脱TMD1.88,VC++7.0程序
【文章标题】: 脱TMD1.88,VC++7.0程序【文章作者】: wqhlgr
【软件名称】: XX外挂
【软件大小】: 1.15MB
【下载地址】: 文章最后有地址
【加壳方式】: Themida 1.88
【保护方式】: 加密壳
【编写语言】: VC++ 7.0
【使用工具】: PEID,OD,loadpe,ImportREC
【操作平台】: XP SP2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教
---------------------------------------------------------------------------------
今天无聊,随便再外挂网找了个外挂下载下来破解玩玩
OD载入,入口
0046A014 >B8 00000000 mov eax, 0
0046A019 60 pushad
0046A01A 0BC0 or eax, eax
0046A01C 74 68 je short 0046A086
0046A01E E8 00000000 call 0046A023
0046A023 58 pop eax
0046A024 05 53000000 add eax, 53
0046A029 8038 E9 cmp byte ptr , 0E9
0046A02C 75 13 jnz short 0046A041
0046A02E 61 popad
0046A02F EB 45 jmp short 0046A076
0046A031 DB2D 37A04600 fld tbyte ptr
一看就是TMD,先用脚本确定一下版本
查TMD版本脚本:
var tmp
var tmpbp
bc
BPHWCALL
gpa "GetLocalTime", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
gpa "VirtualAlloc", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
jeexit
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
GMEMI eip, MEMORYBASE //上面的等themida段解压完再在themida段查找
mov tmp,$RESULT
BPHWCALL
find tmp,#000004000000322E# //特征码,看了几个DLL的也是
cmp $RESULT,0
jz next
jmp message
next:
find tmp,#000004000000312E# //特征码
cmp $RESULT,0
jz exit
message:
mov eax,$RESULT
add eax,6
mov verStr,"Themida/winlicense version: "
mov verAddr,eax
READSTR ,5
add verStr,$RESULT
msg verStr
exit:
ret
查出是1.880
对付1.88用fxyang大侠的Themida & WinLicen 1.1.X - 1.9.X 系列脱壳脚本
脚本运行后提示script finished,check the oep place by yourself
停在了伪OEP,试了下用脚本修复OEP,在脚本插件点继续,结果脚本修复不能运行
于是重新载入运行脚本后手动修复OEP,提示script finished,check the oep place by yourself后停在0042518
00422518 68 6C254200 push 0042256C
0042251D 64:A1 00000000mov eax, dword ptr fs:
00422523 50 push eax
00422524 8B4424 10 mov eax, dword ptr
00422528 896C24 10 mov dword ptr , ebp
0042252C 8D6C24 10 lea ebp, dword ptr
00422530 2BE0 sub esp, eax
00422532 53 push ebx
00422533 56 push esi
00422534 57 push edi
00422535 8B45 F8 mov eax, dword ptr
00422538 8965 E8 mov dword ptr , esp
0042253B 50 push eax
0042253C 8B45 FC mov eax, dword ptr
0042253F C745 FC FFFFFFF>mov dword ptr , -1
00422546 8945 F8 mov dword ptr , eax
00422549 8D45 F0 lea eax, dword ptr
0042254C 64:A3 00000000mov dword ptr fs:, eax
00422552 C3 retn
ALT+M,在 代码 段下内存写入断点,F9运行,按4次后到了0041FE47.一个比较像OEP的地方
0041FDFE 48 dec eax
0041FDFF D6 salc
0041FE00 50 push eax
0041FE01 F9 stc
0041FE02 5A pop edx
0041FE03 9E sahf
0041FE04 EF out dx, eax
0041FE05 B4 96 mov ah, 96
0041FE07 3C 29 cmp al, 29
0041FE09 1E push ds
0041FE0A EE out dx, al
0041FE0B E4 F0 in al, 0F0
0041FE0D 45 inc ebp
0041FE0E 5C pop esp
0041FE0F 3AD0 cmp dl, al
0041FE11 4C dec esp
0041FE12 99 cdq
0041FE13 F1 int1
0041FE14 F6 ??? ; 未知命令
0041FE15 4A dec edx
0041FE16 BC CC77A051 mov esp, 51A077CC
0041FE1B 59 pop ecx
0041FE1C 6B9A 9005D4BB D>imul ebx, dword ptr , ->
0041FE23 B1 AC mov cl, 0AC
0041FE25 67:06 push es
0041FE27 95 xchg eax, ebp
0041FE28 B1 51 mov cl, 51
0041FE2A 58 pop eax
0041FE2B 5F pop edi
0041FE2C 16 push ss
0041FE2D 37 aaa
0041FE2E 55 push ebp
0041FE2F C0FB 1B sar bl, 1B
0041FE32 6D ins dword ptr es:, dx
0041FE33 E5 75 in eax, 75
0041FE35 625F F0 bound ebx, qword ptr
0041FE38 F67B F3 idiv byte ptr
0041FE3B 91 xchg eax, ecx
