Themida V1.3.5.5脱壳之delphi程序
【破解作者】 windycandy【使用工具】 OD,PEID,LordPE,ImprtREC F1.6
【破解平台】 Win9x/NT/2000/XP
【软件名称】 系统优化大师 V2005 Build06.01
【下载地址】见附件
【软件简介】 今年我们的英雄成功crackThemida,可以说是解密界的一新闻,但themia的脱壳
教程并不多见,近日在一蓑烟雨读得fly大侠大作<Themida V1.1.1.0 无驱动版
试炼普通保护方式脱壳>,成功将Themida.V1.3.5.5.加壳的98notepad脱掉,
遂用Themida.V1.3.5.5.对delphi编写的程序进行试验(将入口virtualization
调至0),本脱文可以说是fly大大那篇脱文的翻版,没有什么技术含量,献给与我一样
的菜鸟分享,高手则略过.如果需要对其中的原理进一步了解,请参照fly大大的文章
http://www.unpack.cn/viewthread.php?tid=2061&extra=page%3D19
【加壳方式】 Themida.V1.3.5.5
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【脱壳过程】
设置OD忽略所有异常,载入加壳程序后,停在:
00742014 y>B8 00000000 mov eax,0
00742019 60 pushad
0074201A 0BC0 or eax,eax
0074201C 74 58 je short yhds.00742076
0074201E E8 00000000 call yhds.00742023
00742023 58 pop eax
00742024 05 43000000 add eax,43
00742029 8038 E9 cmp byte ptr ds:,0E9
0074202C 75 03 jnz short yhds.00742031
0074202E 61 popad
0074202F EB 35 jmp short yhds.00742066
Alt+M 打开内存察看窗口,在代码段设置内存写入断点。连续Shift+F9三次后中断在
009327FC F3:A4 rep movs byte ptr es:,byte ptr ds:[>---------中断
009327FE C685 B50C3509 56 mov byte ptr ss:,56
00932805 68 396D1FD4 push D41F6D39
0093280A FFB5 CD253509 push dword ptr ss:
00932810 8D85 04D84009 lea eax,dword ptr ss:
00932816 FFD0 call eax
00932818 68 00800000 push 8000
0093281D 6A 00 push 0
0093281F 52 push edx
00932820 FFD0 call eax
中断后先F7一次,再F8到009327FE,接着在shift+F9两次,中断在
00939043 8908 mov dword ptr ds:,ecx------------中断
00939045 AD lods dword ptr ds:
00939046 C746 FC 00000000 mov dword ptr ds:,0
0093904D 89B5 7D203509 mov dword ptr ss:,esi
00939053 83F8 FF cmp eax,-1
00939056 0F85 20000000 jnz yhds.0093907C
0093905C 813E DDDDDDDD cmp dword ptr ds:,DDDDDDDD
00939062 0F85 14000000 jnz yhds.0093907C
00939068 C706 00000000 mov dword ptr ds:,0
0093906E 83C6 04 add esi,4
00939071 89B5 7D203509 mov dword ptr ss:,esi
这里说明一下,用98的notepad练习的时候,OD载入到这里只用两次就可以了,这个程序一共用了5次,可能是由于不同
语言编写的缘故,但是009327FC 和00939043 的汇编代码是一样的.
中断后,上下拉动鼠标,可以找到一段长长的代码: (对照fly大侠的注析来看这段代码)
009386F7 8B9D 95003509 mov ebx,dword ptr ss:
009386FD 8B0B mov ecx,dword ptr ds:
009386FF 83F9 00 cmp ecx,0
00938702 0F84 690A0000 je yhds.00939171-------------输入表处理完成后此处跳转
00938708 50 push eax
00938709 51 push ecx
0093870A 60 pushad
0093870B 33C0 xor eax,eax
0093870D 8985 15013509 mov dword ptr ss:,eax
00938713 BE 3C000000 mov esi,3C
00938718 037424 20 add esi,dword ptr ss:
0093871C 66:AD lods word ptr ds:
0093871E 034424 20 add eax,dword ptr ss:
00938722 8B70 78 mov esi,dword ptr ds:
00938725 037424 20 add esi,dword ptr ss:
00938729 8B7E 18 mov edi,dword ptr ds:
0093872C 89BD 452A3509 mov dword ptr ss:,edi
00938732 85FF test edi,edi
00938734 0F85 0A000000 jnz yhds.00938744
0093873A E8 3F100000 call yhds.0093977E
0093873F E9 91000000 jmp yhds.009387D5
00938744 51 push ecx
00938745 8BD7 mov edx,edi
00938747 6BD2 04 imul edx,edx,4
0093874A 8995 1D063509 mov dword ptr ss:,edx
00938750 6A 04 push 4
00938752 68 00100000 push 1000
00938757 52 push edx
00938758 6A 00 push 0
0093875A FF95 99283509 call dword ptr ss:
00938760 8985 11283509 mov dword ptr ss:,eax
00938766 8BD0 mov edx,eax
00938768 59 pop ecx
00938769 E8 10100000 call yhds.0093977E
0093876E 56 push esi
0093876F AD lods dword ptr ds:
00938770 034424 24 add eax,dword ptr ss:
00938774 97 xchg eax,edi
00938775 8BDF mov ebx,edi
00938777 57 push edi
00938778 32C0 xor al,al
0093877A AE scas byte ptr es:
0093877B ^ 0F85 F9FFFFFF jnz yhds.0093877A
00938781 5E pop esi
00938782 2BFB sub edi,ebx
00938784 52 push edx
00938785 8BD7 mov edx,edi
00938787 8BBD 8D0D3509 mov edi,dword ptr ss:
0093878D 83C9 FF or ecx,FFFFFFFF
00938790 33C0 xor eax,eax
00938792 8A06 mov al,byte ptr ds:
00938794 32C1 xor al,cl
00938796 46 inc esi
00938797 8B0487 mov eax,dword ptr ds:
0093879A C1E9 08 shr ecx,8
