Unpacking the EXECryptor 2.3.9 main program
Tags: unpacking, unpacking techniques
2008-06-23, Monday, 17:18

I. Target: EXECryptor 2.3.9 main program
II. Tools: OllyDbg v1.10, ImportREC 1.6 Final, LordPE
III. Author: DarkBull#126.com
IV. Procedure:

1. Finding the OEP

First set OllyDbg to stop at the system breakpoint, hide OllyDbg, ignore all exceptions, and run the following ODbgScript:

data:
var hInstance
var codeseg
var vmseg
var ep
var oep
var temp

code:
; break on the first VirtualFree call, then return to the caller
gpa "VirtualFree","kernel32.dll"
bphws $RESULT,"x"
run
bphwc $RESULT
rtu
; read the entry point from the PE header: e_lfanew is at +3C,
; AddressOfEntryPoint is at +28 from the PE signature
gmi eip,MODULEBASE
mov hInstance,$RESULT
mov temp,$RESULT
add temp,3c
mov temp,[temp]
add temp,hInstance
add temp,28
mov temp,[temp]
add temp,hInstance
bc temp
mov ep,temp
; code section containing EIP; turn the popfd after the int3 (2E CC 9D) into a nop
gmemi eip,MEMORYBASE
mov codeseg,$RESULT
find $RESULT,#2ECC9D#
mov [$RESULT],#2ECC90#
; overwrite the start of EnumWindows with a stub that returns immediately (ret 8)
gpa "EnumWindows","user32.dll"
mov [$RESULT],#8BC09C85C09D0578563412C20800#
; in CreateThread, replace push [ebp+18] (dwCreationFlags) with push 4 (CREATE_SUSPENDED)
gpa "CreateThread","kernel32.dll"
find $RESULT,#FF7518#
mov [$RESULT],#6A0490#
; run until ZwCreateThread is reached, then until the PE entry point
gpa "ZwCreateThread","ntdll.dll"
bp $RESULT
loop1:
run
cmp eip,$RESULT
jne loop1
bc $RESULT
bp ep
loop2:
run
cmp eip,ep
jne loop2
bc ep
; memory breakpoint on the section just below the code section (the VM section);
; when it fires, EAX holds the OEP
mov temp,codeseg
sub temp,1
gmemi temp,MEMORYBASE
mov vmseg,$RESULT
gmemi temp,MEMORYSIZE
bprm vmseg,$RESULT
run
bpmc
mov oep,eax
sti
; run until execution actually reaches the OEP
bprm oep,1
loop3:
run
cmp eip,oep
jne loop3
bpmc
ret

2. Fixing the IAT

By inspection, the IAT starts at 004DD168 and ends at 004DD988. The IAT repair script:

data:
var base
var size
var iats
var iate
var fun
var cnt

code:
; module range [base, base+size) of the protected program
gmi eip,MODULEBASE
mov base,$RESULT
gmi eip,MODULESIZE
mov size,$RESULT
add size,base
mov iats,4DD168
mov iate,4DD988
mov cnt,0
; set up the stack the redirected stubs expect (addresses from the author's target)
exec
push 004d70f0
push 004d70a0
push 004d7050
push 004d7000
ende
loop1:
; slots that already point outside the module are real API addresses: skip them
mov fun,[iats]
cmp fun,base
jb next
cmp fun,size
ja next
; slot points at a protector stub inside the module: execute the stub with a
; hardware write breakpoint on the slot, so it stops once the real address is written
mov eip,fun
mov esp,0012ffb4
bphws iats,"w"
run
gn [iats]
cmp $RESULT,0
je pause1
bphwc iats
inc cnt
jmp next
pause1:
pause  ; no symbol resolved for the slot: fix manually
bphwc iats
next:
add iats,4
cmp iats,iate
ja end
jmp loop1
end:
eval "Already Found {cnt} Function!"
msg $RESULT
ret

3. Cross-platform fix

Clear the already-initialized data; the repair method is basically the same as for EXECryptor 2.2.6, with roughly 40-odd places to fix.

The scripts above and the unpacked program were tested on Windows XP and Windows 2003.
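As an added example (not part of the original post), the slot test the repair script applies can be run statically over a dumped IAT to see whether an unpacked dump is ready for ImportREC: a slot that still points back into the protected image is a protector stub, a slot inside a known module is a genuine import. Image range, module ranges and the IAT bytes below are constructed, hypothetical values.

```python
import struct

# Constructed sample values (hypothetical, not from the post's target):
# the image range of the protected program and the ranges of loaded modules.
IMAGE_BASE, IMAGE_SIZE = 0x00400000, 0x000E0000
MODULES = {
    "kernel32.dll": (0x7C800000, 0x000F6000),
    "user32.dll":   (0x7E410000, 0x00091000),
    "ntdll.dll":    (0x7C900000, 0x000B2000),
}

def classify_iat(iat_bytes, image_base, image_size, modules):
    """Classify each 32-bit IAT slot using the same test as the repair script:
    a slot pointing back inside the protected image is a protector stub (the
    script single-steps those), a slot inside a known module is already a
    real API address (the script skips those)."""
    out = []
    for off in range(0, len(iat_bytes) - 3, 4):
        val = struct.unpack_from("<I", iat_bytes, off)[0]
        if val == 0:
            kind = "null"                       # descriptor terminator / unresolved
        elif image_base <= val < image_base + image_size:
            kind = "redirected"                 # still points at a protector stub
        else:
            kind = "unknown"                    # neither image nor a known module
            for name, (mbase, msize) in modules.items():
                if mbase <= val < mbase + msize:
                    kind = "resolved:" + name   # genuine import, nothing to do
                    break
        out.append((off, val, kind))
    return out

def summarize(classified):
    """Count slots per category; the dump is ready for ImportREC only when
    no slot is still 'redirected'."""
    counts = {}
    for _, _, kind in classified:
        key = kind.split(":")[0]
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed IAT dump: two real imports, one stub inside the image, a null and a garbage slot.
SAMPLE_IAT = struct.pack("<5I", 0x7C801D7B, 0x004D7050, 0x7E4211C0, 0x00000000, 0x12345678)

if __name__ == "__main__":
    result = classify_iat(SAMPLE_IAT, IMAGE_BASE, IMAGE_SIZE, MODULES)
    for off, val, kind in result:
        print(f"IAT+{off:04x}: {val:08x} {kind}")
    print(summarize(result))
```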