T-GOU Studio

Manually unpacking PEncrypt 4.0

Source: unknown   Author: admin   Date: 2010-12-26 09:48


1. PEiD identifies the packer as PEncrypt 4.0 Gamma / 4.0 Phi -> junkcode
  2. Find the OEP. Load the file in OllyDbg with all exceptions ignored (Options > Debugging options > Exceptions); it stops here:
  00401000 >  66:83F3 00      XOR BX,0                                 ; OllyDbg stops here after loading; single-step with F7
  00401004    FC              CLD
  00401005    FC              CLD
  00401006    90              NOP
  00401007    FC              CLD
  00401008    BD F8DE4500     MOV EBP,game0.0045DEF8
  0040100D    FFE5            JMP EBP
  0040100F    43              INC EBX
  00401010    0C A2           OR AL,0A2
  00401012    A2 3AC271A3     MOV BYTE PTR DS:[A371C23A],AL
 
  .....
  0045DFF0    FC              CLD
  0045DFF1    85DB            TEST EBX,EBX
  0045DFF3  ^\0F85 9CFFFFFF   JNZ game0.0045DF95                       ; spins here until EBX hits zero; select the PUSHAD below and press F4 to run to it
  0045DFF9    60              PUSHAD                                   ; F4 brings you here; keep stepping with F7
  0045DFFA    BE 00104000     MOV ESI,game0.<ModuleEntryPoint>
  0045DFFF    B8 FA69A33A     MOV EAX,3AA369FA
  0045E004    8906            MOV DWORD PTR DS:[ESI],EAX
  0045E006    B8 B455A33A     MOV EAX,3AA355B4
  0045E00B    8946 04         MOV DWORD PTR DS:[ESI+4],EAX
  0045E00E    B8 EEB2AD3A     MOV EAX,3AADB2EE
  0045E013    8946 08         MOV DWORD PTR DS:[ESI+8],EAX
  0045E016    B8 A05DA23A     MOV EAX,3AA25DA0
  0045E01B    8946 0C         MOV DWORD PTR DS:[ESI+C],EAX
  0045E01E    B8 0CA2A23A     MOV EAX,3AA2A20C
  0045E023    8946 10         MOV DWORD PTR DS:[ESI+10],EAX
  0045E026    B8 C271A33A     MOV EAX,3AA371C2
  0045E02B    8946 14         MOV DWORD PTR DS:[ESI+14],EAX
  0045E02E    B8 DEB2AD3A     MOV EAX,3AADB2DE
  0045E033    8946 18         MOV DWORD PTR DS:[ESI+18],EAX
  0045E036    61              POPAD
  0045E037    EB 02           JMP SHORT game0.0045E03B                 ; jumps into the middle of the next "instruction"
  0045E039    FB              STI                                      ; junk bytes: 0045E03B decodes as PUSHAD (60) and 0045E03C as PUSHFD (9C),
  0045E03A    DA60 9C         FISUB DWORD PTR DS:[EAX-64]              ; which pair with the POPFD/POPAD after the loop below
  0045E03D    BE 00104000     MOV ESI,game0.<ModuleEntryPoint>         ; source = destination = 00401000, decryption is in place
  0045E042    8BFE            MOV EDI,ESI
  0045E044    B9 00040100     MOV ECX,10400                            ; 0x10400 dwords = 0x41000 bytes, 00401000..00442000 (OllyDbg's UNICODE "EXE;.BAT;.CMD;..." comment is a false positive: 10400 is a count, not a pointer)
  0045E049    BB ACF9EA49     MOV EBX,49EAF9AC                         ; XOR key
  0045E04E    AD              LODS DWORD PTR DS:[ESI]
  0045E04F    33C3            XOR EAX,EBX
  0045E051    AB              STOS DWORD PTR ES:[EDI]
  0045E052  ^ E2 FA           LOOPD SHORT game0.0045E04E               ; decryption loop: every dword XORed with 49EAF9AC
  0045E054    9D              POPFD                                    ; select this line and press F4 to run past the loop
  0045E055    61              POPAD
  0045E056    EB 02           JMP SHORT game0.0045E05A                 ; same junk pattern: 0045E05A is PUSHAD, 0045E05B is PUSHFD
  0045E058    FB              STI
  0045E059    DA60 9C         FISUB DWORD PTR DS:[EAX-64]
  0045E05C    BE 00204400     MOV ESI,game0.00442000
  0045E061    8BFE            MOV EDI,ESI
  0045E063    B9 00040000     MOV ECX,400
  0045E068    BB ACF9EA49     MOV EBX,49EAF9AC
  0045E06D    AD              LODS DWORD PTR DS:[ESI]
  0045E06E    33C3            XOR EAX,EBX
  0045E070    AB              STOS DWORD PTR ES:[EDI]
  0045E071  ^ E2 FA           LOOPD SHORT game0.0045E06D               ; second loop: 0x400 dwords, 00442000..00443000, same key
  0045E073    9D              POPFD                                    ; F4 here to run past it
  0045E074    61              POPAD
  0045E075    BA C37A4400     MOV EDX,game0.00447AC3                   ; note this one: Ctrl+G to 00447AC3 and have a look
  0045E07A    FFD2            CALL EDX
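The two LODSD / XOR EAX,EBX / STOSD / LOOPD loops above are a plain XOR of every dword with the constant 49EAF9AC: first 0x10400 dwords from 00401000, which ends exactly at 00442000, then 0x400 dwords from 00442000. Before the first loop the stub writes seven dwords back over its own entry bytes at 00401000, so the real encrypted text under the entry stub gets decrypted too. The Python below is an added example, not code from the page or from the packer, that replays that first layer statically on a dump so the decrypted bytes can be inspected without running the stub. It assumes an image base of 00400000, a dump laid out like the process image (offset = VA minus base, as a LordPE dump with corrected section sizes is), and a constructed zero-filled sample image standing in for a real dump. What the seven decrypted dwords at 00401000 mean to the import-resolution code that runs later is not shown on the page.

```python
# Added example (not the page's or the packer's code): static re-implementation of
# the PEncrypt 4.0 first-layer routine disassembled above, run on a dump instead of
# by the stub. Image base and the sample image are assumptions for the example.
import struct

IMAGE_BASE = 0x400000            # game0's base, per the addresses in the listing (assumed)
XOR_KEY = 0x49EAF9AC             # MOV EBX,49EAF9AC before both loops

# The seven dwords the stub writes over its own entry bytes at 0x401000
# (MOV EAX,imm32 / MOV [ESI+n],EAX at 0045DFFF..0045E033) before decrypting.
STUB_RESTORE = [0x3AA369FA, 0x3AA355B4, 0x3AADB2EE, 0x3AA25DA0,
                0x3AA2A20C, 0x3AA371C2, 0x3AADB2DE]

# (start VA, dword count) of the two LODSD / XOR EAX,EBX / STOSD / LOOPD passes.
# 0x10400 dwords from 0x401000 end exactly at 0x442000, where the second pass starts.
XOR_PASSES = [(0x401000, 0x10400), (0x442000, 0x400)]


def xor_dwords(image, va, count, key, base=IMAGE_BASE):
    """Emulate one LODSD/XOR/STOSD/LOOPD loop in place on a bytearray laid out
    like the process image (offset = VA - base). XOR is its own inverse, so the
    same call both encrypts and decrypts. Returns the same bytearray."""
    off = va - base
    if off < 0 or off + 4 * count > len(image):
        raise ValueError("pass at %#x with %#x dwords falls outside the image" % (va, count))
    fmt = "<%dI" % count
    words = struct.unpack_from(fmt, image, off)
    struct.pack_into(fmt, image, off, *(w ^ key for w in words))
    return image


def decrypt_layer1(image, base=IMAGE_BASE):
    """Restore the entry-stub bytes, then run both XOR passes; returns new bytes."""
    image = bytearray(image)
    struct.pack_into("<7I", image, 0x401000 - base, *STUB_RESTORE)
    for va, count in XOR_PASSES:
        xor_dwords(image, va, count, XOR_KEY, base)
    return bytes(image)


def dword_at(image, va, base=IMAGE_BASE):
    """Little-endian dword at a virtual address of an image laid out as above."""
    return struct.unpack_from("<I", image, va - base)[0]


# Constructed sample image (not a real dump): 0x43000 bytes covering
# 0x400000..0x443000, zero-filled, with the entry-stub bytes from the listing
# at 0x401000 so the restore step has something to overwrite.
ENTRY_STUB = bytes.fromhex("6683F300FCFC90FCBDF8DE4500FFE5")   # XOR BX,0 ... JMP EBP


def sample_image():
    img = bytearray(0x43000)
    img[0x1000:0x1000 + len(ENTRY_STUB)] = ENTRY_STUB
    return bytes(img)


def decrypted_stub_dwords(image=None):
    """The seven dwords at 0x401000 after the first layer. These are what the
    stub's later code sees; the MSVBVM60 pointers that end up there at the OEP
    are written by the import-resolution code, which this example does not cover."""
    out = decrypt_layer1(sample_image() if image is None else image)
    return list(struct.unpack_from("<7I", out, 0x1000))


if __name__ == "__main__":
    for va, w in zip(range(0x401000, 0x40101C, 4), decrypted_stub_dwords()):
        print("%08X  %08X" % (va, w))
```

On a real dump, pass the file's bytes to decrypt_layer1 and write the result back out; only the regions the stub itself touches (00401000..00443000) change, so a diff of the two files shows exactly what this layer covered.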
 
 
  Ctrl+G to 00447AC3:
  00447AC3    55              PUSH EBP                                 ; F4 to here, then keep stepping with F7
  00447AC4    8BEC            MOV EBP,ESP
  00447AC6    81EC B8000000   SUB ESP,0B8
  00447ACC    53              PUSH EBX
  00447ACD    56              PUSH ESI
  00447ACE    57              PUSH EDI
  00447ACF    56              PUSH ESI
  00447AD0    57              PUSH EDI
  00447AD1    52              PUSH EDX
  00447AD2    51              PUSH ECX
  00447AD3    53              PUSH EBX
  00447AD4    50              PUSH EAX
  00447AD5    833D 58AC4500 0>CMP DWORD PTR DS:[45AC58],0
  00447ADC    0F85 99100000   JNZ game0.00448B7B                       ; this is the jump toward the OEP; a pile of junk code follows, so Ctrl+G straight to 00448B7B (don't force this jump: the fall-through path is what fills the IAT, skip it and there is no import table to find)
  .....
  00448B7D    59              POP ECX
  00448B7E    5A              POP EDX
  00448B7F    5F              POP EDI
  00448B80    5E              POP ESI
  00448B81    C9              LEAVE
  00448B82  - FF25 18A04500   JMP DWORD PTR DS:[45A018]                ; suspicious: an indirect jump through a pointer, this is the jump to the OEP; F4 here, then F8 once
 
 
  And here is the OEP, the usual VB6 entry (push the VB header pointer, call ThunRTMain):
  0040188C    68 E81B4000     PUSH game0.00401BE8                      ; OEP
  00401891    E8 EEFFFFFF     CALL game0.00401884                      ; JMP to MSVBVM60.ThunRTMain
  00401896    0000            ADD BYTE PTR DS:[EAX],AL
  00401898    0000            ADD BYTE PTR DS:[EAX],AL
  0040189A    0000            ADD BYTE PTR DS:[EAX],AL
 
  3. Fix the IAT
  In fact, at the OEP you could simply right-click and dump with OllyDump, unchecking "Rebuild Import" in the dump dialog, but such a dump apparently doesn't run on other systems: its IAT holds the MSVBVM60 addresses resolved on this machine (the 66xxxxxx values below), and with no import table the loader never re-resolves them. So we repair it with ImpREC.
  At the OEP, use LordPE (correct the ImageSize, then full dump) to write DUMP.EXE. In ImpREC, attach to the process, enter OEP=188C and click "IAT AutoSearch": nothing happens, so the IAT has to be found by hand.

  F7 into the CALL at 00401891 (it lands on the JMP through the IAT slot), right-click and "Follow in Dump" on the memory address; in the dump window below, right-click and choose Long > Address, and the IAT is visible:
  00401000 >6610782A  MSVBVM60.__vbaVarSub
  00401004  66109881  MSVBVM60.__vbaVarTstGt
  00401008  660DF9B9  MSVBVM60.__vbaStrI2
  0040100C  660F8806  MSVBVM60._CIcos
  00401010  660EFE79  MSVBVM60._adj_fptan
  00401014  66106B2E  MSVBVM60.__vbaVarMove
  00401018  660DF9E9  MSVBVM60.__vbaStrI4
  ...
 
  004011C0  66109868  MSVBVM60.__vbaVarTstGe
  004011C4  660E8C60  MSVBVM60.__vbaR8IntI2
  004011C8  660E6271  MSVBVM60.rtcLeftCharVar
  004011CC  660F8740  MSVBVM60._CIatan
  004011D0  660E60F4  MSVBVM60.__vbaStrMove
  004011D4  660EE36D  MSVBVM60._allmul
  004011D8  66108B84  MSVBVM60.__vbaLateIdSt
  004011DC  660F8AC4  MSVBVM60._CItan
  004011E0  660E8C8E  MSVBVM60.__vbaFPInt
  004011E4  6610943A  MSVBVM60.__vbaVarForNext
  004011E8  660ED191  MSVBVM60._CIexp
  004011EC  660DFAC5  MSVBVM60.__vbaStrCy
  004011F0  660D9A27  MSVBVM60.__vbaFreeObj
  004011F4  660E60B0  MSVBVM60.__vbaFreeStr
  004011F8  660D2DD4  MSVBVM60.rtcR8ValFromBstr
  004011FC  00000000
 
  So the table runs from RVA 1000 to the zero dword at 11FC: RVA=1000, size=1FC. Enter RVA=1000 and size=1FC in ImpREC and click "Get Imports"; every pointer is valid, so nothing needs fixing. Enter OEP=0000188C, click "Fix Dump", and the fixed dump runs normally.
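Reading the table by hand, as done above, amounts to finding the longest run of consecutive dwords that point into a loaded module and stopping at the zero dword that ends it; the size ImpREC wants is the run's length in bytes, here 4011FC - 401000 = 1FC. The Python below is an added example, not code from the page or from ImpREC, that applies that rule to a dump. The MSVBVM60 address range and the 127-entry sample table are constructed for the example (the pointers in the listing lie around 660Dxxxx..6610xxxx, but the real range comes from OllyDbg's Executable modules window); a stray single pointer is included to show why run length, not the first hit, decides.

```python
# Added example (not the page's or ImpREC's code): locate the IAT in a dump by
# the criterion used by hand above, a contiguous run of dwords pointing into a
# loaded module, ended by a zero dword, and report the RVA and size ImpREC asks for.
import struct


def pointer_runs(image, modules):
    """Yield (rva, n_entries) for every maximal run of consecutive dwords whose
    values fall inside one of the (lo, hi) module ranges. Dwords are scanned on
    4-byte alignment, as the IAT is always dword-aligned."""
    n = len(image) // 4
    words = struct.unpack_from("<%dI" % n, image, 0)

    def is_ptr(w):
        return any(lo <= w < hi for lo, hi in modules)

    i = 0
    while i < n:
        if is_ptr(words[i]):
            j = i + 1
            while j < n and is_ptr(words[j]):
                j += 1
            yield i * 4, j - i
            i = j
        else:
            i += 1


def find_iat(image, modules, min_entries=8):
    """Return (rva, size_in_bytes) of the longest pointer run, or None if no run
    has at least min_entries entries. The size excludes the terminating zero
    dword, which is what ImpREC expects in its Size field."""
    best = max(pointer_runs(image, modules), key=lambda r: r[1], default=(0, 0))
    if best[1] < min_entries:
        return None
    return best[0], best[1] * 4


# Assumed module range standing in for MSVBVM60 loaded around 0x66000000; the
# page's pointers are around 0x660Dxxxx..0x6610xxxx but the real base and size
# must be read from the debugger on the machine the dump was taken on.
MSVBVM60_RANGE = (0x66000000, 0x66150000)


def sample_dump():
    """Constructed 0x2000-byte image (not a real dump): a 127-entry table at
    RVA 0x1000 (0x1FC bytes) ended by a zero dword, plus one stray pointer at
    RVA 0x800 that must not be mistaken for the table."""
    img = bytearray(0x2000)
    struct.pack_into("<I", img, 0x800, 0x660E60F4)
    for k in range(127):
        struct.pack_into("<I", img, 0x1000 + 4 * k, 0x660D2DD4 + 0x10 * k)
    return bytes(img)          # everything after the table is already zero


if __name__ == "__main__":
    rva, size = find_iat(sample_dump(), [MSVBVM60_RANGE])
    print("IAT RVA=%X Size=%X" % (rva, size))
```

A multi-DLL IAT has one zero dword between each DLL's block, so for such a target the runs separated by a single zero should be merged before taking the longest; the VB6 table here is a single MSVBVM60 block, so no merging is needed.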
 
  //PEncrypt 4.0 OEP finder by langxang
//ODbgScript for OllyDbg. It applies the "ESP trick" three times: the stub brackets
//each stage with PUSHAD/PUSHFD ... POPFD/POPAD (see the listing above), so an access
//breakpoint on the stack slot ESP points at fires at the matching POP.

var addr1                       // ESP inside the first XOR loop's frame
var addr2                       // ESP inside the second XOR loop's frame
var addr3                       // ESP inside the 00447AC3 call frame
findop eip,#60#                 // first 60 (PUSHAD) byte forward from the entry point
bphws $RESULT, "r"              // access breakpoint there (try "x" if it never breaks)
run                             // stops once the stub touches that address, inside the first loop's frame
bphwc $RESULT
sto                             // three steps over, staying in the first loop
sto
sto
mov addr1,esp
bphws addr1,"r"                 // fires at the POPFD/POPAD that close the first loop
run
bphwc addr1                     // clear the breakpoint that was set on addr1
sto                             // POPAD, JMP, PUSHAD, PUSHFD of the second loop
sto
sto
sto
mov addr2,esp
bphws addr2,"r"                 // fires at the POPFD/POPAD that close the second loop
run
BPHWC addr2
sto                             // POPAD
sto                             // MOV EDX,00447AC3
sti                             // step INTO CALL EDX
sto                             // PUSH EBP; ESP now points at the saved EBP
mov addr3,esp
bphws addr3,"r"                 // fires when LEAVE at 00448B81 reads the saved EBP
run
sto                             // execute JMP DWORD PTR [45A018]
BPHWC addr3
cmt eip, "This is OEP,enjoy it!" // EIP = 0040188C
ret
 