0093879D 33C8 xor ecx,eax
0093879F 4A dec edx
009387A0 ^ 0F85 EAFFFFFF jnz yhds.00938790
009387A6 8BC1 mov eax,ecx
009387A8 F7D0 not eax
009387AA 5A pop edx
009387AB 8902 mov dword ptr ds:,eax
009387AD 83C2 04 add edx,4
009387B0 52 push edx
009387B1 FF85 15013509 inc dword ptr ss:
009387B7 8B95 15013509 mov edx,dword ptr ss:
009387BD 3995 452A3509 cmp dword ptr ss:,edx
009387C3 0F84 0A000000 je yhds.009387D3
009387C9 5A pop edx
009387CA 5E pop esi
009387CB 83C6 04 add esi,4
009387CE ^ E9 9BFFFFFF jmp yhds.0093876E
009387D3 5A pop edx
009387D4 5E pop esi
009387D5 61 popad
009387D6 59 pop ecx
009387D7 58 pop eax
009387D8 C785 B5143509 00000000mov dword ptr ss:,0
009387E2 C785 69303509 00000000mov dword ptr ss:,0
009387EC 83BD 4CE84409 00 cmp dword ptr ss:,0
009387F3 0F84 08000000 je yhds.00938801
009387F9 8D9D AEE54309 lea ebx,dword ptr ss:
009387FF FFD3 call ebx
00938801 FF85 79113509 inc dword ptr ss:
00938807 83BD 79113509 64 cmp dword ptr ss:,64
0093880E 0F82 62000000 jb yhds.00938876
00938814 C785 79113509 01000000mov dword ptr ss:,1
0093881E 60 pushad
0093881F 8DB5 10E94409 lea esi,dword ptr ss:
00938825 8DBD 28044509 lea edi,dword ptr ss:
0093882B 2BFE sub edi,esi
0093882D 8BD7 mov edx,edi
0093882F 8BBD 8D0D3509 mov edi,dword ptr ss:
00938835 83C9 FF or ecx,FFFFFFFF
00938838 33C0 xor eax,eax
0093883A 8A06 mov al,byte ptr ds:
0093883C 32C1 xor al,cl
0093883E 46 inc esi
0093883F 8B0487 mov eax,dword ptr ds:
00938842 C1E9 08 shr ecx,8
00938845 33C8 xor ecx,eax
00938847 4A dec edx
00938848 ^ 0F85 EAFFFFFF jnz yhds.00938838
0093884E 8BC1 mov eax,ecx
00938850 F7D0 not eax
00938852 3985 B1293509 cmp dword ptr ss:,eax
00938858 0F84 17000000 je yhds.00938875
0093885E 83BD 75133509 00 cmp dword ptr ss:,0
00938865 0F85 0A000000 jnz yhds.00938875-------------------自校验path ①改成:jmp 00938875
0093886B C785 6D063509 01000000mov dword ptr ss:,1
00938875 61 popad
00938876 B9 27171E29 mov ecx,291E1727
0093887B BA 4806DB60 mov edx,60DB0648
00938880 AD lods dword ptr ds:
00938881 89B5 7D203509 mov dword ptr ss:,esi
00938887 C746 FC 00000000 mov dword ptr ds:,0
0093888E 3D EEEEEEEE cmp eax,EEEEEEEE
00938893 0F85 20000000 jnz yhds.009388B9
00938899 813E DDDDDDDD cmp dword ptr ds:,DDDDDDDD
0093889F 0F85 14000000 jnz yhds.009388B9
009388A5 C706 00000000 mov dword ptr ds:,0
009388AB 83C6 04 add esi,4
009388AE 89B5 7D203509 mov dword ptr ss:,esi
009388B4 E9 83080000 jmp yhds.0093913C
009388B9 8BD8 mov ebx,eax
009388BB 3385 6D063509 xor eax,dword ptr ss:
009388C1 C1C8 03 ror eax,3
009388C4 2BC2 sub eax,edx
009388C6 C1C0 10 rol eax,10
009388C9 33C1 xor eax,ecx
009388CB 899D 6D063509 mov dword ptr ss:,ebx
009388D1 3D 00000100 cmp eax,10000 ; UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"
009388D6 0F83 45000000 jnb yhds.00938921
009388DC 813E BBBBBBBB cmp dword ptr ds:,BBBBBBBB
009388E2 0F85 39000000 jnz yhds.00938921
009388E8 C706 00000000 mov dword ptr ds:,0
009388EE 83C6 04 add esi,4
009388F1 89B5 7D203509 mov dword ptr ss:,esi
009388F7 8B9D 95003509 mov ebx,dword ptr ss:
009388FD 8B0B mov ecx,dword ptr ds:
009388FF 8BD0 mov edx,eax
00938901 60 pushad
00938902 8BC2 mov eax,edx
00938904 2B85 912E3509 sub eax,dword ptr ss:
0093890A C1E0 02 shl eax,2
0093890D 0385 D9273509 add eax,dword ptr ss:
00938913 96 xchg eax,esi
00938914 AD lods dword ptr ds:
00938915 03C1 add eax,ecx
00938917 894424 1C mov dword ptr ss:,eax
0093891B 61 popad
0093891C E9 7C000000 jmp yhds.0093899D
00938921 51 push ecx
00938922 52 push edx
00938923 33C9 xor ecx,ecx
00938925 8B95 11283509 mov edx,dword ptr ss:
0093892B 3B02 cmp eax,dword ptr ds:
0093892D 0F84 38000000 je yhds.0093896B
00938933 83C2 04 add edx,4
00938936 41 inc ecx
00938937 3B8D 452A3509 cmp ecx,dword ptr ss:
0093893D ^ 0F85 E8FFFFFF jnz yhds.0093892B
00938943 8DB5 09E84409 lea esi,dword ptr ss:
00938949 8DBD 49233509 lea edi,dword ptr ss:
0093894F AC lods byte ptr ds:
00938950 84C0 test al,al
00938952 0F84 06000000 je yhds.0093895E
00938958 AA stos byte ptr es:
00938959 ^ E9 F1FFFFFF jmp yhds.0093894F
0093895E B8 07000000 mov eax,7
00938963 8D8D 124B3509 lea ecx,dword ptr ss:
00938969 FFE1 jmp ecx
0093896B 898D 15013509 mov dword ptr ss:,ecx
00938971 5A pop edx
00938972 59 pop ecx
00938973 56 push esi
00938974 8B9D 95003509 mov ebx,dword ptr ss:
0093897A 8B0B mov ecx,dword ptr ds:
0093897C 8B85 15013509 mov eax,dword ptr ss:
00938982 D1E0 shl eax,1
00938984 0385 DD2F3509 add eax,dword ptr ss:
0093898A 33F6 xor esi,esi
0093898C 96 xchg eax,esi
0093898D 66:AD lods word ptr ds:
0093898F C1E0 02 shl eax,2
00938992 0385 D9273509 add eax,dword ptr ss:
00938998 96 xchg eax,esi
00938999 AD lods dword ptr ds:
0093899A 03C1 add eax,ecx
0093899C 5E pop esi
0093899D 83BD 15083509 01 cmp dword ptr ss:,1
009389A4 0F84 39000000 je yhds.009389E3---------------判断是否是特殊DLL的特殊函数,是则加密。
path② 修改成 jmp 009389CE避免加密
009389AA 3B8D 250C3509 cmp ecx,dword ptr ss:
009389B0 0F84 2D000000 je yhds.009389E3
009389B6 3B8D 71103509 cmp ecx,dword ptr ss:
009389BC 0F84 21000000 je yhds.009389E3
009389C2 3B8D A1133509 cmp ecx,dword ptr ss:
009389C8 0F84 15000000 je yhds.009389E3
009389CE 8D9D 59FC4409 lea ebx,dword ptr ss:
009389D4 FFD3 call ebx
009389D6 8BF8 mov edi,eax
009389D8 8985 E12B3509 mov dword ptr ss:,eax
009389DE E9 3E060000 jmp yhds.00939021
009389E3 8D9D 59FC4409 lea ebx,dword ptr ss:
009389E9 FFD3 call ebx
009389EB 83BD 15083509 00 cmp dword ptr ss:,0
009389F2 0F84 1D000000 je yhds.00938A15
009389F8 3B85 3D093509 cmp eax,dword ptr ss:
009389FE 0F84 0C000000 je yhds.00938A10
00938A04 3B85 25303509 cmp eax,dword ptr ss:
00938A0A 0F85 05000000 jnz yhds.00938A15
00938A10 ^ E9 B9FFFFFF jmp yhds.009389CE
00938A15 3B85 25023509 cmp eax,dword ptr ss:
00938A1B 0F85 18000000 jnz yhds.00938A39
00938A21 83BD 1D203509 00 cmp dword ptr ss:,0
00938A28 0F85 0B000000 jnz yhds.00938A39
00938A2E 8D85 0C964409 lea eax,dword ptr ss:
00938A34 ^ E9 95FFFFFF jmp yhds.009389CE
00938A39 3B85 25023509 cmp eax,dword ptr ss:
00938A3F ^ 0F84 89FFFFFF je yhds.009389CE
00938A45 83BD 05E84409 01 cmp dword ptr ss:,1
00938A4C 0F85 17000000 jnz yhds.00938A69
00938A52 3B85 64E84409 cmp eax,dword ptr ss:
00938A58 0F85 0B000000 jnz yhds.00938A69
00938A5E 8D85 90035800 lea eax,dword ptr ss:
00938A64 ^ E9 6DFFFFFF jmp yhds.009389D6
00938A69 33FF xor edi,edi
00938A6B 83BD 29133509 00 cmp dword ptr ss:,0
00938A72 0F84 E9020000 je yhds.00938D61
00938A78 3B85 50E84409 cmp eax,dword ptr ss:
00938A7E 75 07 jnz short yhds.00938A87
00938A80 8B85 F5003509 mov eax,dword ptr ss:
00938A86 47 inc edi
00938A87 3B85 58E84409 cmp eax,dword ptr ss:
00938A8D 75 07 jnz short yhds.00938A96
00938A8F 8B85 CD303509 mov eax,dword ptr ss:
00938A95 47 inc edi
00938A96 3B85 54E84409 cmp eax,dword ptr ss:
00938A9C 75 07 jnz short yhds.00938AA5
00938A9E 8B85 89063509 mov eax,dword ptr ss:
00938AA4 47 inc edi
00938AA5 3B85 5CE84409 cmp eax,dword ptr ss:
00938AAB 75 07 jnz short yhds.00938AB4
00938AAD 8B85 812E3509 mov eax,dword ptr ss:
00938AB3 47 inc edi
00938AB4 3B85 60E84409 cmp eax,dword ptr ss:
00938ABA 75 07 jnz short yhds.00938AC3
00938ABC 8B85 090D3509 mov eax,dword ptr ss:
00938AC2 47 inc edi
00938AC3 3B85 64E84409 cmp eax,dword ptr ss:
00938AC9 75 07 jnz short yhds.00938AD2
00938ACB 8B85 5D1F3509 mov eax,dword ptr ss:
00938AD1 47 inc edi
00938AD2 3B85 68E84409 cmp eax,dword ptr ss:
00938AD8 75 07 jnz short yhds.00938AE1
00938ADA 8B85 69113509 mov eax,dword ptr ss:
00938AE0 47 inc edi
00938AE1 3B85 6CE84409 cmp eax,dword ptr ss:
00938AE7 75 07 jnz short yhds.00938AF0
00938AE9 8B85 AD303509 mov eax,dword ptr ss:
00938AEF 47 inc edi
00938AF0 3B85 70E84409 cmp eax,dword ptr ss:
00938AF6 75 07 jnz short yhds.00938AFF
00938AF8 8B85 211C3509 mov eax,dword ptr ss:
00938AFE 47 inc edi
00938AFF 3B85 74E84409 cmp eax,dword ptr ss:
00938B05 75 07 jnz short yhds.00938B0E
00938B07 8B85 4D213509 mov eax,dword ptr ss:
00938B0D 47 inc edi
00938B0E 3B85 7CE84409 cmp eax,dword ptr ss:
00938B14 75 07 jnz short yhds.00938B1D
00938B16 8B85 D9283509 mov eax,dword ptr ss:
00938B1C 47 inc edi
00938B1D 3B85 78E84409 cmp eax,dword ptr ss:
00938B23 75 07 jnz short yhds.00938B2C
00938B25 8B85 CD013509 mov eax,dword ptr ss:
00938B2B 47 inc edi
00938B2C 83BD 7D293509 00 cmp dword ptr ss:,0
00938B33 74 0F je short yhds.00938B44
00938B35 3B85 04E94409 cmp eax,dword ptr ss:
00938B3B 75 07 jnz short yhds.00938B44
00938B3D 8B85 49003509 mov eax,dword ptr ss:
00938B43 47 inc edi
00938B44 83BD 39213509 00 cmp dword ptr ss:,0
00938B4B 74 72 je short yhds.00938BBF
00938B4D 83BD A1293509 00 cmp dword ptr ss:,0
00938B54 74 69 je short yhds.00938BBF
00938B56 3B85 E8E84409 cmp eax,dword ptr ss:
00938B5C 75 07 jnz short yhds.00938B65
00938B5E 8B85 110C3509 mov eax,dword ptr ss:
00938B64 47 inc edi
00938B65 3B85 F8E84409 cmp eax,dword ptr ss:
00938B6B 75 07 jnz short yhds.00938B74
00938B6D 8B85 15213509 mov eax,dword ptr ss:
00938B73 47 inc edi
00938B74 3B85 ECE84409 cmp eax,dword ptr ss:
00938B7A 75 07 jnz short yhds.00938B83
00938B7C 8B85 A5273509 mov eax,dword ptr ss:
00938B82 47 inc edi
00938B83 3B85 FCE84409 cmp eax,dword ptr ss:
00938B89 75 07 jnz short yhds.00938B92
00938B8B 8B85 A10B3509 mov eax,dword ptr ss:
00938B91 47 inc edi
00938B92 3B85 00E94409 cmp eax,dword ptr ss:
00938B98 75 07 jnz short yhds.00938BA1
00938B9A 8B85 ED113509 mov eax,dword ptr ss:
00938BA0 47 inc edi
00938BA1 3B85 F0E84409 cmp eax,dword ptr ss:
00938BA7 75 07 jnz short yhds.00938BB0
00938BA9 8B85 A90A3509 mov eax,dword ptr ss:
00938BAF 47 inc edi
00938BB0 3B85 F4E84409 cmp eax,dword ptr ss:
00938BB6 75 07 jnz short yhds.00938BBF
00938BB8 8B85 6D013509 mov eax,dword ptr ss:
00938BBE 47 inc edi
00938BBF 83BD A1293509 00 cmp dword ptr ss:,0
00938BC6 0F84 95010000 je yhds.00938D61
00938BCC 3B85 80E84409 cmp eax,dword ptr ss:
00938BD2 75 07 jnz short yhds.00938BDB
00938BD4 8B85 0D2E3509 mov eax,dword ptr ss:
00938BDA 47 inc edi
00938BDB 3B85 84E84409 cmp eax,dword ptr ss:
00938BE1 75 07 jnz short yhds.00938BEA
00938BE3 8B85 61283509 mov eax,dword ptr ss:
00938BE9 47 inc edi
00938BEA 3B85 88E84409 cmp eax,dword ptr ss:
00938BF0 75 07 jnz short yhds.00938BF9
00938BF2 8B85 0D123509 mov eax,dword ptr ss:
00938BF8 47 inc edi
00938BF9 3B85 8CE84409 cmp eax,dword ptr ss:
00938BFF 75 07 jnz short yhds.00938C08
00938C01 8B85 29093509 mov eax,dword ptr ss:
00938C07 47 inc edi
00938C08 3B85 90E84409 cmp eax,dword ptr ss:
00938C0E 75 07 jnz short yhds.00938C17
00938C10 8B85 5D2F3509 mov eax,dword ptr ss:
00938C16 47 inc edi
00938C17 3B85 94E84409 cmp eax,dword ptr ss:
00938C1D 75 07 jnz short yhds.00938C26
00938C1F 8B85 F1213509 mov eax,dword ptr ss:
00938C25 47 inc edi
00938C26 3B85 98E84409 cmp eax,dword ptr ss:
00938C2C 75 07 jnz short yhds.00938C35
00938C2E 8B85 B91C3509 mov eax,dword ptr ss:
00938C34 47 inc edi
00938C35 3B85 9CE84409 cmp eax,dword ptr ss:
00938C3B 75 07 jnz short yhds.00938C44
00938C3D 8B85 610D3509 mov eax,dword ptr ss:
00938C43 47 inc edi
00938C44 3B85 A0E84409 cmp eax,dword ptr ss:
00938C4A 75 07 jnz short yhds.00938C53
00938C4C 8B85 FD163509 mov eax,dword ptr ss:
00938C52 47 inc edi
00938C53 3B85 A8E84409 cmp eax,dword ptr ss:
00938C59 75 07 jnz short yhds.00938C62
00938C5B 8B85 D1053509 mov eax,dword ptr ss:
