[转载]Themida V1.1.1.0 无驱动版试炼普通保护方式脱壳
<P>文章作者:fly</P><P><FONT face=宋体>下载页面:[url]http://www.oreans.com[/url]<BR>软件大小:6.10M<BR>加入时间:15-Nov-2005<BR>软件简介:AdvancedWindowssoftwareprotectionsystem,developedforsoftwaredeveloperswhowishtoprotecttheirapplicationsagainstadvancedreverseengineeringandsoftwarecracking.<BR><BR>【作者声明】:只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教<BR><BR>【调试环境】:WinXP、OllyDBG、PEiD、LordPE、ImportREC<BR><BR>—————————————————————————————————<BR>【脱壳过程】:<BR><BR><BR>首先需要说明的是ThemidaV1.1.1.0没有使用驱动,可能只是暂时放弃吧。虽然2005.12.02升级成ThemidaV1.1.1.5,但是主页还只提供V1.1.1.0Demo下载。不要用本文的方法去OllyDBG调试有驱动的其他版本Themida,那样只会让你的电脑重启。<BR>没有使用驱动的Themida几乎对OllyDBG没有反调试,直接用原版的OllyDBG即可运行起来。但是Themida的VirtualMachine非常强悍,要还原代码是困难的。感谢heXer和shoooo的帮忙。<BR>下面以ThemidaV1.1.1.0Demo来加壳Win98记事本演示,无SDK、CodeReplace,强度相对来说降低很多。<BR><IMG alt="" src="http://bbs.pediy.com/upload/2005/8/image/themida.v1.1.1.0.test.gif" border=0><BR>—————————————————————————————————<BR>一、EP<BR><BR><BR>调试前需要修改一个地方,用WinHex打开ThemidaV1.1.1.0.Test.exe,修改PE+60处的SizeOfStackReserve值为00380000,或者直接用PETools修改,这是为了方便后面补区段。<BR><BR>设置OllyDBG忽略所有异常选项。用IsDebug插件去掉OllyDBG的调试器标志。<BR><BR>0040D014B800000000moveax,0<BR>//进入OllyDBG后暂停在这<BR>0040D01960pushad<BR>0040D01A0BC0oreax,eax<BR>0040D01C7458jeshort0040D076<BR>0040D01EE800000000call0040D023<BR>0040D02358popeax<BR>0040D0240543000000addeax,43<BR>0040D0298038E9cmpbyteptrds:[eax],0E9<BR>0040D02C7503jnzshort0040D031<BR>0040D02E61popad<BR>0040D02FEB35jmpshort0040D066<BR><BR><BR>—————————————————————————————————<BR>二、输入表处理<BR><BR><BR>Alt+M打开内存察看窗口,在代码段设置内存写入断点。Shift+F9<BR><BR>0059E22DF3:A4repmovsbyteptres:[edi],byteptrds:[esi]<BR>//中断,壳解压各段<BR>0059E22FC68521201F0656movbyteptrss:[ebp+61F2021],56<BR>0059E23668396D1FD4pushD41F6D39<BR>0059E23BFFB5D9201F06pushdwordptrss:[ebp+61F20D9]<BR>0059E2418D8538942606leaeax,dwordptrss:[ebp+6269438]<BR>0059E247FFD0calleax<BR><BR>在0059E22D处我们要F7一次再F8,否则会长时间无反映<BR>至0059E22F时再Shift+F9,会中断在壳处理输入表的005A1DA5处<BR>下面这段代码很长,其实Themida的输入表处理还是比较简单的。<BR><BR>005A15358B9D51111F06movebx,dwordptrss:[ebp+61F1151]<BR>005A153B8B0Bmovecx,dwordptrds:[ebx]<BR>005A153D83F900cmpecx,0<BR>005A15400F848D090000je005A1ED3<BR>//输入表处理完成后此处跳转<BR>005A154650pusheax<BR>005A154751pushecx<BR>005A154860pushad<BR>005A154933C0xoreax,eax<BR>005A154B8985C5181F06movdwordptrss:[ebp+61F18C5],eax<BR>005A1551BE3C000000movesi,3C<BR>005A155603742420addesi,dwordptrss:[esp+20]<BR>005A155A66:ADlodswordptrds:[esi]<BR>005A155C03442420addeax,dwordptrss:[esp+20]<BR>005A15608B7078movesi,dwordptrds:[eax+78]<BR>005A156303742420addesi,dwordptrss:[esp+20]<BR>005A15678B7E18movedi,dwordptrds:[esi+18]<BR>005A156A89BDF9141F06movdwordptrss:[ebp+61F14F9],edi<BR>005A157085FFtestedi,edi<BR>005A15720F850A000000jnz005A1582<BR>005A1578E8630F0000call005A24E0<BR>005A157DE991000000jmp005A1613<BR>005A158251pushecx<BR>005A15838BD7movedx,edi<BR>005A15856BD204imuledx,edx,4<BR>005A15888995750D1F06movdwordptrss:[ebp+61F0D75],edx<BR>005A158E6A04push4<BR>005A15906800