Tools used: OllyDBG, LordPE, ImportREC, PEiD
Unpacking platform: WinXP SP2
Target: Bigman's Crackme6 (from the 看雪 2007 highlights collection)
File size: 7K
Packer (PEiD): ASPack 2.x (without poly) -> Alexey Solodovnikov [Overlay]
Although there are plenty of automatic unpackers these days, I am a beginner and wanted to exercise my manual skills a bit, so I am writing up my unpacking process to share with everyone; please correct me where I am wrong.
Load the program in OD:
00405001 > E8 03000000 call crackme6.00405009 ; stops here right after loading; press F7 to step into the call
00405007 /EB 04 jmp short crackme6.0040500D
00405009 |5D pop ebp
0040500A |45 inc ebp
0040500B |55 push ebp
0040500C |C3 retn
0040500D \90 nop
0040500E E8 01000000 call crackme6.00405014 ; F7 to step into
..........
00405014 5D pop ebp ; from here on single-step with F8; whenever you reach a backward jump (a loop), select the instruction after it and press F4 (run until selection) to skip the loop
00405015 BB EDFFFFFF mov ebx, -13
0040501A 03DD add ebx, ebp
0040501C 81EB 00500000 sub ebx, 5000
00405022 83BD 22040000 0>cmp dword ptr [ebp+422], 0
00405029 899D 22040000 mov dword ptr [ebp+422], ebx
0040502F 0F85 65030000 jnz crackme6.0040539A
00405035 8D85 2E040000 lea eax, dword ptr [ebp+42E]
0040503B 50 push eax
0040503C FF95 4D0F0000 call near dword ptr [ebp+F4D]
00405042 8985 26040000 mov dword ptr [ebp+426], eax
00405048 8BF8 mov edi, eax
0040504A 8D5D 5E lea ebx, dword ptr [ebp+5E]
..........
0040513A 3C E9 cmp al, 0E9
0040513C 74 04 je short crackme6.00405142
0040513E 43 inc ebx
0040513F 49 dec ecx
00405140 ^ EB EB jmp short crackme6.0040512D
00405142 8B06 mov eax, dword ptr [esi] ; F4 here to get past the backward jump
00405144 EB 00 jmp short crackme6.00405146
00405146 803E 00 cmp byte ptr [esi], 0
00405149 ^ 75 F3 jnz short crackme6.0040513E
0040514B 24 00 and al, 0
0040514D C1C0 18 rol eax, 18
00405150 2BC3 sub eax, ebx
00405152 8906 mov dword ptr [esi], eax
00405154 83C3 05 add ebx, 5
00405157 83C6 04 add esi, 4
0040515A 83E9 05 sub ecx, 5
0040515D ^ EB CE jmp short crackme6.0040512D
0040515F 5B pop ebx ; F4 here to get past the backward jump
00405160 5E pop esi
00405161 59 pop ecx
.............
0040519D 83C6 08 add esi, 8
004051A0 833E 00 cmp dword ptr [esi], 0
004051A3 ^ 0F85 1EFFFFFF jnz crackme6.004050C7
004051A9 68 00800000 push 8000 ; F4 here to get past the backward jump
004051AE 6A 00 push 0
.............
00405376 8907 mov dword ptr [edi], eax
00405378 8385 49050000 0>add dword ptr [ebp+549], 4
0040537F ^ E9 32FFFFFF jmp crackme6.004052B6
00405384 8906 mov dword ptr [esi], eax ; F4 here to get past the backward jump
00405386 8946 0C mov dword ptr [esi+C], eax
00405389 8946 10 mov dword ptr [esi+10], eax
0040538C 83C6 14 add esi, 14
0040538F 8B95 22040000 mov edx, dword ptr [ebp+422]
00405395 ^ E9 EBFEFFFF jmp crackme6.00405285
0040539A B8 CB110000 mov eax, 11CB ; F4 here to get past the backward jump; 11CB is the OEP's RVA, which gets added to the image base stored at [ebp+422]
0040539F 50 push eax
004053A0 0385 22040000 add eax, dword ptr [ebp+422]
004053A6 59 pop ecx
004053A7 0BC9 or ecx, ecx
004053A9 8985 A8030000 mov dword ptr [ebp+3A8], eax
004053AF 61 popad ; the key instruction, heh: the classic ASPack tail restores the registers the stub saved at its entry, and what follows transfers control to the original program
004053B0 75 08 jnz short crackme6.004053BA ; taken: ecx was loaded with 11CB above, so "or ecx, ecx" cleared ZF, and popad does not touch the flags
004053B2 B8 01000000 mov eax, 1
004053B7 C2 0C00 retn 0C
004053BA 68 CB114000 push crackme6.004011CB ; so the entry point is 004011CB
004053BF C3 retn ; F8 once more and the retn lands you on the entry point
.........
004011CB . 64:A1 0100000>mov eax, dword ptr fs:[1] ; the program's real entry point (OEP); stop here and dump
004011D1 /. 55 push ebp
004011D2 |. 89E5 mov ebp, esp
004011D4 |. 6A FF push -1
004011D6 |. 68 1C204000 push crackme6.0040201C
004011DB |. 68 9A104000 push crackme6.0040109A
004011E0 |. 50 push eax
Now dump the process with LordPE; everyone knows this step, hehe.
After dumping, repair the import table with Import REC: enter 11CB in the OEP field, click AutoSearch, then Get Imports. Only 6 imported functions are found, which is clearly wrong, so the import table has to be located by hand. The automatically found IAT RVA is 03138; adding the image base 400000 gives 403138. Go to address 403138 in OD's data window and scroll upwards: sure enough there is more data. The IAT starts at 4030A4 and ends at 4032BE, a size of 21A (4032BE - 4030A4 = 21A). So enter 30A4 in Import REC's IAT RVA field and 21A in the Size field, click Get Imports again, and now many imported functions are found. A few of them are still invalid, which does not matter: click Show Invalid, Cut the invalid entries, then Fix Dump your dumped file. That is all; the unpacked program runs normally.
There is of course a simpler way to find this packer's entry point: in OD, ignore all exceptions, tick "Trace real entry bytewise" in the SFX options, then load the program; after a moment it stops at the real entry point.
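The manual stepping above ends at the same byte sequence every ASPack 2.x stub finishes with: popad / jnz +8 / mov eax,1 / retn 0C / push OEP / retn, where the four bytes after 68 are the OEP the final retn jumps to. As an added example that is not part of the original post, the Python below scans a byte buffer for that tail and decodes the pushed OEP, and it also computes the IAT RVA and Size fields for Import REC from the start and end VAs read off OD's data window. The sample buffer is constructed from the listing on this page (the tail at 004053AF plus filler bytes); the image base 0x400000 is taken from the post. Feed it a dumped section instead of the sample to use it on a real file.

```python
import struct

# Image base of the crackme, as used in the post (403138 = 400000 + 3138).
IMAGE_BASE = 0x400000

# Constructed sample buffer: the ASPack 2.x tail exactly as OllyDbg shows it
# at 004053AF, with a preceding instruction and some padding so the scanner
# actually has to search for it.
ASPACK_TAIL_SAMPLE = bytes.fromhex(
    "8985a8030000"   # mov dword ptr [ebp+3A8], eax   (instruction before the tail)
    "61"             # popad
    "7508"           # jnz short +8
    "b801000000"     # mov eax, 1
    "c20c00"         # retn 0C
    "68cb114000"     # push 004011CB                  (the OEP, little-endian)
    "c3"             # retn
    "0000"           # padding
)

# Bytes of the tail up to and including the push opcode; the 4-byte immediate
# after it varies per target, and the sequence must end with retn (C3).
ASPACK_TAIL_PREFIX = b"\x61\x75\x08\xb8\x01\x00\x00\x00\xc2\x0c\x00\x68"


def find_aspack_oep(data, image_base=IMAGE_BASE):
    """Locate the ASPack tail in `data` and decode the OEP it pushes.

    Returns (offset_of_popad, oep_va, oep_rva), or None when the signature
    61 75 08 B8 01000000 C2 0C00 68 ???????? C3 does not occur.
    """
    pos = data.find(ASPACK_TAIL_PREFIX)
    while pos != -1:
        imm = pos + len(ASPACK_TAIL_PREFIX)
        # Require the trailing retn so a chance prefix match is not accepted.
        if len(data) >= imm + 5 and data[imm + 4] == 0xC3:
            oep_va = struct.unpack_from("<I", data, imm)[0]
            return pos, oep_va, oep_va - image_base
        pos = data.find(ASPACK_TAIL_PREFIX, pos + 1)
    return None


def iat_params(iat_start_va, iat_end_va, image_base=IMAGE_BASE):
    """Turn the IAT start/end addresses seen in OD into Import REC's
    (IAT RVA, Size) fields. Raises if the range is empty or reversed."""
    if iat_end_va <= iat_start_va:
        raise ValueError("IAT end must lie after IAT start")
    return iat_start_va - image_base, iat_end_va - iat_start_va


if __name__ == "__main__":
    hit = find_aspack_oep(ASPACK_TAIL_SAMPLE)
    if hit is None:
        print("ASPack tail not found")
    else:
        off, va, rva = hit
        print(f"tail at offset {off:#x}: OEP VA {va:08X}, RVA {rva:X}")
    rva, size = iat_params(0x4030A4, 0x4032BE)
    print(f"Import REC -> IAT RVA {rva:X}, Size {size:X}")
```

On the constructed sample this reports OEP 004011CB (RVA 11CB) and IAT RVA 30A4 / Size 21A, matching the values entered into Import REC above. The retn check matters: the prefix alone is 12 bytes and could in principle appear in unrelated data, whereas the full 17-byte pattern with the pushed immediate followed by C3 is the form the stub actually uses.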