FSG2.0脱壳动画【野猫III进】

痕迹 · 发表于 2006-6-14 23:29:41

謝謝老大了
支持中

微微虫 · 发表于 2006-6-21 17:02:27

我昨天下载过来脱了，修复时后不能运行，没反应
可能动画技术上不够完整
今天重做了一次，行了。
谢谢了！！
不过对于有自我较验的加FSG2.0 的壳？？

[ 本帖最后由微微虫于 2006-6-22 19:02 编辑 ]

网游难民 · 发表于 2006-6-24 22:33:48

这个东西不好修复,看看老大怎么弄的~~

bad12003 · 发表于 2006-6-25 08:40:20

嘿嘿，回了再下

saojiang · 发表于 2006-6-28 11:01:04

感谢分享的说

寒湖鹤影 · 发表于 2006-7-3 08:28:49

老大的OD弹出的右键菜单和我的不一样，
什么hit那一项，我的OD就没有，老大能不能再详细说一下，为什么要那么找RVA和SIZE,以及为什么从那里找而不从别的地方找，还有右键那一项是什么意思，动画太快了，看不太明白

快雪时晴 · 发表于 2006-7-3 10:38:25

现在论坛的速度可真快，是免费空间？

野猫III · 发表于 2006-7-3 11:18:26

原帖由 快雪时晴 于 2006-7-3 10:38 发表
现在论坛的速度可真快，是免费空间？

不是的，是咱们论坛的一位朋友支持飘云阁送的。

快雪时晴 · 发表于 2006-7-3 12:06:15

FSG2.0加壳记事本脱壳

ALT+M对CODE段下内存写中断，F9，跟踪几步发现在写内存1001000处，并来到这里

010001BC F3:A4    rep    movs byte ptr es:[edi], byte ptr [esi]
010001BE 5E       pop    esi
010001BF  ^ EB 9F    jmp    short 01000160
010001C1 5E       pop    esi
010001C2 AD       lods dword ptr [esi]
010001C3 97       xchg eax, edi
010001C4 AD       lods dword ptr [esi]
010001C5 50       push eax                                     ; 下一个DLL
010001C6 FF53 10 call [ebx+10]                               ; ds:[0101F480]=77E80221 (KERNEL32.LoadLibraryA)
010001C9 95       xchg eax, ebp
010001CA 8B07    mov    eax, [edi]
010001CC 40       inc    eax
010001CD  ^ 78 F3    js    short 010001C2
010001CF 75 03    jnz    short 010001D4
010001D1 FF63 0C jmp    [ebx+C] ;只有这里才能跳出循环，下断点
010001D4 50       push eax
010001D5 55       push ebp
010001D6 FF53 14 call [ebx+14]                               ; ds:[0101F484]=77E80CAB (KERNEL32.GetProcAddress)
010001D9 AB       stos dword ptr es:[edi]
010001DA  ^ EB EE    jmp    short 010001CA

从“010001D1 FF63 0C jmp    [ebx+C]”跳出来到达0100739D，
把地址0100739D以后所有代码选上，右键-〉分析-〉视作command

0100739D    6A 70 push 70
0100739F    68 9818>push 01001898
010073A4    E8 BF01>call 01007568
010073A9    33DB xor    ebx, ebx
010073AB    53    push ebx
010073AC    8B3D CC>mov    edi, [10010CC]                         ;  KERNEL32.GetModuleHandleA
010073B2    FFD7 call edi

此时，所有DLL和API解析完毕，再次ALT+M，CTRL+G 010010000，右键--〉long--〉地址，
整齐的IAT表出现了，OFFSET=010010000 SIZE=344