100000push1000<BR>005A159552pushedx<BR>005A15966A00push0<BR>005A1598FF95AD251F06calldwordptrss:[ebp+61F25AD]<BR>005A159E8985AD2F1F06movdwordptrss:[ebp+61F2FAD],eax<BR>005A15A48BD0movedx,eax<BR>005A15A659popecx<BR>005A15A7E8340F0000call005A24E0<BR>005A15AC56pushesi<BR>005A15ADADlodsdwordptrds:[esi]<BR>005A15AE03442424addeax,dwordptrss:[esp+24]<BR>005A15B297xchgeax,edi<BR>005A15B38BDFmovebx,edi<BR>005A15B557pushedi<BR>005A15B632C0xoral,al<BR>005A15B8AEscasbyteptres:[edi]<BR>005A15B90F85F9FFFFFFjnz005A15B8<BR>005A15BF5Epopesi<BR>005A15C02BFBsubedi,ebx<BR>005A15C252pushedx<BR>005A15C38BD7movedx,edi<BR>005A15C58BBDD9011F06movedi,dwordptrss:[ebp+61F01D9]<BR>005A15CB83C9FForecx,FFFFFFFF<BR>005A15CE33C0xoreax,eax<BR>005A15D08A06moval,byteptrds:[esi]<BR>005A15D232C1xoral,cl<BR>005A15D446incesi<BR>005A15D58B0487moveax,dwordptrds:[edi+eax*4]<BR>005A15D8C1E908shrecx,8<BR>005A15DB33C8xorecx,eax<BR>005A15DD4Adecedx<BR>005A15DE0F85EAFFFFFFjnz005A15CE<BR>005A15E48BC1moveax,ecx<BR>005A15E6F7D0noteax<BR>005A15E85Apopedx<BR>005A15E98902movdwordptrds:[edx],eax<BR>005A15EB83C204addedx,4<BR>005A15EE52pushedx<BR>005A15EFFF85C5181F06incdwordptrss:[ebp+61F18C5]<BR>005A15F58B95C5181F06movedx,dwordptrss:[ebp+61F18C5]<BR>005A15FB3995F9141F06cmpdwordptrss:[ebp+61F14F9],edx<BR>005A16010F840A000000je005A1611<BR>005A16075Apopedx<BR>005A16085Epopesi<BR>005A160983C604addesi,4<BR>005A160CE99BFFFFFFjmp005A15AC<BR>005A16115Apopedx<BR>005A16125Epopesi<BR>005A161361popad<BR>005A161459popecx<BR>005A161558popeax<BR>005A1616C785D9181F060000>movdwordptrss:[ebp+61F18D9],0<BR>005A1620C785B9061F060000>movdwordptrss:[ebp+61F06B9],0<BR>005A162A83BD70A72C0600cmpdwordptrss:[ebp+62CA770],0<BR>005A16310F8408000000je005A163F<BR>005A16378D9D913D2B06leaebx,dwordptrss:[ebp+62B3D91]<BR>005A163DFFD3callebx<BR>005A163FFF8589201F06incdwordptrss:[ebp+61F2089]<BR>005A164583BD89201F0664cmpdwordptrss:[ebp+61F2089],64<BR>005A164C0F8262000000jb005A16B4<BR>005A1652C78589201F060100>movdwordptrss:[ebp+61F2089],1<BR>005A165C60pushad<BR>005A165D8DB504A82C06leaesi,dwordptrss:[ebp+62CA804]<BR>005A16638DBDC6C02C06leaedi,dwordptrss:[ebp+62CC0C6]<BR>005A16692BFEsubedi,esi<BR>005A166B8BD7movedx,edi<BR>005A166D8BBDD9011F06movedi,dwordptrss:[ebp+61F01D9]<BR>005A167383C9FForecx,FFFFFFFF<BR>005A167633C0xoreax,eax<BR>005A16788A06moval,byteptrds:[esi]<BR>005A167A32C1xoral,cl<BR>005A167C46incesi<BR>005A167D8B0487moveax,dwordptrds:[edi+eax*4]<BR>005A1680C1E908shrecx,8<BR>005A168333C8xorecx,eax<BR>005A16854Adecedx<BR>005A16860F85EAFFFFFFjnz005A1676<BR>005A168C8BC1moveax,ecx<BR>005A168EF7D0noteax<BR>005A169039851D1D1F06cmpdwordptrss:[ebp+61F1D1D],eax<BR>005A16960F8417000000je005A16B3<BR>005A169C83BD9D1D1F0600cmpdwordptrss:[ebp+61F1D9D],0<BR>005A16A30F850A000000jnz005A16B3<BR>//自校验<BR>//Patch①、jmp005A16B3★<BR>005A16A9C785990C1F060100>movdwordptrss:[ebp+61F0C99],1<BR>005A16B361popad<BR>005A16B4B9BDEB8C32movecx,328CEBBD<BR>005A16B9BAA0F0804Dmovedx,4D80F0A0<BR>005A16BEADlodsdwordptrds:[esi]<BR>005A16BF89B565031F06movdwordptrss:[ebp+61F0365],esi<BR>005A16C5C746FC00000000movdwordptrds:[esi-4],0<BR>005A16CC3DEEEEEEEEcmpeax,EEEEEEEE<BR>005A16D10F8520000000jnz005A16F7<BR>005A16D7813EDDDDDDDDcmpdwordptrds:[esi],DDDDDDDD<BR>005A16DD0F8514000000jnz005A16F7<BR>005A16E3C70600000000movdwordptrds:[esi],0<BR>005A16E983C604addesi,4<BR>005A16EC89B565031F06movdwordptrss:[ebp+61F0365],esi<BR>005A16F2E9A7070000jmp005A1E9E<BR>005A16F78BD8movebx,eax<BR>005A16F93385990C1F06xoreax,dwordptrss:[ebp+61F0C99]<BR>005A16FFC1C803roreax,3<BR>005A17022BC2subeax,edx<BR>005A1704C1C010roleax,10<BR>005A170733C1xoreax,ecx<BR>005A1709899D990C1F06movdwordptrss:[ebp+61F0C99],ebx<BR>005A170F3D00000100cmpeax,10000<BR>005A17140F8345000000jnb005A175F<BR>005A171A813EBBBBBBBBcmpdwordptrds:[esi],BBBBBBBB<BR>005A17200F8539000000jnz005A175F<BR>005A1726C70600000000movdwordptrds:[esi],0<BR>005A172C83C604addesi,4<BR>005A172F89B565031F06movdwordptrss:[ebp+61F0365],esi<BR>005A17358B9D51111F06movebx,dwordptrss:[ebp+61F1151]<BR>005A173B8B0Bmovecx,dwordptrds:[ebx]<BR>005A173D8BD0movedx,eax<BR>005A173F60pushad<BR>005A17408BC2moveax,edx<BR>005A17422B8589281F06subeax,dwordptrss:[ebp+61F2889]<BR>005A1748C1E002shleax,2<BR>005A174B038591051F06addeax,dwordptrss:[ebp+61F0591]<BR>005A175196xchgeax,esi<BR>005A1752ADlodsdwordptrds:[esi]<BR>005A175303C1addeax,ecx<BR>005A17558944241Cmovdwordptrss:[esp+1C],eax<BR>005A175961popad<BR>005A175AE97C000000jmp005A17DB<BR>005A175F51pushecx<BR>005A176052pushedx<BR>005A176133C9xorecx,ecx<BR>005A17638B95AD2F1F06movedx,dwordptrss:[ebp+61F2FAD]<BR>005A17693B02cmpeax,dwordptrds:[edx]<BR>005A176B0F8438000000je005A17A9<BR>005A177183C204addedx,4<BR>005A177441incecx<BR>005A17753B8DF9141F06cmpecx,dwordptrss:[ebp+61F14F9]<BR>005A177B0F85E8FFFFFFjnz005A1769<BR>005A17818DB52DA72C06leaesi,dwordptrss:[ebp+62CA72D]<BR>005A17878DBDA51A1F06leaedi,dwordptrss:[ebp+61F1AA5]<BR>005A178DAClodsbyteptrds:[esi]<BR>005A178E84C0testal,al<BR>005A17900F8406000000je005A179C<BR>005A1796AAstosbyteptres:[edi]<BR>005A1797E9F1FFFFFFjmp005A178D<BR>005A179CB807000000moveax,7<BR>005A17A18D8D174C1F06leaecx,dwordptrss:[ebp+61F4C17]<BR>005A17A7FFE1jmpecx<BR>005A17A9898DC5181F06movdwordptrss:[ebp+61F18C5],ecx<BR>005A17AF5Apopedx<BR>005A17B059popecx<BR>005A17B156pushesi<BR>005A17B28B9D51111F06movebx,dwordptrss:[ebp+61F1151]<BR>005A17B88B0Bmovecx,dwordptrds:[ebx]<BR>005A17BA8B85C5181F06moveax,dwordptrss:[ebp+61F18C5]<BR>005A17C0D1E0shleax,1<BR>005A17C20385011E1F06addeax,dwordptrss:[ebp+61F1E01]<BR>005A17C833F6xoresi,esi<BR>005A17CA96xchgeax,esi<BR>005A17CB66:ADlodswordptrds:[esi]<BR>005A17CDC1E002shleax,2<BR>005A17D0038591051F06addeax,dwordptrss:[ebp+61F0591]<BR>005A17D696xchgeax,esi<BR>005A17D7ADlodsdwordptrds:[esi]<BR>005A17D803C1addeax,ecx<BR>005A17DA5Epopesi<BR>005A17DB83BDDD151F0601cmpdwordptrss:[ebp+61F15DD],1<BR>005A17E20F8439000000je005A1821<BR>//下面判断是否是特殊DLL的特殊函数,是则加密。当然不希望其加密啦<BR>//Patch②、jmp005A180C★<BR>005A17E83B8DF1151F06cmpecx,dwordptrss:[ebp+61F15F1]<BR>//Kernel32.DLL?