北斗nspack2.3 dll脱壳,脱壳,脱壳技术 2008年06月23日 星期一 下午 07:26 【破解作者】 stasi[DCM][BCG][DFCG][FCG][OCN][CZG][D.4s] 【作者邮箱】 stasi@163.com 【使用工具】 od 【破解平台】 Win9x/NT/2000/XP 【软件名称】 北斗nspack2.3 【下载地址】 www.nsdsn.com 【软件简介】 北斗nspack2.3 国产优秀加壳软件 【软件大小】 5k 【加壳方式】 nspack2.3 【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:) -------------------------------------------------------------------------------- 【破解内容】 下载了有两个版本的北斗2.3和2.6,2.6脱壳不能跨平台,就只有2.3可用。 北斗加密dll,可以选择处理重定位表,直接在oep处脱壳后,找不到重定位表,说明壳对重定位表动过手脚(原文写作"输出表",按上下文应指重定位表;dll 若没有重定位表,一旦不能在首选基址加载就会出错,所以必须还原)。 100045F8 R> 9C pushfd **** entry point 100045F9 60 pushad 100045FA E8 00000000 call REALIGN.100045FF 100045FF 5D pop ebp 10004600 B8 07000000 mov eax,7 10004605 2BE8 sub ebp,eax ; ebp = 100045F8,即壳入口本身,壳用它计算自身的基址差 10004607 8DB5 88FEFFFF lea esi,dword ptr ss:[ebp-178] 1000460D 8B06 mov eax,dword ptr ds:[esi] 1000460F 83F8 00 cmp eax,0 10004612 74 11 je short REALIGN.10004625 0006FB6C 100045F8 offset REALIGN. 0006FB70 0006FBA0 0006FB74 0006FBAC 0006FB78 0006FB8C hr 0006FB6C (ESP 定律:在 pushad 之后的栈顶下硬件读断点,壳恢复寄存器时断在下面的 popfd) 10004871 9D popfd 10004872 - E9 EAD2FFFF jmp REALIGN.10001B61 10004877 8BB5 3CFEFFFF mov esi,dword ptr ss:[ebp-1C4] 1000487D 0BF6 or esi,esi 1000487F 0F84 97000000 je REALIGN.1000491C 10001B61 /. 55 push ebp **** oep=1B61 10001B62 |. 8BEC mov ebp,esp 10001B64 |. 53 push ebx 10001B65 |. 8B5D 08 mov ebx,dword ptr ss:[ebp+8] 10001B68 |. 56 push esi 10001B69 |. 8B75 0C mov esi,dword ptr ss:[ebp+C] 10001B6C |. 57 push edi 10001B6D |. 8B7D 10 mov edi,dword ptr ss:[ebp+10] 10001B70 |. 85F6 test esi,esi 10001B72 |. 75 09 jnz short REALIGN.10001B7D 10001B74 |. 
833D 041C0010 >cmp dword ptr ds:[10001C04],0 size=48 的输入表 10001000 77903039 IMAGEHLP.ImageNtHeader 10001004 00000000 10001008 77E69168 KERNEL32.CloseHandle 1000100C 77E6F2A6 KERNEL32.SetEndOfFile 10001010 77E7C912 KERNEL32.DisableThreadLibraryCalls 10001014 77E7D7CC KERNEL32.SetFilePointer 10001018 77E757E2 KERNEL32.CreateFileA 1000101C 77E732AF KERNEL32.GlobalFree 10001020 77E716B4 KERNEL32.GlobalAlloc 10001024 77E7154E KERNEL32.SetHandleCount 10001028 77E6A63A KERNEL32.LoadResource 1000102C 77E7D38D KERNEL32.FindResourceA 10001030 00000000 10001034 780014A9 10001038 7800BD6A 1000103C 78001DB0 10001040 7800119B 10001044 7801F4E5 10001048 7803A670 基址重定位表可手动修复: 找到重定位代码 1000108C 1000170B REALIGN.1000170B 10001090 10001711 REALIGN.10001711 1000109C 100019E9 REALIGN.100019E9 100010A0 100019EF REALIGN.100019EF 。 。 。 