01001000  796F4ABA    ADVAPI32.RegQueryValueExW
01001004  796F45B2    ADVAPI32.RegCloseKey
01001008  796E9954    ADVAPI32.RegCreateKeyW
0100100C  796E83F1    ADVAPI32.IsTextUnicode
01001010  796EF5E6    ADVAPI32.RegQueryValueExA
01001014  796EF4C0    ADVAPI32.RegOpenKeyExA
01001018  796EE5CB    ADVAPI32.RegSetValueExW
0100101C  7FFFFFFF
01001020  717514D8    COMCTL32.CreateStatusWindowW
01001024  7FFFFFFF
01001028  77F608BF    GDI32.EndPage
0100102C  77F60A90    GDI32.AbortDoc
01001030  77F609C0    GDI32.EndDoc
01001034  77F44B1E    GDI32.DeleteDC
01001038  77F608DB    GDI32.StartPage
0100103C  77F528FA    GDI32.GetTextExtentPoint32W
01001040  77F5296F    GDI32.CreateDCW
01001044  77F611A4    GDI32.SetAbortProc
01001048  77F4DA75    GDI32.GetTextFaceW
0100104C  77F43209    GDI32.TextOutW
01001050  77F60CB8    GDI32.StartDocW
01001054  77F56CFE    GDI32.EnumFontsW
01001058  77F458BF    GDI32.GetStockObject
0100105C  77F46EA7    GDI32.GetObjectW
01001060  77F44DA1    GDI32.GetDeviceCaps
01001064  77F4356F    GDI32.CreateFontIndirectW
01001068  77F42EC7    GDI32.DeleteObject
0100106C  77F47BE8    GDI32.GetTextMetricsW
01001070  77F4243E    GDI32.SetBkMode
01001074  77F47E12    GDI32.LPtoDP
01001078  77F47096    GDI32.SetWindowExtEx
0100107C  77F48972    GDI32.SetViewportExtEx
01001080  77F46486    GDI32.SetMapMode
01001084  77F41D10    GDI32.SelectObject
01001088  7FFFFFFF
0100108C  77E8BB4F    KERNEL32.GetCurrentThreadId
01001090  77E6EDD2    KERNEL32.GetTickCount
01001094  77E845D7    KERNEL32.QueryPerformanceCounter
01001098  77E6EC16    KERNEL32.GetLocalTime
0100109C  77EA10A3    KERNEL32.GetUserDefaultLCID
010010A0  77EABF09    KERNEL32.GetDateFormatW
010010A4  77EABD7F    KERNEL32.GetTimeFormatW
010010A8  77E7E08F    KERNEL32.GlobalLock
010010AC  77E7E237    KERNEL32.GlobalUnlock
010010B0  77E76792    KERNEL32.GetFileInformationByHandle
010010B4  77E76F47    KERNEL32.CreateFileMappingW
010010B8  77E6ED16    KERNEL32.GetSystemTimeAsFileTime
010010BC  77E86A51    KERNEL32.TerminateProcess
010010C0  77E87909    KERNEL32.GetCurrentProcess
010010C4  77E8BC45    KERNEL32.SetUnhandledExceptionFilter
010010C8  77E80221    KERNEL32.LoadLibraryA
010010CC  77E80B1A    KERNEL32.GetModuleHandleA
010010D0  77E86B5E    KERNEL32.GetStartupInfoA
010010D4  77E7E533    KERNEL32.GlobalFree
010010D8  77EA1245    KERNEL32.GetLocaleInfoW
010010DC  77E692B8    KERNEL32.LocalFree
010010E0  77E69129    KERNEL32.LocalAlloc
010010E4  77E7F462    KERNEL32.lstrlenW
010010E8  77E69547    KERNEL32.LocalUnlock
010010EC  77E69802    KERNEL32.CompareStringW
010010F0  77E69625    KERNEL32.LocalLock
010010F4  77EA5690    KERNEL32.FoldStringW
010010F8  77E67E6D    KERNEL32.CloseHandle
010010FC  77E6AB2C    KERNEL32.lstrcpyW
01001100  77E761B4    KERNEL32.ReadFile
01001104  77E7C229    KERNEL32.CreateFileW
01001108  77E6B2D1    KERNEL32.lstrcmpiW
0100110C  77E8790D    KERNEL32.GetCurrentProcessId
01001110  77E80CAB    KERNEL32.GetProcAddress