<BR>005A17EE0F842D000000je005A1821<BR>005A17F43B8DB5011F06cmpecx,dwordptrss:[ebp+61F01B5]<BR>//USER32.DLL?<BR>005A17FA0F8421000000je005A1821<BR>005A18003B8D410F1F06cmpecx,dwordptrss:[ebp+61F0F41]<BR>//ADVAPI32.DLL?<BR>005A18060F8415000000je005A1821<BR>005A180C8D9DE4B82C06leaebx,dwordptrss:[ebp+62CB8E4]<BR>005A1812FFD3callebx<BR>005A18148BF8movedi,eax<BR>005A18168985ED091F06movdwordptrss:[ebp+61F09ED],eax<BR>005A181CE962050000jmp005A1D83<BR>//跳开下面的比较和加密<BR>005A18218D9DE4B82C06leaebx,dwordptrss:[ebp+62CB8E4]<BR>005A1827FFD3callebx<BR>005A182983BDDD151F0600cmpdwordptrss:[ebp+61F15DD],0<BR>005A18300F841D000000je005A1853<BR>005A18363B85C9201F06cmpeax,dwordptrss:[ebp+61F20C9]<BR>005A183C0F840C000000je005A184E<BR>005A18423B85ED0D1F06cmpeax,dwordptrss:[ebp+61F0DED]<BR>005A18480F8505000000jnz005A1853<BR>005A184EE9B9FFFFFFjmp005A180C<BR>005A18533B8555121F06cmpeax,dwordptrss:[ebp+61F1255]<BR>005A18590F8518000000jnz005A1877<BR>005A185F83BD45141F0600cmpdwordptrss:[ebp+61F1445],0<BR>005A18660F850B000000jnz005A1877<BR>005A186C8D85A89A2C06leaeax,dwordptrss:[ebp+62C9AA8]<BR>005A1872E995FFFFFFjmp005A180C<BR>005A18773B8555121F06cmpeax,dwordptrss:[ebp+61F1255]<BR>005A187D0F8489FFFFFFje005A180C<BR>005A188383BD29A72C0601cmpdwordptrss:[ebp+62CA729],1<BR>005A188A0F8517000000jnz005A18A7<BR>005A18903B8588A72C06cmpeax,dwordptrss:[ebp+62CA788]<BR>005A18960F850B000000jnz005A18A7<BR>005A189C8D8564E35700leaeax,dwordptrss:[ebp+57E364]<BR>005A18A2E96DFFFFFFjmp005A1814<BR>005A18A733FFxoredi,edi<BR>005A18A983BD39301F0600cmpdwordptrss:[ebp+61F3039],0<BR>005A18B00F840D020000je005A1AC3<BR>005A18B63B8574A72C06cmpeax,dwordptrss:[ebp+62CA774]<BR>005A18BC7507jnzshort005A18C5<BR>005A18BE8B8509221F06moveax,dwordptrss:[ebp+61F2209]<BR>005A18C447incedi<BR>005A18C53B857CA72C06cmpeax,dwordptrss:[ebp+62CA77C]<BR>005A18CB7507jnzshort005A18D4<BR>005A18CD8B85151A1F06moveax,dwordptrss:[ebp+61F1A15]<BR>005A18D347incedi<BR>005A18D43B8578A72C06cmpeax,dwordptrss:[ebp+62CA778]<BR>005A18DA7507jnzshort005A18E3<BR>005A18DC8B8595131F06moveax,dwordptrss:[ebp+61F1395]<BR>005A18E247incedi<BR>005A18E33B8580A72C06cmpeax,dwordptrss:[ebp+62CA780]<BR>005A18E97507jnzshort005A18F2<BR>005A18EB8B85C12B1F06moveax,dwordptrss:[ebp+61F2BC1]<BR>005A18F147incedi<BR>005A18F23B8584A72C06cmpeax,dwordptrss:[ebp+62CA784]<BR>005A18F87507jnzshort005A1901<BR>005A18FA8B85DD271F06moveax,dwordptrss:[ebp+61F27DD]<BR>005A190047incedi<BR>005A19013B8588A72C06cmpeax,dwordptrss:[ebp+62CA788]<BR>005A19077507jnzshort005A1910<BR>005A19098B85512A1F06moveax,dwordptrss:[ebp+61F2A51]<BR>005A190F47incedi<BR>005A19103B858CA72C06cmpeax,dwordptrss:[ebp+62CA78C]<BR>005A19167507jnzshort005A191F<BR>005A19188B85110A1F06moveax,dwordptrss:[ebp+61F0A11]<BR>005A191E47incedi<BR>005A191F3B8590A72C06cmpeax,dwordptrss:[ebp+62CA790]<BR>005A19257507jnzshort005A192E<BR>005A19278B858D141F06moveax,dwordptrss:[ebp+61F148D]<BR>005A192D47incedi<BR>005A192E3B8594A72C