00938C61 47 inc edi
00938C62 3B85 A4E84409 cmp eax,dword ptr ss:
00938C68 75 07 jnz short yhds.00938C71
00938C6A 8B85 FD143509 mov eax,dword ptr ss:
00938C70 47 inc edi
00938C71 3B85 ACE84409 cmp eax,dword ptr ss:
00938C77 75 07 jnz short yhds.00938C80
00938C79 8B85 650B3509 mov eax,dword ptr ss:
00938C7F 47 inc edi
00938C80 3B85 B0E84409 cmp eax,dword ptr ss:
00938C86 75 07 jnz short yhds.00938C8F
00938C88 8B85 C92E3509 mov eax,dword ptr ss:
00938C8E 47 inc edi
00938C8F 3B85 B4E84409 cmp eax,dword ptr ss:
00938C95 75 07 jnz short yhds.00938C9E
00938C97 8B85 59033509 mov eax,dword ptr ss:
00938C9D 47 inc edi
00938C9E 3B85 B8E84409 cmp eax,dword ptr ss:
00938CA4 75 07 jnz short yhds.00938CAD
00938CA6 8B85 35023509 mov eax,dword ptr ss:
00938CAC 47 inc edi
00938CAD 3B85 BCE84409 cmp eax,dword ptr ss:
00938CB3 75 07 jnz short yhds.00938CBC
00938CB5 8B85 35303509 mov eax,dword ptr ss:
00938CBB 47 inc edi
00938CBC 3B85 C0E84409 cmp eax,dword ptr ss:
00938CC2 75 07 jnz short yhds.00938CCB
00938CC4 8B85 B12E3509 mov eax,dword ptr ss:
00938CCA 47 inc edi
00938CCB 3B85 C4E84409 cmp eax,dword ptr ss:
00938CD1 75 07 jnz short yhds.00938CDA
00938CD3 8B85 E9043509 mov eax,dword ptr ss:
00938CD9 47 inc edi
00938CDA 3B85 C8E84409 cmp eax,dword ptr ss:
00938CE0 75 07 jnz short yhds.00938CE9
00938CE2 8B85 49053509 mov eax,dword ptr ss:
00938CE8 47 inc edi
00938CE9 3B85 C1303509 cmp eax,dword ptr ss:
00938CEF 75 07 jnz short yhds.00938CF8
00938CF1 8B85 B5203509 mov eax,dword ptr ss:
00938CF7 47 inc edi
00938CF8 3B85 CCE84409 cmp eax,dword ptr ss:
00938CFE 75 07 jnz short yhds.00938D07
00938D00 8B85 012E3509 mov eax,dword ptr ss:
00938D06 47 inc edi
00938D07 3B85 D0E84409 cmp eax,dword ptr ss:
00938D0D 75 07 jnz short yhds.00938D16
00938D0F 8B85 8D153509 mov eax,dword ptr ss:
00938D15 47 inc edi
00938D16 3B85 D4E84409 cmp eax,dword ptr ss:
00938D1C 75 07 jnz short yhds.00938D25
00938D1E 8B85 F91C3509 mov eax,dword ptr ss:
00938D24 47 inc edi
00938D25 3B85 D8E84409 cmp eax,dword ptr ss:
00938D2B 75 07 jnz short yhds.00938D34
00938D2D 8B85 55053509 mov eax,dword ptr ss:
00938D33 47 inc edi
00938D34 3B85 DCE84409 cmp eax,dword ptr ss:
00938D3A 75 07 jnz short yhds.00938D43
00938D3C 8B85 350D3509 mov eax,dword ptr ss:
00938D42 47 inc edi
00938D43 3B85 E0E84409 cmp eax,dword ptr ss:
00938D49 75 07 jnz short yhds.00938D52
00938D4B 8B85 F1143509 mov eax,dword ptr ss:
00938D51 47 inc edi
00938D52 3B85 E4E84409 cmp eax,dword ptr ss:
00938D58 75 07 jnz short yhds.00938D61
00938D5A 8B85 0D2E3509 mov eax,dword ptr ss:
00938D60 47 inc edi
00938D61 0BFF or edi,edi
00938D63 0F84 05000000 je yhds.00938D6E
00938D69 ^ E9 68FCFFFF jmp yhds.009389D6
00938D6E 3B85 ED093509 cmp eax,dword ptr ss:
00938D74 0F85 0B000000 jnz yhds.00938D85
00938D7A 8D85 D7224409 lea eax,dword ptr ss:
00938D80 ^ E9 51FCFFFF jmp yhds.009389D6
00938D85 3B85 3D083509 cmp eax,dword ptr ss:
00938D8B 0F85 18000000 jnz yhds.00938DA9
00938D91 83BD 05E84409 01 cmp dword ptr ss:,1
00938D98 0F85 0B000000 jnz yhds.00938DA9
00938D9E 8D85 13035800 lea eax,dword ptr ss:
00938DA4 ^ E9 2DFCFFFF jmp yhds.009389D6
00938DA9 3B85 40E84409 cmp eax,dword ptr ss:
00938DAF 0F84 0C000000 je yhds.00938DC1
00938DB5 3B85 44E84409 cmp eax,dword ptr ss:
00938DBB 0F85 05000000 jnz yhds.00938DC6
00938DC1 ^ E9 10FCFFFF jmp yhds.009389D6
00938DC6 BE 00000000 mov esi,0
00938DCB 83FE 01 cmp esi,1
00938DCE 0F85 45000000 jnz yhds.00938E19
00938DD4 3B85 34E84409 cmp eax,dword ptr ss:
00938DDA 0F85 0B000000 jnz yhds.00938DEB
00938DE0 8D85 54905700 lea eax,dword ptr ss:
00938DE6 ^ E9 EBFBFFFF jmp yhds.009389D6
00938DEB 3B85 38E84409 cmp eax,dword ptr ss:
00938DF1 0F85 0B000000 jnz yhds.00938E02
00938DF7 8D85 CA905700 lea eax,dword ptr ss:
