E9 97040000       jmp eXPresso.004B6D75
004B68DE  C705 10604B00 01000000 mov dword ptr ds:[4B6010],1    ;置"已提示"标志,然后弹框
004B68E8  6A 30             push 30                             ; uType = 30 (MB_ICONEXCLAMATION)
004B68EA  68 54604B00       push eXPresso.004B6054              ; ASCII "Nfo"  (标题)
004B68EF  68 18604B00       push eXPresso.004B6018              ; ASCII "This program was packed with a demo version of eXPressor"  (正文)
004B68F4  6A 00             push 0                              ; hWnd = NULL
004B68F6  FF15 E4604B00     call dword ptr ds:[<&USER32.MessageBoxA>] ;弹出 DEMO 版本提示,点确定后继续 F8
004B68FC  837D 0C 01        cmp dword ptr ss:[ebp+C],1          ;看起来壳把 [ebp+8]/[ebp+C] 当作 DllMain 的 (hinstDLL, fdwReason) 来用(推测):
004B6900  74 04             je short eXPresso.004B6906          ;reason != 1 时把 hModule 清零,
004B6902  8365 08 00        and dword ptr ss:[ebp+8],0          ;这样下面 GetModuleFileNameA(NULL) 取的就是当前进程主模块的路径
004B6906  6A 04             push 4                              ; Protect = PAGE_READWRITE
004B6908  68 00100000       push 1000                           ; AllocationType = MEM_COMMIT
004B690D  68 04010000       push 104                            ; Size = 104 (260 = MAX_PATH)
004B6912  6A 00             push 0                              ; Address = NULL
004B6914  FF15 C4604B00     call dword ptr ds:[<&KERNEL32.VirtualAlloc>]
004B691A  8945 EC           mov dword ptr ss:[ebp-14],eax       ;[ebp-14] = 路径缓冲区(⑤ 的第二个 VirtualFree 释放的就是它)
004B691D  68 04010000       push 104                            ; nSize = MAX_PATH
004B6922  FF75 EC           push dword ptr ss:[ebp-14]          ; lpFilename = 缓冲区
004B6925  FF75 08           push dword ptr ss:[ebp+8]           ; hModule
004B6928  FF15 DC604B00     call dword ptr ds:[<&KERNEL32.GetModuleFileNameA>] ;取本程序完整路径,eax = 字符串长度
004B692E  |.  8B4D EC       mov ecx,dword ptr ss:[ebp-14]       ;ecx = 路径缓冲区
004B6931  |.  8D4401 FF     lea eax,dword ptr ds:[ecx+eax-1]    ;eax = 指向路径的最后一个字符(缓冲区 + 长度 - 1)
004B6935  |.  8945 AC       mov dword ptr ss:[ebp-54],eax
004B6938  |>  8B45 AC       /mov eax,dword ptr ss:[ebp-54]      ;从路径末尾往前找 '\'。注意这个循环只以找到 '\' 为退出条件,
004B693B  |.  0FBE00        |movsx eax,byte ptr ds:[eax]        ;没有下界检查:若上面 GetModuleFileNameA 返回 0,指针会越过缓冲区起点一直往前扫
004B693E  |.  83F8 5C       |cmp eax,5C                         ;5C = '\'
004B6941  |.  74 09         |je short eXPresso.004B694C
004B6943  |.  8B45 AC       |mov eax,dword ptr ss:[ebp-54]
004B6946  |.  48            |dec eax
004B6947  |.  8945 AC       |mov dword ptr ss:[ebp-54],eax
004B694A  .^  EB EC         \jmp short eXPresso.004B6938        ;一路 F8 到这里,这是循环向上的回跳,不要跟着它进循环
004B694C  |>  8B45 AC       mov eax,dword ptr ss:[ebp-54]       ;用鼠标选中这行按 F4,直接运行到这里(循环结束)
004B694F  |.  40            inc eax                             ;继续 F8;eax 指向 '\' 后面的那个字符
004B6950  |.  8945 AC       mov dword ptr ss:[ebp-54],eax
004B6953  |.  8B45 AC       mov eax,dword ptr ss:[ebp-54]
004B6956  |.  2B45 EC       sub eax,dword ptr ss:[ebp-14]       ;eax = 目录部分的长度(含末尾的 '\')
004B6959  |.  8945 B0       mov dword ptr ss:[ebp-50],eax
004B695C  |.  6A 04         push 4                              ; /Protect = PAGE_READWRITE
004B695E  |.  68 00100000   push 1000                           ; |AllocationType = MEM_COMMIT
004B6963  |.  68 04010000   push 104                            ; |Size = 104 (260.)
004B6968  |.  6A 00         push 0                              ; |Address = NULL
②.
004B6AA6  |.  8B45 DC       |mov eax,dword ptr ss:[ebp-24]      ;[ebp-24] 在 EP 处被清过零,这里当作项索引用
004B6AA9  |.  6BC0 18       |imul eax,eax,18                    ;每项 0x18 字节
004B6AAC  |.  8B0D 08604B00 |mov ecx,dword ptr ds:[4B6008]      ;eXPresso.004B6F40 = 壳信息表
004B6AB2  |.  8B15 386F4B00 |mov edx,dword ptr ds:[4B6F38]
004B6AB8  |.  035401 7C     |add edx,dword ptr ds:[ecx+eax+7C]  ;把第 eax 项(表 + 7C + eax*18)处的值累加到 [4B6F38]
004B6ABC  |.  8915 386F4B00 |mov dword ptr ds:[4B6F38],edx
004B6AC2  |.^ EB 90         \jmp short eXPresso.004B6A54        ;上面一路 F8 到这里,又是一个向上回跳的循环
004B6AC4  |>  68 00800000   push 8000                           ; /FreeType = MEM_RELEASE ;老规矩:鼠标选中这行按 F4 运行到这里
004B6AC9  |.  6A 00         push 0                              ; |Size = 0  ;继续 F8
③。
004B6D42  |.  83C0 04       ||add eax,4
004B6D45  |.  8945 E8       ||mov dword ptr ss:[ebp-18],eax     ;两个 DWORD 指针各前进 4 字节
004B6D48  |.  8B45 E0       ||mov eax,dword ptr ss:[ebp-20]
004B6D4B  |.  83C0 04       ||add eax,4
004B6D4E  |.  8945 E0       ||mov dword ptr ss:[ebp-20],eax
004B6D51  |.^ E9 68FFFFFF   |\jmp eXPresso.004B6CBE             ;内层循环(004B6CBE~004B6D51)的回跳
004B6D56  |>  8B45 B4       |mov eax,dword ptr ss:[ebp-4C]      ;老规矩:选中这行按 F4
004B6D59  |.  83C0 14       |add eax,14                         ;继续 F8;[ebp-4C] 每轮 +0x14(= sizeof IMAGE_IMPORT_DESCRIPTOR,外层很可能在遍历输入表描述符,内层按 4 字节走的应是 thunk 数组 —— 推测,需结合上文确认)
④。
004B6D4B  |.  83C0 04       ||add eax,4
004B6D4E  |.  8945 E0       ||mov dword ptr ss:[ebp-20],eax
004B6D51  |.^ E9 68FFFFFF   |\jmp eXPresso.004B6CBE             ;外层下一轮又会走到内层循环的这个回跳,老规矩:选中 004B6D56 按 F4
004B6D56  |>  8B45 B4       |mov eax,dword ptr ss:[ebp-4C]
004B6D59  |.  83C0 14       |add eax,14
004B6D5C  |.  8945 B4       |mov dword ptr ss:[ebp-4C],eax
004B6D5F  |.^ E9 70FEFFFF   \jmp eXPresso.004B6BD4              ;外层循环(004B6BD4~004B6D5F)的回跳,老规矩:选中下一行 004B6D64 按 F4
004B6D64  |>  A1 08604B00   mov eax,dword ptr ds:[4B6008]       ;两层循环都结束;eax = 壳信息表
004B6D69  |.  8B0D 0C604B00 mov ecx,dword ptr ds:[4B600C]       ;eXPresso.00400000 = 映像基址
004B6D6F  |.  0348 14       add ecx,dword ptr ds:[eax+14]       ;ecx = 基址 + [表+14](OEP 的 RVA) = OEP
⑤。
004B6D72  894D CC           mov dword ptr ss:[ebp-34],ecx       ;[ebp-34] = OEP
004B6D75  68 00800000       push 8000                           ; FreeType = MEM_RELEASE
004B6D7A  6A 00             push 0                              ; Size = 0
004B6D7C  FF75 FC           push dword ptr ss:[ebp-4]           ; Address = [ebp-4] 指向的那块内存
004B6D7F  FF15 C0604B00     call dword ptr ds:[<&KERNEL32.VirtualFree>]
