应用平台: Win95/98/NT/2000/XP
破解工具:ollydbg 1.09汉化版、peid8cn、Hex Workshop 4.0、peditor、Lordpe工作平台WINXP(98死得惨)
破解方法:学习如何脱壳
脱壳过程:
一、查壳找入口点,用peid8cn打开主程序,结果是telock0.98,入口点:5a172c(关键入口点用PEID8CN右下下拉菜单中的OEP查找搞定)
二、用OLLYDBG载入主程序,第一对话框点确定,第二对话框点否,来到这儿
0064FBD6 >^E9 25E4FFFF JMP cookbook.0064E000
0064FBDB 0000 ADD BYTE PTR DS:[EAX],AL
0064FBDD 003E ADD BYTE PTR DS:[ESI],BH
0064FBDF 4F DEC EDI
0064FBE0 BB B71EFC24 MOV EBX,24FC1EB7
0064FBE5 0000 ADD BYTE PTR DS:[EAX],AL
0064FBE7 0000 ADD BYTE PTR DS:[EAX],AL
0064FBE9 0000 ADD BYTE PTR DS:[EAX],AL
0064FBEB 0000 ADD BYTE PTR DS:[EAX],AL
0064FBED 003E ADD BYTE PTR DS:[ESI],BH
0064FBEF FC CLD
0064FBF0 24 00 AND AL,0
0064FBF2 2E:FC CLD ; Superfluous prefix
0064FBF4 24 00 AND AL,0
0064FBF6 26:FC CLD ; Superfluous prefix
0064FBF8 24 00 AND AL,0
0064FBFA 0000 ADD BYTE PTR DS:[EAX],AL
0064FBFC 0000 ADD BYTE PTR DS:[EAX],AL
0064FBFE 0000 ADD BYTE PTR DS:[EAX],AL
0064FC00 0000 ADD BYTE PTR DS:[EAX],AL
0064FC02 4B DEC EBX
0064FC03 FC CLD
0064FC04 24 00 AND AL,0
0064FC06 36:FC CLD ; Superfluous prefix
0064FC08 24 00 AND AL,0
0064FC0A 0000 ADD BYTE PTR DS:[EAX],AL
0064FC0C 0000 ADD BYTE PTR DS:[EAX],AL
F9运行,SHIFT+F9进行到这时停下
0064EBA6 CD 68 INT 68 //记住此处一定不要过了,否则不好玩
0064EBA8 66:05 7B0C ADD AX,0C7B
0064EBAC 66:48 DEC AX
0064EBAE 74 55 JE SHORT cookbook.0064EC05
0064EBB0 8D85 450B0000 LEA EAX,DWORD PTR SS:[EBP+B45]
0064EBB6 894424 04 MOV DWORD PTR SS:[ESP+4],EAX
0064EBBA 64:67:8926 0000 MOV DWORD PTR FS:[0],ESP
0064EBC0 EB 1F JMP SHORT cookbook.0064EBE1
0064EBC2 CD20 8B642408 VxDCall 824648B
0064EBC8 8B6C24 08 MOV EBP,DWORD PTR SS:[ESP+8]
0064EBCC 8D85 7A0B0000 LEA EAX,DWORD PTR SS:[EBP+B7A]
0064EBD2 50 PUSH EAX
0064EBD3 EB 01 JMP SHORT cookbook.0064EBD6
0064EBD5 E8 81AD591C CALL 1CBE995B
0064EBDA 0000 ADD BYTE PTR DS:[EAX],AL
0064EBDC 88B465 CCC3EB01 MOV BYTE PTR SS:[EBP+1EBC3CC],DH
0064EBE3 EB 33 JMP SHORT cookbook.0064EC18
0064EBE5 DB ??? ; Unknown command
0064EBE6 8BC3 MOV EAX,EBX
0064EBE8 66:BE 4746 MOV SI,4647
0064EBEC 66:BF 4D4A MOV DI,4A4D
0064EBF0 CC INT3
0064EBF1 90 NOP