01001114  77E86E45    KERNEL32.GetCommandLineW
01001118  77E7F407    KERNEL32.lstrcatW
0100111C  77E758BE    KERNEL32.FindClose
01001120  77E75615    KERNEL32.FindFirstFileW
01001124  77E7741C    KERNEL32.GetFileAttributesW
01001128  77E6AAC8    KERNEL32.lstrcmpW
0100112C  77E6B5E0    KERNEL32.MulDiv
01001130  77E7F377    KERNEL32.lstrcpynW
01001134  77E7F4BF    KERNEL32.LocalSize
01001138  77E68265    KERNEL32.GetLastError
0100113C  77E7639C    KERNEL32.WriteFile
01001140  77E68252    KERNEL32.SetLastError
01001144  77EA906F    KERNEL32.WideCharToMultiByte
01001148  77E6A302    KERNEL32.LocalReAlloc
0100114C  77E7FDE2    KERNEL32.FormatMessageW
01001150  77EA106B    KERNEL32.GetUserDefaultUILanguage
01001154  77E76502    KERNEL32.SetEndOfFile
01001158  77E775F7    KERNEL32.DeleteFileW
0100115C  77EA811A    KERNEL32.GetACP
01001160  77E77279    KERNEL32.UnmapViewOfFile
01001164  77EA87E2    KERNEL32.MultiByteToWideChar
01001168  77E771A8    KERNEL32.MapViewOfFile
0100116C  77E8BD28    KERNEL32.UnhandledExceptionFilter
01001170  7FFFFFFF
01001174  790044BB    SHELL32.DragFinish
01001178  78FC610D    SHELL32.DragQueryFileW
0100117C  78FD0C0C    SHELL32.DragAcceptFiles
01001180  78FD13FC    SHELL32.ShellAboutW
01001184  7FFFFFFF
01001188  77E1C62B    USER32.GetClientRect
0100118C  77E1C1E3    USER32.SetCursor
01001190  77E1AAC7    USER32.ReleaseDC
01001194  77E1AAB4    USER32.GetDC
01001198  77E09187    USER32.DialogBoxParamW
0100119C  77E189A3    USER32.SetActiveWindow
010011A0  77E00DC9    USER32.GetKeyboardLayout
010011A4  77E1C133    USER32.DefWindowProcW
010011A8  77E13F1D    USER32.DestroyWindow
010011AC  77DFF38E    USER32.MessageBeep
010011B0  77E19E55    USER32.ShowWindow
010011B4  77E124E8    USER32.GetForegroundWindow
010011B8  77E1B4E2    USER32.IsIconic
010011BC  77E1B44B    USER32.GetWindowPlacement
010011C0  77E04A62    USER32.CharUpperW
010011C4  77E1B552    USER32.LoadStringW
010011C8  77E0F8EE    USER32.LoadAcceleratorsW
010011CC  77E116BD    USER32.GetSystemMenu
010011D0  77E02787    USER32.RegisterClassExW
010011D4  77E09659    USER32.LoadImageW
010011D8  77E22985    USER32.LoadCursorW
010011DC  77E00054    USER32.SetWindowPlacement
010011E0  77E123C2    USER32.CreateWindowExW
010011E4  77E0C063    USER32.GetDesktopWindow
010011E8  77E1BB82    USER32.GetFocus
010011EC  77E084D6    USER32.LoadIconW
010011F0  77E1B9CA    USER32.SetWindowTextW
010011F4  77E0806A    USER32.PostQuitMessage
010011F8  77E0B350    USER32.RegisterWindowMessageW
010011FC  77E1B1D2    USER32.UpdateWindow
01001200  77E080B8    USER32.SetScrollPos
01001204  77E1332E    USER32.CharLowerW
01001208  77E1C53F    USER32.PeekMessageW
0100120C  77E195AC    USER32.EnableWindow
01001210  77E1AA4B    USER32.DrawTextExW
01001214  77E09F33    USER32.CreateDialogParamW
01001218  77E16176    USER32.GetWindowTextW
0100121C  77E13277    USER32.GetSystemMetrics
01001220  77E0D262    USER32.MoveWindow
01001224  77E1B395    USER32.InvalidateRect