06cmpeax,dwordptrss:[ebp+62CA794]<BR>005A19347507jnzshort005A193D<BR>005A19368B8561221F06moveax,dwordptrss:[ebp+61F2261]<BR>005A193C47incedi<BR>005A193D3B8598A72C06cmpeax,dwordptrss:[ebp+62CA798]<BR>005A19437507jnzshort005A194C<BR>005A19458B8525131F06moveax,dwordptrss:[ebp+61F1325]<BR>005A194B47incedi<BR>005A194C3B85A0A72C06cmpeax,dwordptrss:[ebp+62CA7A0]<BR>005A19527507jnzshort005A195B<BR>005A19548B85550F1F06moveax,dwordptrss:[ebp+61F0F55]<BR>005A195A47incedi<BR>005A195B3B859CA72C06cmpeax,dwordptrss:[ebp+62CA79C]<BR>005A19617507jnzshort005A196A<BR>005A19638B855D2F1F06moveax,dwordptrss:[ebp+61F2F5D]<BR>005A196947incedi<BR>005A196A3B85A4A72C06cmpeax,dwordptrss:[ebp+62CA7A4]<BR>005A19707507jnzshort005A1979<BR>005A19728B857D2A1F06moveax,dwordptrss:[ebp+61F2A7D]<BR>005A197847incedi<BR>005A19793B85A8A72C06cmpeax,dwordptrss:[ebp+62CA7A8]<BR>005A197F7507jnzshort005A1988<BR>005A19818B850D281F06moveax,dwordptrss:[ebp+61F280D]<BR>005A198747incedi<BR>005A19883B85ACA72C06cmpeax,dwordptrss:[ebp+62CA7AC]<BR>005A198E7507jnzshort005A1997<BR>005A19908B85A1111F06moveax,dwordptrss:[ebp+61F11A1]<BR>005A199647incedi<BR>005A19973B85B0A72C06cmpeax,dwordptrss:[ebp+62CA7B0]<BR>005A199D7507jnzshort005A19A6<BR>005A199F8B85ED251F06moveax,dwordptrss:[ebp+61F25ED]<BR>005A19A547incedi<BR>005A19A63B85B4A72C06cmpeax,dwordptrss:[ebp+62CA7B4]<BR>005A19AC7507jnzshort005A19B5<BR>005A19AE8B8595001F06moveax,dwordptrss:[ebp+61F0095]<BR>005A19B447incedi<BR>005A19B53B85B8A72C06cmpeax,dwordptrss:[ebp+62CA7B8]<BR>005A19BB7507jnzshort005A19C4<BR>005A19BD8B859D251F06moveax,dwordptrss:[ebp+61F259D]<BR>005A19C347incedi<BR>005A19C43B85BCA72C06cmpeax,dwordptrss:[ebp+62CA7BC]<BR>005A19CA7507jnzshort005A19D3<BR>005A19CC8B85511D1F06moveax,dwordptrss:[ebp+61F1D51]<BR>005A19D247incedi<BR>005A19D33B85C0A72C06cmpeax,dwordptrss:[ebp+62CA7C0]<BR>005A19D97507jnzshort005A19E2<BR>005A19DB8B8555271F06moveax,dwordptrss:[ebp+61F2755]<BR>005A19E147incedi<BR>005A19E23B85C4A72C06cmpeax,dwordptrss:[ebp+62CA7C4]<BR>005A19E87507jnzshort005A19F1<BR>005A19EA8B85C1131F06moveax,dwordptrss:[ebp+61F13C1]<BR>005A19F047incedi<BR>005A19F13B85CCA72C06cmpeax,dwordptrss:[ebp+62CA7CC]<BR>005A19F77507jnzshort005A1A00<BR>005A19F98B8515011F06moveax,dwordptrss:[ebp+61F0115]<BR>005A19FF47incedi<BR>005A1A003B85C8A72C06cmpeax,dwordptrss:[ebp+62CA7C8]<BR>005A1A067507jnzshort005A1A0F<BR>005A1A088B859D271F06moveax,dwordptrss:[ebp+61F279D]<BR>005A1A0E47incedi<BR>005A1A0F3B85D0A72C06cmpeax,dwordptrss:[ebp+62CA7D0]<BR>005A1A157507jnzshort005A1A1E<BR>005A1A178B8531111F06moveax,dwordptrss:[ebp+61F1131]<BR>005A1A1D47incedi<BR>005A1A1E3B85D4A72C06cmpeax,dwordptrss:[ebp+62CA7D4]<BR>005A1A247507jnzshort005A1A2D<BR>005A1A268B85390D1F06moveax,dwordptrss:[ebp+61F0D39]<BR>005A1A2C47incedi<BR>005A1A2D3B85D8A72C06cmpeax,dwordptrss:[ebp+62CA7D8]<BR>005A1A337507jnzshort005A1A3C<BR>005A1A358B8565281F06moveax,dwordptrss:[ebp+61F2865]<BR>005A1A3B47incedi<BR>005A1A3C3B85DCA72C06cmpeax,dwordptrss:[ebp+62