0064EBF2 66:81FE 4746 CMP SI,4647
0064EBF7 75 0C JNZ SHORT cookbook.0064EC05
0064EBF9 64:67:8F06 0000 POP DWORD PTR FS:[0]
0064EBFF 83C4 04 ADD ESP,4
按CTRL+F查找TEST ESI,ESI到这儿(我们要找的可不是这儿)
0064F17D 85F6 TEST ESI,ESI
0064F17F 0F84 8B000000 JE cookbook.0064F210
0064F185 8B95 62D34000 MOV EDX,DWORD PTR SS:[EBP+40D362]
0064F18B 03F2 ADD ESI,EDX
0064F18D 2B95 66D34000 SUB EDX,DWORD PTR SS:[EBP+40D366]
0064F193 74 7B JE SHORT cookbook.0064F210
0064F195 8BDA MOV EBX,EDX
0064F197 C1EB 10 SHR EBX,10
0064F19A 8B06 MOV EAX,DWORD PTR DS:[ESI]
0064F19C 85C0 TEST EAX,EAX
0064F19E 74 70 JE SHORT cookbook.0064F210
0064F1A0 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
0064F1A3 83E9 08 SUB ECX,8
0064F1A6 D1E9 SHR ECX,1
0064F1A8 8BBD 62D34000 MOV EDI,DWORD PTR SS:[EBP+40D362]
0064F1AE 03F8 ADD EDI,EAX
0064F1B0 83C6 08 ADD ESI,8
0064F1B3 0FB706 MOVZX EAX,WORD PTR DS:[ESI]
0064F1B6 C1C8 0C ROR EAX,0C
0064F1B9 FEC8 DEC AL
0064F1BB 78 4C JS SHORT cookbook.0064F209
0064F1BD 74 0E JE SHORT cookbook.0064F1CD
0064F1BF FEC8 DEC AL
0064F1C1 74 13 JE SHORT cookbook.0064F1D6
0064F1C3 FEC8 DEC AL
0064F1C5 74 3C JE SHORT cookbook.0064F203
0064F1C7 FEC8 DEC AL
再来一次CRTL+L到此
0064F21C 85F6 TEST ESI,ESI //关键部位到了F2设断切记,目的是DUM出完好的输入表
0064F21E 0F84 06040000 JE cookbook.0064F62A
0064F224 03F2 ADD ESI,EDX
0064F226 83A5 52D44000 00 AND DWORD PTR SS:[EBP+40D452],0
0064F22D 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
0064F230 8366 0C 00 AND DWORD PTR DS:[ESI+C],0 //telock加壳死穴,亦可查找此关键点
0064F234 85C0 TEST EAX,EAX
0064F236 0F84 EE030000 JE cookbook.0064F62A
0064F23C 03C2 ADD EAX,EDX
0064F23E 8BD8 MOV EBX,EAX
0064F240 50 PUSH EAX
0064F241 FF95 D0D24000 CALL DWORD PTR SS:[EBP+40D2D0]
0064F247 85C0 TEST EAX,EAX
0064F249 0F85 BA000000 JNZ cookbook.0064F309
0064F24F 53 PUSH EBX
0064F250 FF95 E4BA4000 CALL DWORD PTR SS:[EBP+40BAE4]
0064F256 85C0 TEST EAX,EAX
0064F258 0F85 AB000000 JNZ cookbook.0064F309
0064F25E 8B95 62D34000 MOV EDX,DWORD PTR SS:[EBP+40D362]
0064F264 0195 2AD34000 ADD DWORD PTR SS:[EBP+40D32A],EDX
0064F26A 0195 36D34000 ADD DWORD PTR SS:[EBP+40D336],EDX