01001228  77E05C1C    USER32.WinHelpW
0100122C  77E1BE2F    USER32.GetDlgCtrlID
01001230  77E0596E    USER32.ChildWindowFromPoint
01001234  77E1CD38    USER32.ScreenToClient
01001238  77E1C797    USER32.GetCursorPos
0100123C  77E0F16B    USER32.SendDlgItemMessageW
01001240  77E1B7C8    USER32.SendMessageW
01001244  77E13EBD    USER32.CharNextW
01001248  77E0A495    USER32.CheckMenuItem
0100124C  77E009BB    USER32.CloseClipboard
01001250  77E0025D    USER32.IsClipboardFormatAvailable
01001254  77E009CC    USER32.OpenClipboard
01001258  77E0A5DC    USER32.GetMenuState
0100125C  77E0A3D8    USER32.EnableMenuItem
01001260  77E115B1    USER32.GetSubMenu
01001264  77E0A44F    USER32.GetMenu
01001268  77DFB70F    USER32.MessageBoxW
0100126C  77E1266A    USER32.SetWindowLongW
01001270  77E21760    USER32.GetWindowLongW
01001274  77E139AB    USER32.GetDlgItem
01001278  77E13AC0    USER32.SetFocus
0100127C  77E0A2A1    USER32.SetDlgItemTextW
01001280  77E1A0A0    USER32.wsprintfW
01001284  77E0F239    USER32.GetDlgItemTextW
01001288  77E16BC5    USER32.EndDialog
0100128C  77E19794    USER32.GetParent
01001290  77DFFECF    USER32.UnhookWinEvent
01001294  77E21E73    USER32.DispatchMessageW
01001298  77E21E49    USER32.TranslateMessage
0100129C  77E1BF08    USER32.TranslateAcceleratorW
010012A0  77E129CA    USER32.IsDialogMessageW
010012A4  77E23415    USER32.PostMessageW
010012A8  77E21EBB    USER32.GetMessageW
010012AC  77DFD504    USER32.SetWinEventHook
010012B0  FFFFFFFF
010012B4  777C4DD4    WINSPOOL.GetPrinterDriverW
010012B8  777C4964    WINSPOOL.ClosePrinter
010012BC  777C44A4    WINSPOOL.OpenPrinterW
010012C0  7FFFFFFF
010012C4  76B0987A    comdlg32.PageSetupDlgW
010012C8  76B0556C    comdlg32.FindTextW
010012CC  76B0E83C    comdlg32.PrintDlgExW
010012D0  76B05ABD    comdlg32.ChooseFontW
010012D4  76AF16E2    comdlg32.GetFileTitleW
010012D8  76AFED3F    comdlg32.GetOpenFileNameW
010012DC  76B0557C    comdlg32.ReplaceTextW
010012E0  76AFDFE8    comdlg32.CommDlgExtendedError
010012E4  76AFED9B    comdlg32.GetSaveFileNameW
010012E8  7FFFFFFF
010012EC  7800C03E    msvcrt._XcptFilter
010012F0  78007CDA    msvcrt._exit
010012F4  780011B7    msvcrt._c_exit
010012F8  780290A1    msvcrt.time
010012FC  78028D0E    msvcrt.localtime
01001300  78007CEB    msvcrt._cexit
01001304  780127FF    msvcrt.iswctype
01001308  7800BD6A    msvcrt._except_handler3
0100130C  780145C2    msvcrt._wtol
01001310  78027782    msvcrt.wcsncmp
01001314  7802197B    msvcrt._snwprintf
01001318  78007C53    msvcrt.exit
0100131C  7803A020    offset msvcrt._acmdln
01001320  78007EDA    msvcrt.__getmainargs
01001324  7800119B    msvcrt._initterm
01001328  78007778    msvcrt.__setusermatherr
0100132C  7803A670    offset msvcrt._adjust_fdiv
01001330  78007FB9    msvcrt.__p__commode
01001334  78007FD7    msvcrt.__p__fmode
01001338  7800776E    msvcrt.__set_app_type
0100133C  78001EC9    msvcrt._controlfp
01001340  780104FC    msvcrt.wcsncpy
01001344  7FFFFFFF
01001348  00000000