00938DFD ^ E9 D4FBFFFF jmp yhds.009389D6
00938E02 3B85 3CE84409 cmp eax,dword ptr ss:
00938E08 0F85 0B000000 jnz yhds.00938E19
00938E0E 8D85 0F915700 lea eax,dword ptr ss:
00938E14 ^ E9 BDFBFFFF jmp yhds.009389D6
00938E19 8BC0 mov eax,eax
00938E1B BE 01000000 mov esi,1
00938E20 0BF6 or esi,esi
00938E22 0F85 05000000 jnz yhds.00938E2D
00938E28 ^ E9 A1FBFFFF jmp yhds.009389CE
00938E2D 8BF0 mov esi,eax
00938E2F 89B5 152E3509 mov dword ptr ss:,esi
00938E35 89B5 ED273509 mov dword ptr ss:,esi
00938E3B 803E E9 cmp byte ptr ds:,0E9
00938E3E 0F85 26000000 jnz yhds.00938E6A
00938E44 8B7E 01 mov edi,dword ptr ds:
00938E47 03FE add edi,esi
00938E49 8BDE mov ebx,esi
00938E4B 81C3 00400000 add ebx,4000
00938E51 3BBD 152E3509 cmp edi,dword ptr ss:
00938E57 0F82 08000000 jb yhds.00938E65
00938E5D 3BFB cmp edi,ebx
00938E5F 0F86 05000000 jbe yhds.00938E6A
00938E65 ^ E9 64FBFFFF jmp yhds.009389CE
00938E6A 8BBD 250A3509 mov edi,dword ptr ss:
00938E70 C785 E1003509 00000000mov dword ptr ss:,0
00938E7A 60 pushad
00938E7B 89B5 ED273509 mov dword ptr ss:,esi
00938E81 8D9D E1014509 lea ebx,dword ptr ss:
00938E87 FFD3 call ebx
00938E89 0F82 22000000 jb yhds.00938EB1
00938E8F 8D9D 3E394309 lea ebx,dword ptr ss:
00938E95 FFD3 call ebx
00938E97 ^ 0F83 DEFFFFFF jnb yhds.00938E7B
00938E9D 8BB5 ED273509 mov esi,dword ptr ss:
00938EA3 89B5 E1003509 mov dword ptr ss:,esi
00938EA9 8D9D FFE54309 lea ebx,dword ptr ss:
00938EAF FFD3 call ebx
00938EB1 8B85 152E3509 mov eax,dword ptr ss:
00938EB7 8985 ED273509 mov dword ptr ss:,eax
00938EBD 61 popad
00938EBE 8D9D 0EFE4409 lea ebx,dword ptr ss:
00938EC4 FFD3 call ebx
00938EC6 8D9D 91FE4409 lea ebx,dword ptr ss:
00938ECC FFD3 call ebx
00938ECE 8D9D 32014509 lea ebx,dword ptr ss:
00938ED4 FFD3 call ebx
00938ED6 0F83 0C000000 jnb yhds.00938EE8
00938EDC 8385 ED273509 05 add dword ptr ss:,5
00938EE3 ^ E9 D6FFFFFF jmp yhds.00938EBE
00938EE8 8D9D 5B014509 lea ebx,dword ptr ss:
00938EEE FFD3 call ebx
00938EF0 0F83 08000000 jnb yhds.00938EFE
00938EF6 83C2 04 add edx,4
00938EF9 E9 32000000 jmp yhds.00938F30
00938EFE 8D9D 3E394309 lea ebx,dword ptr ss:
00938F04 FFD3 call ebx
00938F06 0F83 0B000000 jnb yhds.00938F17
00938F0C 8BB5 ED273509 mov esi,dword ptr ss:
00938F12 E9 27070000 jmp yhds.0093963E
00938F17 8B8D ED273509 mov ecx,dword ptr ss:
00938F1D 89B5 ED273509 mov dword ptr ss:,esi
00938F23 2BCE sub ecx,esi
00938F25 F7D9 neg ecx
00938F27 2BF1 sub esi,ecx
00938F29 F3:A4 rep movs byte ptr es:,byte ptr ds:[>
00938F2B ^ E9 8EFFFFFF jmp yhds.00938EBE
00938F30 8D9D AEE54309 lea ebx,dword ptr ss:
00938F36 FFD3 call ebx
00938F38 8BC7 mov eax,edi
00938F3A 2B85 250A3509 sub eax,dword ptr ss:
00938F40 8985 89163509 mov dword ptr ss:,eax
00938F46 8B85 250A3509 mov eax,dword ptr ss:
00938F4C 57 push edi
00938F4D 50 push eax
00938F4E 8D8D B9E64309 lea ecx,dword ptr ss:
00938F54 FFD1 call ecx
00938F56 8B85 112A3509 mov eax,dword ptr ss:
00938F5C 50 push eax
00938F5D 57 push edi
00938F5E 8B85 250A3509 mov eax,dword ptr ss:
00938F64 50 push eax
00938F65 8D8D E0E84309 lea ecx,dword ptr ss:
00938F6B FFD1 call ecx
00938F6D 8BD0 mov edx,eax
00938F6F 8BC8 mov ecx,eax
00938F71 2B8D 112A3509 sub ecx,dword ptr ss:
00938F77 83BD 85293509 00 cmp dword ptr ss:,0
00938F7E 0F84 2B000000 je yhds.00938FAF
00938F84 8B85 61003509 mov eax,dword ptr ss:
00938F8A 2B85 85293509 sub eax,dword ptr ss:
00938F90 3BC1 cmp eax,ecx
00938F92 0F86 17000000 jbe yhds.00938FAF
00938F98 8B85 292A3509 mov eax,dword ptr ss:
00938F9E 0385 85293509 add eax,dword ptr ss:
00938FA4 8985 E12B3509 mov dword ptr ss:,eax
00938FAA E9 43000000 jmp yhds.00938FF2
00938FAF 51 push ecx
00938FB0 8BC1 mov eax,ecx
00938FB2 48 dec eax
00938FB3 0D FF0F0000 or eax,0FFF
00938FB8 40 inc eax