004B6D85  68 00800000       push 8000                           ; FreeType = MEM_RELEASE
004B6D8A  6A 00             push 0                              ; Size = 0
004B6D8C  FF75 EC           push dword ptr ss:[ebp-14]          ; Address = ① 里 VirtualAlloc 出来的路径缓冲区
004B6D8F  FF15 C0604B00     call dword ptr ds:[<&KERNEL32.VirtualFree>]
004B6D95  8B45 CC           mov eax,dword ptr ss:[ebp-34]       ;eax = OEP
004B6D98  5F                pop edi
004B6D99  5E                pop esi
004B6D9A  5B                pop ebx
004B6D9B  83C4 5C           add esp,5C                          ;注意是 5C 而入口是 sub esp,58,差的 4 字节应是中间某次没配对弹出的 push(不在本片段内)
004B6D9E  5D                pop ebp
004B6D9F  50                push eax                            ;OEP 先暂存到栈上
004B6DA0  A1 08604B00       mov eax,dword ptr ds:[4B6008]       ;eax = 壳信息表
004B6DA5  8378 14 00        cmp dword ptr ds:[eax+14],0         ;[表+14](OEP 的 RVA)是否为 0
004B6DA9  75 05             jnz short eXPresso.004B6DB0         ;不为 0 => 去跳 OEP
004B6DAB  58                pop eax
004B6DAC  33C0              xor eax,eax
004B6DAE  40                inc eax                             ;为 0 时不跳转,返回 1(TRUE)
004B6DAF  C3                retn
004B6DB0  58                pop eax                             ; eax = OEP = eXPresso.0042C9FE
004B6DB1  FFE0              jmp eax                             ;一路 F8 到这里,这个 jmp eax 就是飞向 OEP 的那一跳,再按一次 F8 就落在 OEP
004B6DB3  5F                pop edi
004B6DB4  5E                pop esi
004B6DB5  5B                pop ebx
004B6DB6  C9                leave
004B6DB7  C3                retn
⑥
0042C9FE  55                push ebp                            ; kernel32.7C816D4F ;到达 OEP = 0042C9FE(基址 00400000,RVA = 0002C9FE)。下面是典型的 VC CRT 启动代码(挂 SEH 帧然后 call GetVersion),说明没跑过头。现在用 LordPE 完整 dump 进程
0042C9FF  8BEC              mov ebp,esp
0042CA01  6A FF             push -1
0042CA03  68 68594500       push eXPresso.00455968
0042CA08  68 F0164300       push eXPresso.004316F0              ;SEH 处理函数
0042CA0D  64:A1 00000000    mov eax,dword ptr fs:[0]
0042CA13  50                push eax
0042CA14  64:8925 00000000  mov dword ptr fs:[0],esp            ;挂上 SEH 链
0042CA1B  83EC 58           sub esp,58
0042CA1E  53                push ebx
0042CA1F  56                push esi
0042CA20  57                push edi
0042CA21  8965 E8           mov dword ptr ss:[ebp-18],esp
0042CA24  FF15 5C134500     call dword ptr ds:[45135C]          ; kernel32.GetVersion
⑦
用 ImportREC 修复输入表(Fix IAT):选中进程,OEP 填 0002C9FE(0042C9FE - 00400000),IAT AutoSearch → Get Imports → 检查没有无效指针(壳在 ③④ 的循环里已经把 IAT 填好,一般能直接找到)→ Fix Dump 到刚才 dump 出来的文件。运行修复后的文件确认不再弹 demo 提示框,完工。
----------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢! 写的不错,顶你