再仔细看这段，怎么那么像未加壳的记事本呀

0100739D    6A 70 push 70
0100739F    68 9818>push 01001898
010073A4    E8 BF01>call 01007568
010073A9    33DB xor    ebx, ebx
010073AB    53    push ebx
010073AC    8B3D CC>mov    edi, [10010CC]                ;  KERNEL32.GetModuleHandleA
010073B2    FFD7 call edi
010073B4    66:8138>cmp    word ptr [eax], 5A4D          ;  [eax]="MZ"?,  看是不是PE头
010073B9    75 1F jnz    short 010073DA
010073BB    8B48 3C mov    ecx, [eax+3C]
010073BE    03C8 add    ecx, eax
010073C0    8139 50>cmp    dword ptr [ecx], 4550
010073C6    75 12 jnz    short 010073DA
010073C8    0FB741 >movzx eax, word ptr [ecx+18]
010073CC    3D 0B01>cmp    eax, 10B
010073D1    74 1F je    short 010073F2
010073D3    3D 0B02>cmp    eax, 20B
010073D8    74 05 je    short 010073DF
010073DA    895D E4 mov    [ebp-1C], ebx
010073DD    EB 27 jmp    short 01007406
010073DF    83B9 84>cmp    dword ptr [ecx+84], 0E
010073E6 ^ 76 F2 jbe    short 010073DA
010073E8    33C0 xor    eax, eax
010073EA    3999 F8>cmp    [ecx+F8], ebx
010073F0    EB 0E jmp    short 01007400
010073F2    8379 74>cmp    dword ptr [ecx+74], 0E
010073F6 ^ 76 E2 jbe    short 010073DA
010073F8    33C0 xor    eax, eax
010073FA    3999 E8>cmp    [ecx+E8], ebx
01007400    0F95C0  setne al
01007403    8945 E4 mov    [ebp-1C], eax
01007406    895D FC mov    [ebp-4], ebx
01007409    6A 02 push 2
0100740B    FF15 38>call [1001338]                      ;  msvcrt.__set_app_type
01007411    59    pop    ecx
01007412    830D 9C>or    dword ptr [100AB9C], FFFFFFFF
01007419    830D A0>or    dword ptr [100ABA0], FFFFFFFF
01007420    FF15 34>call [1001334]                      ;  msvcrt.__p__fmode
01007426    8B0D B8>mov    ecx, [1009AB8]
0100742C    8908 mov    [eax], ecx
0100742E    FF15 30>call [1001330]                      ;  msvcrt.__p__commode
01007434    8B0D B4>mov    ecx, [1009AB4]
0100743A    8908 mov    [eax], ecx
0100743C    A1 2C13>mov    eax, [100132C]
01007441    8B00 mov    eax, [eax]
01007443    A3 A4AB>mov    [100ABA4], eax
01007448    E8 A701>call 010075F4
0100744D    391D 08>cmp    [1009608], ebx
01007453    75 0C jnz    short 01007461
01007455    68 F475>push 010075F4
0100745A    FF15 28>call [1001328]                      ;  msvcrt.__setusermatherr
01007460    59    pop    ecx
01007461    E8 7701>call 010075DD
01007466    68 1090>push 01009010
0100746B    68 0C90>push 0100900C
01007470    E8 5D01>call 010075D2                      ;  jmp 到 msvcrt._initterm
01007475    A1 B09A>mov    eax, [1009AB0]
0100747A    8945 DC mov    [ebp-24], eax
0100747D    8D45 DC lea    eax, [ebp-24]
01007480    50    push eax
01007481    FF35 AC>push dword ptr [1009AAC]
01007487    8D45 D4 lea    eax, [ebp-2C]
0100748A    50    push eax
0100748B    8D45 D0 lea    eax, [ebp-30]
0100748E    50    push eax
0100748F    8D45 CC lea    eax, [ebp-34]
01007492    50    push eax
01007493    FF15 20>call [1001320]                      ;  msvcrt.__getmainargs