1000446C 10001000 REALIGN.10001000 100044B0 10001000 REALIGN.10001000 自己构造基址重定位表: unsigned char data[320] = { 0x00, 0x10, 0x00, 0x00, 0x30, 0x01, 0x00, 0x00, 0x8C, 0x30, 0x90, 0x30, 0x9C, 0x30, 0xA0, 0x30, 0xBD, 0x30, 0xC3, 0x30, 0xEA, 0x30, 0x07, 0x31, 0x0E, 0x31, 0x15, 0x31, 0x3D, 0x31, 0x6F, 0x31, 0x96, 0x31, 0x9B, 0x31, 0xBE, 0x31, 0xDE, 0x31, 0xE4, 0x31, 0xFD, 0x31, 0x26, 0x32, 0x77, 0x32, 0x8D, 0x32, 0xAE, 0x32, 0xBD, 0x32, 0xC2, 0x32, 0xC8, 0x32, 0xCF, 0x32, 0xD9, 0x32, 0xE0, 0x32, 0xEA, 0x32, 0x1D, 0x33, 0x25, 0x33, 0x2B, 0x33, 0x30, 0x33, 0x4D, 0x33, 0x63, 0x33, 0x75, 0x33, 0x7B, 0x33, 0x83, 0x33, 0xA5, 0x33, 0xAD, 0x33, 0xB3, 0x33, 0xBE, 0x33, 0xC9, 0x33, 0xCF, 0x33, 0xE6, 0x33, 0xEC, 0x33, 0xF4, 0x33, 0xFD, 0x33, 0x0B, 0x34, 0x11, 0x34, 0x1A, 0x34, 0x20, 0x34, 0x2B, 0x34, 0x35, 0x34, 0x3E, 0x34, 0x47, 0x34, 0x4D, 0x34, 0x53, 0x34, 0x5F, 0x34, 0x81, 0x34, 0x9A, 0x34, 0xA1, 0x34, 0xAC, 0x34, 0xB3, 0x34, 0xBF, 0x34, 0xC5, 0x34, 0xCA, 0x34, 0xD6, 0x34, 0xE3, 0x34, 0xEA, 0x34, 0x11, 0x35, 0x17, 0x35, 0x20, 0x35, 0x35, 0x35, 0x3D, 0x35, 0x43, 0x35, 0x49, 0x35, 0x4F, 0x35, 0x5F, 0x35, 0x6C, 0x35, 0x74, 0x35, 0x80, 0x35, 0xB5, 0x35, 0xC2, 0x35, 0xCE, 
0x35, 0xDD, 0x35, 0xE6, 0x35, 0xEE, 0x35, 0xF9, 0x35, 0x09, 0x36, 0x10, 0x36, 0x17, 0x36, 0x1D, 0x36, 0x22, 0x36, 0x38, 0x36, 0x3E, 0x36, 0x47, 0x36, 0x4D, 0x36, 0x53, 0x36, 0x5C, 0x36, 0x67, 0x36, 0x71, 0x36, 0x7A, 0x36, 0x80, 0x36, 0x86, 0x36, 0x8C, 0x36, 0x9D, 0x36, 0xAB, 0x36, 0xB1, 0x36, 0xB8, 0x36, 0xC7, 0x36, 0xD4, 0x36, 0xDB, 0x36, 0xE9, 0x36, 0x01, 0x37, 0x17, 0x37, 0x1D, 0x37, 0x29, 0x37, 0x2E, 0x37, 0x39, 0x37, 0x41, 0x37, 0x47, 0x37, 0x4F, 0x37, 0x96, 0x37, 0x9B, 0x37, 0x17, 0x3A, 0xB2, 0x3A, 0xC0, 0x3A, 0xC8, 0x3A, 0xCE, 0x3A, 0xD9, 0x3A, 0xE6, 0x3A, 0xEE, 0x3A, 0xFC, 0x3A, 0x01, 0x3B, 0x06, 0x3B, 0x0B, 0x3B, 0x16, 0x3B, 0x23, 0x3B, 0x2D, 0x3B, 0x42, 0x3B, 0x4E, 0x3B, 0x54, 0x3B, 0x76, 0x3B, 0x88, 0x3B, 0xE4, 0x3B, 0x00, 0x3C, 0x98, 0x3C, 0x00, 0x40, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x3C, 0x34, 0x6C, 0x34, 0x90, 0x34, 0xB0, 0x34 }; 基址重定位表的每个块(IMAGE_BASE_RELOCATION)由三部分组成: 0x00, 0x10, 0x00, 0x00 是 VirtualAddress: 0x00001000 (本块覆盖的 4K 页的 RVA) 0x30, 0x01, 0x00, 0x00 是 SizeOfBlock: 0x00000130 (含 8 字节块头在内的整块长度) (0x130-0x8)/0x2=0x94 就是有148组 0x8C, 0x30 是第一个重定位项:按小端读作 0x308C,高 4 位 3 是类型 IMAGE_REL_BASED_HIGHLOW(修正一个完整 32 位地址),低 12 位 0x08C 是页内偏移,对应 RVA 0x1000+0x8C=0x108C,即上面重定位代码里的 1000108C 同样: 0x00, 0x40, 0x00, 0x00,是 VirtualAddress: 0x00004000 0x10, 0x00, 0x00, 0x00 是 SizeOfBlock: 0x00000010 (0x10-0x8)/0x2=0x4 就是有4组 0x3C, 0x34 是第一个重定位项 0x343C:类型 3 为 HIGHLOW,偏移 0x43C,对应 RVA 0x443C 两块合计 0x130+0x10=0x140=320 字节,正好是 data[320] 的大小 修正pe头 100000E0 8D4F0000 DD 00004F8D ; Relocation Table address = 4F8D (原目录指向壳代码区) 100000E4 08000000 DD 00000008 ; Relocation Table size = 8 (只够一个空块头,等于没有任何重定位项) 改为: 100000E0 00900000 DD 00009000 ; Relocation Table address = 9000 (原文此处注释写的是 8E90,与实际写入的 DD 00009000 不一致;目录值必须和 data[] 真正写入的 RVA 一致,以实际位置为准) 100000E4 40010000 DD 00000140 ; Relocation Table size = 140 (320.) 