CA7DC]<BR>005A1A427507jnzshort005A1A4B<BR>005A1A448B85A9101F06moveax,dwordptrss:[ebp+61F10A9]<BR>005A1A4A47incedi<BR>005A1A4B3B85E0A72C06cmpeax,dwordptrss:[ebp+62CA7E0]<BR>005A1A517507jnzshort005A1A5A<BR>005A1A538B855D121F06moveax,dwordptrss:[ebp+61F125D]<BR>005A1A5947incedi<BR>005A1A5A3B85E4A72C06cmpeax,dwordptrss:[ebp+62CA7E4]<BR>005A1A607507jnzshort005A1A69<BR>005A1A628B8535101F06moveax,dwordptrss:[ebp+61F1035]<BR>005A1A6847incedi<BR>005A1A693B85E8A72C06cmpeax,dwordptrss:[ebp+62CA7E8]<BR>005A1A6F7507jnzshort005A1A78<BR>005A1A718B85D1211F06moveax,dwordptrss:[ebp+61F21D1]<BR>005A1A7747incedi<BR>005A1A783B85ECA72C06cmpeax,dwordptrss:[ebp+62CA7EC]<BR>005A1A7E7507jnzshort005A1A87<BR>005A1A808B858D2A1F06moveax,dwordptrss:[ebp+61F2A8D]<BR>005A1A8647incedi<BR>005A1A873B85DD161F06cmpeax,dwordptrss:[ebp+61F16DD]<BR>005A1A8D7507jnzshort005A1A96<BR>005A1A8F8B85D11E1F06moveax,dwordptrss:[ebp+61F1ED1]<BR>005A1A9547incedi<BR>005A1A963B85F0A72C06cmpeax,dwordptrss:[ebp+62CA7F0]<BR>005A1A9C7507jnzshort005A1AA5<BR>005A1A9E8B858D061F06moveax,dwordptrss:[ebp+61F068D]<BR>005A1AA447incedi<BR>005A1AA53B85F4A72C06cmpeax,dwordptrss:[ebp+62CA7F4]<BR>005A1AAB7507jnzshort005A1AB4<BR>005A1AAD8B85C91D1F06moveax,dwordptrss:[ebp+61F1DC9]<BR>005A1AB347incedi<BR>005A1AB43B85F8A72C06cmpeax,dwordptrss:[ebp+62CA7F8]<BR>005A1ABA7507jnzshort005A1AC3<BR>005A1ABC8B85AD2A1F06moveax,dwordptrss:[ebp+61F2AAD]<BR>005A1AC247incedi<BR>005A1AC30BFForedi,edi<BR>005A1AC50F8405000000je005A1AD0<BR>005A1ACBE944FDFFFFjmp005A1814<BR>005A1AD03B8529231F06cmpeax,dwordptrss:[ebp+61F2329]<BR>005A1AD60F850B000000jnz005A1AE7<BR>005A1ADC8D85A46E2B06leaeax,dwordptrss:[ebp+62B6EA4]<BR>005A1AE2E92DFDFFFFjmp005A1814<BR>005A1AE73B85912F1F06cmpeax,dwordptrss:[ebp+61F2F91]<BR>005A1AED0F8518000000jnz005A1B0B<BR>005A1AF383BD29A72C0601cmpdwordptrss:[ebp+62CA729],1<BR>005A1AFA0F850B000000jnz005A1B0B<BR>005A1B008D85E7E25700leaeax,dwordptrss:[ebp+57E2E7]<BR>005A1B06E909FDFFFFjmp005A1814<BR>005A1B0B3B8564A72C06cmpeax,dwordptrss:[ebp+62CA764]<BR>005A1B110F840C000000je005A1B23<BR>005A1B173B8568A72C06cmpeax,dwordptrss:[ebp+62CA768]<BR>005A1B1D0F8505000000jnz005A1B28<BR>005A1B23E9ECFCFFFFjmp005A1814<BR>005A1B28BE00000000movesi,0<BR>005A1B2D83FE01cmpesi,1<BR>005A1B300F8545000000jnz005A1B7B<BR>005A1B363B8558A72C06cmpeax,dwordptrss:[ebp+62CA758]<BR>005A1B3C0F850B000000jnz005A1B4D<BR>005A1B428D857F755700leaeax,dwordptrss:[ebp+57757F]<BR>005A1B48E9C7FCFFFFjmp005A1814<BR>005A1B4D3B855CA72C06cmpeax,dwordptrss:[ebp+62CA75C]<BR>005A1B530F850B000000jnz005A1B64<BR>005A1B598D85F5755700leaeax,dwordptrss:[ebp+5775F5]<BR>005A1B5FE9B0FCFFFFjmp005A1814<BR>005A1B643B8560A72C06cmpeax,dwordptrss:[ebp+62CA760]<BR>005A1B6A0F850B000000jnz005A1B7B<BR>005A1B708D853A765700leaeax,dwordptrss:[ebp+57763A]<BR>005A1B76E999FCFFFFjmp005A1814<BR>005A1B7B8BC0moveax,eax<BR>005A1B7DBE01000000movesi,1<BR>005A1B820BF6oresi,esi<BR>005A1B840F8505000000jnz005A1B8F<BR>005A1B8AE97DFCFFFFjmp005A180C<BR>005A1B8F