对比不加壳的记事本：
01006420 > $  5>push ebp
01006421 .  8>mov    ebp, esp
01006423 .  6>push -1
01006425 .  6>push 01001888
0100642A .  6>push <jmp.&MSVCRT._except_handler3> ;  SE 处理程序安装
0100642F .  6>mov    eax, fs:[0]
01006435 .  5>push eax
01006436 .  6>mov    fs:[0], esp
0100643D .  8>add    esp, -68
01006440 .  5>push ebx
01006441 .  5>push esi
01006442 .  5>push edi
01006443 .  8>mov    [ebp-18], esp
01006446 .  C>mov    dword ptr [ebp-4], 0
0100644D .  6>push 2
0100644F .  F>call [<&MSVCRT.__set_app_type>]    ;  msvcrt.__set_app_type
01006455 .  8>add    esp, 4
01006458 .  C>mov    dword ptr [1009938], -1
01006462 .  C>mov    dword ptr [100993C], -1
0100646C .  F>call [<&MSVCRT.__p__fmode>]          ;  msvcrt.__p__fmode
01006472 .  8>mov    ecx, [1008844]
01006478 .  8>mov    [eax], ecx
0100647A .  F>call [<&MSVCRT.__p__commode>]       ;  msvcrt.__p__commode
01006480 .  8>mov    edx, [1008840]
01006486 .  8>mov    [eax], edx
01006488 .  A>mov    eax, [<&MSVCRT._adjust_fdiv>]
0100648D .  8>mov    ecx, [eax]
0100648F .  8>mov    [1009940], ecx
01006495 .  E>call 01006620
0100649A .  A>mov    eax, [10085C0]
0100649F .  8>test eax, eax
010064A1 .  7>jnz    short 010064B1
010064A3 .  6>push 01006610
010064A8 .  F>call [<&MSVCRT.__setusermatherr>]    ;  msvcrt.__setusermatherr
010064AE .  8>add    esp, 4
010064B1 >  E>call 010065F0
010064B6 .  6>push 0100800C
010064BB .  6>push 01008008
010064C0 .  E>call <jmp.&MSVCRT._initterm>
010064C5 .  8>add    esp, 8
010064C8 .  8>mov    edx, [100883C]
010064CE .  8>mov    [ebp-6C], edx
010064D1 .  8>lea    eax, [ebp-6C]
010064D4 .  5>push eax
010064D5 .  8>mov    ecx, [1008838]
010064DB .  5>push ecx
010064DC .  8>lea    edx, [ebp-64]
010064DF .  5>push edx
010064E0 .  8>lea    eax, [ebp-70]
010064E3 .  5>push eax
010064E4 .  8>lea    ecx, [ebp-60]
010064E7 .  5>push ecx
010064E8 .  F>call [<&MSVCRT.__getmainargs>]       ;  msvcrt.__getmainargs

虽然头部有点不同，但作用是一样地，就是检查PE头是否有效。

好了，DUMP吧，OEP=739D，然后ImpREC1.6final修复，IAT RVA=1000 SIZE=344，获取输入表，
显示有一个无效指针，把它剪切了，再看，IAT表完整显现了。
FIX DUMP，
运行修复后的程序，很好，正常运行。

收工！

快雪时晴，2006-7-3

快雪时晴 · 发表于 2006-7-3 13:28:03

FSG2.0手动脱壳flash录像
不为别的，仅试验下

		自动登录	找回密码
密码			加入我们

[PYG原创] FSG2.0脱壳动画【野猫III进】

我的脱壳笔记，详细+简单

挂个我做的flash动画

本帖子中包含更多资源