00938FB9 8985 61003509 mov dword ptr ss:,eax
00938FBF 0185 AD033509 add dword ptr ss:,eax
00938FC5 C785 85293509 00000000mov dword ptr ss:,0
00938FCF 6A 40 push 40
00938FD1 68 00100000 push 1000
00938FD6 51 push ecx
00938FD7 6A 00 push 0
00938FD9 FF95 99283509 call dword ptr ss:
00938FDF FF95 B5163509 call dword ptr ss:
00938FE5 8985 292A3509 mov dword ptr ss:,eax
00938FEB 8985 E12B3509 mov dword ptr ss:,eax
00938FF1 59 pop ecx
00938FF2 FFB5 E12B3509 push dword ptr ss:
00938FF8 FFB5 112A3509 push dword ptr ss:
00938FFE 57 push edi
00938FFF FFB5 250A3509 push dword ptr ss:
00939005 8D85 74EB4309 lea eax,dword ptr ss:
0093900B FFD0 call eax
0093900D 018D 85293509 add dword ptr ss:,ecx
00939013 8BBD E12B3509 mov edi,dword ptr ss:
00939019 8BB5 112A3509 mov esi,dword ptr ss:
0093901F F3:A4 rep movs byte ptr es:,byte ptr ds:[>
00939021 8BB5 7D203509 mov esi,dword ptr ss:
00939027 AD lods dword ptr ds:
00939028 C746 FC 00000000 mov dword ptr ds:,0
0093902F C1C0 05 rol eax,5
00939032 05 27171E29 add eax,291E1727
00939037 0385 2D273509 add eax,dword ptr ss:
0093903D 8B8D E12B3509 mov ecx,dword ptr ss:
00939043 8908 mov dword ptr ds:,ecx--------------上面Shift+F9后中断在这里
将上面的path①和path②修改后,用HideOD申请一段内存地址, 我这里申请到的是02CF0000
将00939043改成jmp 02cf0000 --------------Patch③
00939045 AD lods dword ptr ds:
00939046 C746 FC 00000000 mov dword ptr ds:,0
0093904D 89B5 7D203509 mov dword ptr ss:,esi-------注意这行地址A
00939053 83F8 FF cmp eax,-1
00939056 0F85 20000000 jnz yhds.0093907C
0093905C 813E DDDDDDDD cmp dword ptr ds:,DDDDDDDD
00939062 0F85 14000000 jnz yhds.0093907C
00939068 C706 00000000 mov dword ptr ds:,0
0093906E 83C6 04 add esi,4
00939071 89B5 7D203509 mov dword ptr ss:,esi
00939077 ^ E9 5CF7FFFF jmp yhds.009387D8
0093907C C1C0 03 rol eax,3
0093907F 0385 2D273509 add eax,dword ptr ss:
00939085 83BD 59063509 01 cmp dword ptr ss:,1
0093908C 0F84 9D000000 je yhds.0093912F
00939092 813E AAAAAAAA cmp dword ptr ds:,AAAAAAAA
00939098 0F85 12000000 jnz yhds.009390B0
0093909E 83C6 04 add esi,4
009390A1 C746 FC 00000000 mov dword ptr ds:,0
009390A8 97 xchg eax,edi
009390A9 B0 E9 mov al,0E9
009390AB E9 03000000 jmp yhds.009390B3
009390B0 97 xchg eax,edi
009390B1 B0 E8 mov al,0E8
009390B3 50 push eax
009390B4 83BD 15083509 01 cmp dword ptr ss:,1
009390BB 0F84 3E000000 je yhds.009390FF
009390C1 B8 00010000 mov eax,100
009390C6 83BD 4CE84409 00 cmp dword ptr ss:,0
009390CD 0F84 08000000 je yhds.009390DB
009390D3 8D9D CDEE4309 lea ebx,dword ptr ss:
009390D9 FFD3 call ebx
009390DB 803F 90 cmp byte ptr ds:,90
009390DE 0F84 08000000 je yhds.009390EC
009390E4 83C7 05 add edi,5
009390E7 E9 43000000 jmp yhds.0093912F
009390EC 83F8 50 cmp eax,50
009390EF 0F82 0A000000 jb yhds.009390FF
009390F5 B0 90 mov al,90
009390F7 AA stos byte ptr es:
009390F8 58 pop eax
009390F9 AA stos byte ptr es:
009390FA E9 24000000 jmp yhds.00939123-----------Patch④jmp 02cf0014
009390FF 58 pop eax
00939100 AA stos byte ptr es:
00939101 807F FF E9 cmp byte ptr ds:,0E9
00939105 0F85 18000000 jnz yhds.00939123------------Patch⑤jmp 02cf0036
0093910B 83BD 4CE84409 00 cmp dword ptr ss:,0--------注意这行地址C
00939112 0F84 08000000 je yhds.00939120
00939118 8D9D 9DEE4309 lea ebx,dword ptr ss:
0093911E FFD3 call ebx
00939120 8847 04 mov byte ptr ds:,al------------Patch⑥ NOP 去掉加密
00939123 8B85 E12B3509 mov eax,dword ptr ss:---------注意这行的地址B
00939129 2BC7 sub eax,edi
0093912B 83E8 04 sub eax,4
0093912E AB stos dword ptr es:------Patch⑦NOP 去掉加密
0093912F AD lods dword ptr ds:
00939130 C746 FC 00000000 mov dword ptr ds:,0
00939137 ^ E9 11FFFFFF jmp yhds.0093904D-----循环处理每个DLL的函数
Patch⑧改为 jmp 02cf005F
0093913C 89B5 7D203509 mov dword ptr ss:,esi
00939142 52 push edx
00939143 68 00800000 push 8000
00939148 6A 00 push 0