8BF0movesi,eax<BR>005A1B9189B571231F06movdwordptrss:[ebp+61F2371],esi<BR>005A1B9789B5210C1F06movdwordptrss:[ebp+61F0C21],esi<BR>005A1B9D803EE9cmpbyteptrds:[esi],0E9<BR>005A1BA00F8526000000jnz005A1BCC<BR>005A1BA68B7E01movedi,dwordptrds:[esi+1]<BR>005A1BA903FEaddedi,esi<BR>005A1BAB8BDEmovebx,esi<BR>005A1BAD81C300400000addebx,4000<BR>005A1BB33BBD71231F06cmpedi,dwordptrss:[ebp+61F2371]<BR>005A1BB90F8208000000jb005A1BC7<BR>005A1BBF3BFBcmpedi,ebx<BR>005A1BC10F8605000000jbe005A1BCC<BR>005A1BC7E940FCFFFFjmp005A180C<BR>005A1BCC8BBD190E1F06movedi,dwordptrss:[ebp+61F0E19]<BR>005A1BD2C78549101F060000>movdwordptrss:[ebp+61F1049],0<BR>005A1BDC60pushad<BR>005A1BDD89B5210C1F06movdwordptrss:[ebp+61F0C21],esi<BR>005A1BE38D9D6CBE2C06leaebx,dwordptrss:[ebp+62CBE6C]<BR>005A1BE9FFD3callebx<BR>005A1BEB0F8222000000jb005A1C13<BR>005A1BF18D9D604D2A06leaebx,dwordptrss:[ebp+62A4D60]<BR>005A1BF7FFD3callebx<BR>005A1BF90F83DEFFFFFFjnb005A1BDD<BR>005A1BFF8BB5210C1F06movesi,dwordptrss:[ebp+61F0C21]<BR>005A1C0589B549101F06movdwordptrss:[ebp+61F1049],esi<BR>005A1C0B8D9DE23D2B06leaebx,dwordptrss:[ebp+62B3DE2]<BR>005A1C11FFD3callebx<BR>005A1C138B8571231F06moveax,dwordptrss:[ebp+61F2371]<BR>005A1C198985210C1F06movdwordptrss:[ebp+61F0C21],eax<BR>005A1C1F61popad<BR>005A1C208D9D99BA2C06leaebx,dwordptrss:[ebp+62CBA99]<BR>005A1C26FFD3callebx<BR>005A1C288D9D1CBB2C06leaebx,dwordptrss:[ebp+62CBB1C]<BR>005A1C2EFFD3callebx<BR>005A1C308D9DBDBD2C06leaebx,dwordptrss:[ebp+62CBDBD]<BR>005A1C36FFD3callebx<BR>005A1C380F830C000000jnb005A1C4A<BR>005A1C3E8385210C1F0605adddwordptrss:[ebp+61F0C21],5<BR>005A1C45E9D6FFFFFFjmp005A1C20<BR>005A1C4A8D9DE6BD2C06leaebx,dwordptrss:[ebp+62CBDE6]<BR>005A1C50FFD3callebx<BR>005A1C520F8308000000jnb005A1C60<BR>005A1C5883C204addedx,4<BR>005A1C5BE932000000jmp005A1C92<BR>005A1C608D9D604D2A06leaebx,dwordptrss:[ebp+62A4D60]<BR>005A1C66FFD3callebx<BR>005A1C680F830B000000jnb005A1C79<BR>005A1C6E8BB5210C1F06movesi,dwordptrss:[ebp+61F0C21]<BR>005A1C74E927070000jmp005A23A0<BR>005A1C798B8D210C1F06movecx,dwordptrss:[ebp+61F0C21]<BR>005A1C7F89B5210C1F06movdwordptrss:[ebp+61F0C21],esi<BR>005A1C852BCEsubecx,esi<BR>005A1C87F7D9negecx<BR>005A1C892BF1subesi,ecx<BR>005A1C8BF3:A4repmovsbyteptres:[edi],byteptrds:[esi]<BR>005A1C8DE98EFFFFFFjmp005A1C20<BR>005A1C928D9D913D2B06leaebx,dwordptrss:[ebp+62B3D91]<BR>005A1C98FFD3callebx<BR>005A1C9A8BC7moveax,edi<BR>005A1C9C2B85190E1F06subeax,dwordptrss:[ebp+61F0E19]<BR>005A1CA2898559241F06movdwordptrss:[ebp+61F2459],eax<BR>005A1CA88B85190E1F06moveax,dwordptrss:[ebp+61F0E19]<BR>005A1CAE57pushedi<BR>005A1CAF50pusheax<BR>005A1CB08D8D9C3E2B06leaecx,dwordptrss:[ebp+62B3E9C]<BR>005A1CB6FFD1callecx<BR>005A1CB88B85E1201F06moveax,dwordptrss:[ebp+61F20E1]<BR>005A1CBE50pusheax<BR>005A1CBF57pushedi<BR>005A1CC08B85190E1F06moveax,dwordptrss:[ebp+61F0E19]<BR>005A1CC650pusheax<BR>005A1CC78D8DC3402B06leaecx,dwordptrss:[ebp+62B40C3]<BR>005A1CCDFFD1callecx<BR>005A1CCF8BD0movedx,eax<BR>005A1CD18BC8movecx,eax<BR>005