*Relocation Table address 可以随便找个空白的地方,因为重定位表的位置可以任意,我就选择和iat 放在一起。但要注意几点:所选位置必须落在某个已有区段的 raw data 范围之内(在 SizeOfRawData 之内,而不只是 VirtualSize 之内),否则写进去的字节不会保存到文件里或不会被加载器映射;数据目录的 Size 要覆盖全部块(这里 0x130+0x10=0x140);并且不能和 IAT、导入表等已有数据重叠。如果想使用reloc段,就要手动增加一个区段,那么 NumberOfSections(段数目)还要加一。改完以后应当让 dll 在非首选基址(例如下面 relox 脚本里用的 01500000)加载一次来验证:漏掉一个修正项在首选基址 10000000 下不会暴露,换了基址才会崩溃或访问到错误地址。 也可用relox帮助还原重定位表,比较简单。 ; Original filename and image base (the separator is a TAB) C:\1500000.dll 01500000 ; Code section indexes (the separator is a TAB) 0 1 ; Syntax for each relocation (the separator is a TAB) ; --------------------------------------------------- ; RVA Type 0000108C 3 00001090 3 0000109C 3 000010A0 3 000010BD 3 000010C3 3 000010EA 3 00001107 3 0000110E 3 00001115 3 0000113D 3 0000116F 3 00001196 3 0000119B 3 000011BE 3 000011DE 3 000011E4 3 000011FD 3 00001226 3 00001277 3 0000128D 3 000012AE 3 000012BD 3 000012C2 3 000012C8 3 000012CF 3 000012D9 3 000012E0 3 000012EA 3 0000131D 3 00001325 3 0000132B 3 00001330 3 0000134D 3 00001363 3 00001375 3 0000137B 3 00001383 3 000013A5 3 000013AD 3 000013B3 3 000013BE 3 000013C9 3 000013CF 3 000013E6 3 000013EC 3 000013F4 3 000013FD 3 0000140B 3 00001411 3 0000141A 3 00001420 3 0000142B 3 00001435 3 0000143E 3 00001447 3 0000144D 3 00001453 3 0000145F 3 00001481 3 0000149A 3 000014A1 3 000014AC 3 000014B3 3 000014BF 3 000014C5 3 000014CA 3 000014D6 3 000014E3 3 000014EA 3 00001511 3 00001517 3 00001520 3 00001535 3 0000153D 3 00001543 3 00001549 3 0000154F 3 0000155F 3 0000156C 3 00001574 3 00001580 3 000015B5 3 000015C2 3 000015CE 3 000015DD 3 000015E6 3 000015EE 3 000015F9 3 00001609 3 00001610 3 00001617 3 0000161D 3 00001622 3 00001638 3 0000163E 3 00001647 3 0000164D 3 00001653 3 0000165C 3 00001667 3 00001671 3 0000167A 3 00001680 3 00001686 3 0000168C 3 0000169D 3 000016AB 3 000016B1 3 000016B8 3 000016C7 3 000016D4 3 000016DB 3 000016E9 3 00001701 3 00001717 3 0000171D 3 00001729 3 0000172E 3 00001739 3 00001741 3 00001747 3 0000174F 3 00001796 3 0000179B 3 00001A17 3 00001AB2 3 00001AC0 3 00001AC8 3 00001ACE 3 00001AD9 3 00001AE6 3 00001AEE 3 00001AFC 3 00001B01 3 00001B06 3 00001B0B 3 00001B16 3 00001B23 3 00001B2D 3 00001B42 3 00001B4E 3 00001B54 3 00001B76 3 00001B88 3 00001BE4 3 00001C00 3 
00001C98 3 0000443C 3 0000446C 3 00004490 3 000044B0 3 自动修复基址重定位表。 -------------------------------------------------------------------------------- 【破解总结】 搞定dll的同时,温习基址重定位表知识。 -------------------------------------------------------------------------------- 【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢! 2005-8-30 |