0064F270 6A 30 PUSH 30
0064F272 53 PUSH EBX
0064F273 FFB5 36D34000 PUSH DWORD PTR SS:[EBP+40D336]
0064F279 EB 53 JMP SHORT cookbook.0064F2CE
0064F27B 8B95 62D34000 MOV EDX,DWORD PTR SS:[EBP+40D362]
0064F281 0195 2AD34000 ADD DWORD PTR SS:[EBP+40D32A],EDX
按SHIFT+F9运行到此处,查看ESI的值为001AA000
然后在OLLYDBG左下角下命令D 005AA000(001AA000+400000)然后向下查找后面全部为00的地方来到5AD0F0
用系统自带计算器计算5AD0F0-5AA000=30F0,为什么到这呢,而不是其它地方,向下太多会出错,向上也会出错,不能太多,也不能太少哦
起动LordPe先主程序进程。点右键选部份脱壳,填上005AA000-------000030F0脱出输入表30F0.DMP备用,退出LORDPE,切换到OLLYDBG,F2取消断点,按SHIFT+F9继续到这
0064F6F1 8DC0 LEA EAX,EAX ; Illegal use of register
0064F6F3 EB 01 JMP SHORT cookbook.0064F6F6
0064F6F5 EB 68 JMP SHORT cookbook.0064F75F
0064F6F7 33C0 XOR EAX,EAX
0064F6F9 -EB FE JMP SHORT cookbook.0064F6F9
0064F6FB FFE4 JMP ESP
0064F6FD CD20 8B642408 VxDCall 824648B
0064F703 33C0 XOR EAX,EAX
0064F705 FF6424 08 JMP DWORD PTR SS:[ESP+8]
0064F709 -E9 58508304 JMP 04E84766
0064F70E 24 37 AND AL,37
0064F710 FFE0 JMP EAX
0064F712 CD20 648F0058 VxDCall 58008F64
0064F718 EB 02 JMP SHORT cookbook.0064F71C
0064F71A -E9 01585DEB JMP EBC24F20
0064F71F 01B8 E8780000 ADD DWORD PTR DS:[EAX+78E8],EDI
0064F725 008F 5C55DB03 ADD BYTE PTR DS:[EDI+3DB555C],CL
0064F72B 9E SAHF
0064F72C 79 22 JNS SHORT cookbook.0064F750
0064F72E 9A 26E92B6E 913F CALL FAR 3F91:6E2BE926 ; Far call
0064F735 26:A0 1342047E MOV AL,BYTE PTR ES:[7E044213]
0064F73B 40 INC EAX
0064F73C 0B03 OR EAX,DWORD PTR DS:[EBX]
0064F73E 2208 AND CL,BYTE PTR DS:[EAX]
0064F740 BC 923FBB1B MOV ESP,1BBB3F92
0064F745 D223 SHL BYTE PTR DS:[EBX],CL
0064F747 5C POP ESP
在左下角命令框下BP 5A172C(入口点哦)按SHIFT+F9运行到入口处,再次起动LORDPE选主程序点右键选完全脱壳脱出文件UNPACKED.EXE,退出OLLYDBG,
三、置入输入表
起动HEX WORKSHOP程序分别打开刚脱出的两个文件,在30F0文件按CRTL+A COPY,然后选打开的UNPACKED文件按CRTL+G填001AA000,在HEX WORKSHOP编辑菜单下选中选择块填入1AD0F0,然后粘贴保存退出
四、修正入口点和输入表位置
起动揫PEDITOR,载入文件UNPACKED.EXE将入口改为001A172C,输入表位置改为001AA000,点重建输入表
五、试运行文件,一切正常,OK收活路,其它你想搞什么你自己玩去,886
推荐文章
热点文章
相关文章
百度搜索
应用olldbg脱telock加壳之菜鸟篇
- 阅览次数:
- 文章来源: CodePub整理
- 原文作者: 不详
- 整理日期: 2006-10-05
- 发表评论
下一篇:构建支持Master/Slave读写分离的数据库操作类