0041FE3C D39A 8B760C81 rcr dword ptr , cl
0041FE42 E6 FF out 0FF, al
0041FE44 7F 00 jg short 0041FE46
0041FE46 0089 35809045 add byte ptr , cl
0041FE4C 0083 F902740C add byte ptr , al
0041FE52 81CE 00800000 or esi, 8000
0041FE58 8935 80904500 mov dword ptr , esi
0041FE5E C1E0 08 shl eax, 8
0041FE61 03C2 add eax, edx
0041FE63 A3 84904500 mov dword ptr , eax
0041FE68 33F6 xor esi, esi
0041FE6A 56 push esi
0041FE6B 8B3D BC424400 mov edi, dword ptr ; KERNEL32.GetModuleHandleA
0041FE71 FFD7 call edi
看了一下应该是VC++7.0的
的程序,找了一个vc++7.0C程序参考,2进制复制,把0041FDFE到0041FE47覆盖掉变为
0041FDFE 6A 60 push 60
0041FE00 68 68B64200 push 0042B668
0041FE05 E8 D3140000 call 004212DD
0041FE0A BF 94000000 mov edi, 94
0041FE0F 8BC7 mov eax, edi
0041FE11 E8 6BE9FFFF call 0041E781
0041FE16 8965 E8 mov dword ptr , esp
0041FE19 8BF4 mov esi, esp
0041FE1B 893E mov dword ptr , edi
0041FE1D 56 push esi
0041FE1E FF15 AC824200 call dword ptr
0041FE24 8B4E 10 mov ecx, dword ptr
0041FE27 890D 3C704300 mov dword ptr , ecx
0041FE2D 8B46 04 mov eax, dword ptr
0041FE30 A3 48704300 mov dword ptr , eax
0041FE35 8B56 08 mov edx, dword ptr
0041FE38 8915 4C704300 mov dword ptr , edx
0041FE3E 8B76 0C mov esi, dword ptr
0041FE41 81E6 FF7F0000 and esi, 7FFF
0041FE47 8935 80904500 mov dword ptr , esi
0041FE4D 83F9 02 cmp ecx, 2
0041FE50 74 0C je short 0041FE5E
然后2进制查找FF25,
数据窗口跟随后找到
004442B87C812ADEKERNEL32.GetVersionExA
把第三个CALL里改为call dword ptr
然后找第一个CALL的地址 2进制查找64 A1 00 00 00 00 50 8B 44 24 10 89 6C 24 10 8D 6C 24 10 2B E0
然后到了00422518 68 6C254200 push 0042256C
0042251D 64:A1 00000000mov eax, dword ptr fs:
00422523 50 push eax
00422524 8B4424 10 mov eax, dword ptr
00422528 896C24 10 mov dword ptr , ebp
0042252C 8D6C24 10 lea ebp, dword ptr
00422530 2BE0 sub esp, eax
00422532 53 push ebx
第一个CALL改为CALL 00422518
再找第2个CALL 二进制查找F7 D8 03 C4 83 C0 04 85 00 94 8B 00
到了
00420B20 3D 00100000 cmp eax, 1000
00420B25 73 0E jnb short 00420B35
00420B27 F7D8 neg eax
00420B29 03C4 add eax, esp
00420B2B 83C0 04 add eax, 4
00420B2E 8500 test dword ptr , eax
00420B30 94 xchg eax, esp
00420B31 8B00 mov eax, dword ptr
则第二个CALL的值为CALL 00420b20
PUSH的值在可以在堆栈中找到
修复好的OEP为
0041FDFE > $6A 60 push 60
0041FE00.68 409A0000push 44A550
0041FE05.E8 0E270000call 00422518
0041FE0A.BF 94000000mov edi, 94
0041FE0F.8BC7 mov eax, edi
0041FE11.E8 0A0D0000call 00420B20
0041FE16.8965 E8 mov dword ptr , esp
0041FE19.8BF4 mov esi, esp
0041FE1B.893E mov dword ptr , edi
0041FE1D.56 push esi ; /pVersionInformation
0041FE1E.FF15 B8424400 call dword ptr [<&kernel32.GetVersion>; \GetVersionExA
0041FE24.8B4E 10 mov ecx, dword ptr
0041FE27.890D 3C704300 mov dword ptr , ecx
0041FE2D.8B46 04 mov eax, dword ptr
0041FE30.A3 48704300mov dword ptr , eax
0041FE35.8B56 08 mov edx, dword ptr
0041FE38.8915 4C704300 mov dword ptr , edx
0041FE3E.8B76 0C mov esi, dword ptr
0041FE41.81E6 FF7F0000 and esi, 7FFF
0041FE47.8935 40704300 mov dword ptr , esi
0041FE4D.83F9 02 cmp ecx,
0041FE50.74 0C je short 0041FE5E
在0041fdfe新建EIP,DUMP,然后IR修复,PEID查出VC++7.0,脱壳后正常运行。
最后感谢天草的帮助
脱文中的程序的下载地址http://www.rayfile.com/zh-cn/files/fcf5c154-00a3-11de-868e-0014221b798a/
[ 本帖最后由 wqhlgr 于 2009-2-26 21:22 编辑 ] 我记得这个版本的 可以脚本到最后 直接用OD的插件DUMP的:loveliness:
页:
[1]