0093914A FFB5 11283509 push dword ptr ss:
00939150 FF95 FD283509 call dword ptr ss:
00939156 5A pop edx
00939157 8B8D 95003509 mov ecx,dword ptr ss:
0093915D C701 00000000 mov dword ptr ds:,0
00939163 83C1 04 add ecx,4
00939166 898D 95003509 mov dword ptr ss:,ecx
0093916C ^ E9 86F5FFFF jmp yhds.009386F7
00939171 E9 4B060000 jmp yhds.009397C1----这里F2下断,输入表处理完成后中断在这里
在00939171 处F2下断后,CTRL+G:02CF0000到02CF0000写入path代码:(FLY大侠的代码)
02CF0000 A3 0004CF02 mov dword ptr ds:,eax
02CF0005 8908 mov dword ptr ds:,ecx
02CF0007 AD lods dword ptr ds:
02CF0008 C746 FC 00000000 mov dword ptr ds:,0
02CF000F - E9 3990C4FD jmp yhds.0093904D---------------------地址A
02CF0014 50 push eax
02CF0015 A1 0004CF02 mov eax,dword ptr ds:
02CF001A 8907 mov dword ptr ds:,eax
02CF001C 807F FF E8 cmp byte ptr ds:,0E8
02CF0020 75 08 jnz short 02CF002A
02CF0022 66:C747 FE FF15 mov word ptr ds:,15FF
02CF0028 EB 06 jmp short 02CF0030
02CF002A 66:C747 FE FF25 mov word ptr ds:,25FF
02CF0030 58 pop eax
02CF0031 - E9 ED90C4FD jmp yhds.00939123---------------------地址B
02CF0036 50 push eax
02CF0037 A1 0004CF02 mov eax,dword ptr ds:
02CF003C 8947 01 mov dword ptr ds:,eax
02CF003F 807F FF E8 cmp byte ptr ds:,0E8
02CF0043 75 08 jnz short 02CF004D
02CF0045 66:C747 FF FF15 mov word ptr ds:,15FF
02CF004B EB 06 jmp short 02CF0053
02CF004D 66:C747 FF FF25 mov word ptr ds:,25FF
02CF0053 58 pop eax
02CF0054 - 0F85 C990C4FD jnz yhds.00939123---------------------地址B
02CF005A - E9 AC90C4FD jmp yhds.0093910B---------------------地址C
02CF005F 83C7 04 add edi,4
02CF0062 - E9 E68FC4FD jmp yhds.0093904D---------------------地址A
02CF0067 90 nop
二进制代码:
A3 00 04 CF 02 89 08 AD C7 46 FC 00 00 00 00 E9 39 90 C4 FD 50 A1 00 04 CF 02 89 07 80 7F FF E8
75 08 66 C7 47 FE FF 15 EB 06 66 C7 47 FE FF 25 58 E9 ED 90 C4 FD 50 A1 00 04 CF 02 89 47 01 80
7F FF E8 75 08 66 C7 47 FF FF 15 EB 06 66 C7 47 FF FF 25 58 0F 85 C9 90 C4 FD E9 AC 90 C4 FD 83
C7 04 E9 E6 8F C4 FD 90
写好代码后,取消先前在code段下的内存断点,shift+F9,中断在00939171,到这里已经获得了IAT,现在找OEP.
在这里我按FLY大侠重开一个OD,shift+F9到程序运行后Ctrl+B在整个段块搜索Hex值:9D C3 E9找OEP的方法
没能成功,可能是我自己的操作问题,有成功经验的朋友希望介绍一下.
这里提供一个更快找themida保护程序OEP的方法,具体的原理是什么,我也不清楚,是一次偶然失误发现的(未必适
合所有程序)
在00939171处断下后,取消断点,ALT+M打开内存察看窗口,直接在代码段F2下断点。Shift+F9断在OEP处
0059F96C 55 push ebp-----------------OEP
0059F96D 8BEC mov ebp,esp
0059F96F 83C4 F0 add esp,-10
0059F972 53 push ebx
0059F973 B8 7CF15900 mov eax,yhds.0059F17C
0059F978 E8 8778E6FF call yhds.00407204
0059F97D 8B1D 183C5A00 mov ebx,dword ptr ds: ; yhds.005A4C38
0059F983 68 60FC5900 push yhds.0059FC60 ; ASCII "yyyy-MM-dd"
0059F988 6A 1F push 1F
0059F98A E8 157CE6FF call yhds.004075A4
0059F98F 50 push eax
0059F990 E8 877DE6FF call yhds.0040771C
0059F995 68 6CFC5900 push yhds.0059FC6C
到这里就可以用LordPE纠正大小后完整dump出来了,打开ImportREC F1.6, OEP:19F96C,自动搜索,获得有效指针
RAV:001A61F0, 大小:9CC,剪掉一个无效指针后修改dump出来的文件,修复后PEID0.94显示是Borland Delphi 6.0 - 7.0
编写的程序,修复后程序能正常运行.就是退出来时有出错提示(这个我就不知道怎么弄了,有请知道原因的朋友解
析一下).
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[ 本帖最后由 windycandy 于 2006-9-21 12:19 编辑 ] 才发现除了aspr壳和穿山甲壳还有Themida这样的猛壳,孤陋寡闻了,楼主这个壳如有时间可否做个动画,让我们这些莱鸟学习一下 对支持楼主做个动画 希望出个动画 原帖由 jjwspj 于 2006-9-19 21:07 发表
才发现除了aspr壳和穿山甲壳还有Themida这样的猛壳,孤陋寡闻了,楼主这个壳如有时间可否做个动画,让我们这些莱鸟学习一下
同感!希望能看到动画教程! 动画在这里:
https://www.chinapyg.com/viewthread.php?tid=7925&page=1&extra=page%3D1#pid50620 原帖由 windycandy 于 2006-9-21 11:06 发表
动画在这里:
https://www.chinapyg.com/viewthread.php?tid=7925&page=1&extra=page%3D1#pid50620
setup这个程序是插件,兄弟们删除了它吧。
下载解压就可以用了,主程序是:yhds.exe,祝平安! 原帖由 windycandy 于 2006-9-21 11:06 发表
动画在这里:
https://www.chinapyg.com/viewthread.php?tid=7925&page=1&extra=page%3D1#pid50620
setup这个程序是插件,兄弟们删除了它吧。
下载解压就可以用了,主程序是:yhds.exe,祝平安! 原帖由 野猫III 于 2006-9-21 11:59 发表
setup这个程序是插件,兄弟们删除了它吧。
下载解压就可以用了,主程序是:yhds.exe,祝平安!
谢谢猫提醒,已修改,重新上传