A1CD32B8DE1201F06subecx,dwordptrss:[ebp+61F20E1]<BR>005A1CD983BD5D0A1F0600cmpdwordptrss:[ebp+61F0A5D],0<BR>005A1CE00F842B000000je005A1D11<BR>005A1CE68B8501041F06moveax,dwordptrss:[ebp+61F0401]<BR>005A1CEC2B855D0A1F06subeax,dwordptrss:[ebp+61F0A5D]<BR>005A1CF23BC1cmpeax,ecx<BR>005A1CF40F8617000000jbe005A1D11<BR>005A1CFA8B85B50E1F06moveax,dwordptrss:[ebp+61F0EB5]<BR>005A1D0003855D0A1F06addeax,dwordptrss:[ebp+61F0A5D]<BR>005A1D068985ED091F06movdwordptrss:[ebp+61F09ED],eax<BR>005A1D0CE943000000jmp005A1D54<BR>005A1D1151pushecx<BR>005A1D128BC1moveax,ecx<BR>005A1D1448deceax<BR>005A1D150DFF0F0000oreax,0FFF<BR>005A1D1A40inceax<BR>005A1D1B898501041F06movdwordptrss:[ebp+61F0401],eax<BR>005A1D210185DD091F06adddwordptrss:[ebp+61F09DD],eax<BR>005A1D27C7855D0A1F060000>movdwordptrss:[ebp+61F0A5D],0<BR>005A1D316A40push40<BR>005A1D336800100000push1000<BR>005A1D3851pushecx<BR>005A1D396A00push0<BR>005A1D3BFF95AD251F06calldwordptrss:[ebp+61F25AD]<BR>005A1D41FF9569201F06calldwordptrss:[ebp+61F2069]<BR>005A1D478985B50E1F06movdwordptrss:[ebp+61F0EB5],eax<BR>005A1D4D8985ED091F06movdwordptrss:[ebp+61F09ED],eax<BR>005A1D5359popecx<BR>005A1D54FFB5ED091F06pushdwordptrss:[ebp+61F09ED]<BR>005A1D5AFFB5E1201F06pushdwordptrss:[ebp+61F20E1]<BR>005A1D6057pushedi<BR>005A1D61FFB5190E1F06pushdwordptrss:[ebp+61F0E19]<BR>005A1D678D8557432B06leaeax,dwordptrss:[ebp+62B4357]<BR>005A1D6DFFD0calleax<BR>005A1D6F018D5D0A1F06adddwordptrss:[ebp+61F0A5D],ecx<BR>005A1D758BBDED091F06movedi,dwordptrss:[ebp+61F09ED]<BR>005A1D7B8BB5E1201F06movesi,dwordptrss:[ebp+61F20E1]<BR>005A1D81F3:A4repmovsbyteptres:[edi],byteptrds:[esi]<BR>005A1D838BB565031F06movesi,dwordptrss:[ebp+61F0365]<BR>005A1D89ADlodsdwordptrds:[esi]<BR>005A1D8AC746FC00000000movdwordptrds:[esi-4],0<BR>005A1D91C1C005roleax,5<BR>005A1D9405BDEB8C32addeax,328CEBBD<BR>005A1D990385D9211F06addeax,dwordptrss:[ebp+61F21D9]<BR>005A1D9F8B8DED091F06movecx,dwordptrss:[ebp+61F09ED]<BR>005A1DA58908movdwordptrds:[eax],ecx;SHELL32.ShellExecuteA<BR>//上面Shift+F9后中断在这里<BR>//Patch③、jmp005AF000★<BR>005A1DA7ADlodsdwordptrds:[esi]<BR>005A1DA8C746FC00000000movdwordptrds:[esi-4],0<BR>005A1DAF89B565031F06movdwordptrss:[ebp+61F0365],esi<BR>005A1DB583F8FFcmpeax,-1<BR>005A1DB80F8520000000jnz005A1DDE<BR>005A1DBE813EDDDDDDDDcmpdwordptrds:[esi],DDDDDDDD<BR>005A1DC40F8514000000jnz005A1DDE<BR>005A1DCAC70600000000movdwordptrds:[esi],0<BR>005A1DD083C604addesi,4<BR>005A1DD389B565031F06movdwordptrss:[ebp+61F0365],esi<BR>005A1DD9E938F8FFFFjmp005A1616<BR>005A1DDEC1C003roleax,3<BR>005A1DE10385D9211F06addeax,dwordptrss:[ebp+61F21D9]<BR>005A1DE783BD212B1F0601cmpdwordptrss:[ebp+61F2B21],1<BR>005A1DEE0F849D000000je005A1E91<BR>005A1DF4813EAAAAAAAAcmpdwordptrds:[esi],AAAAAAAA<BR>005A1DFA0F8512000000jnz005A1E12<BR>005A1E0083C604addesi,4<BR>005A1E03C746FC00000000movdwordptrds:[esi-4],0<BR>005A1E0A97xchgeax,edi<BR>005A1E0BB0E9moval,0E9<BR>005A1E0DE903000000jmp005A1E15<BR>005A1E1297xchgeax,edi<BR>005A1E13B0E8moval,0E8<BR>005A1E1550pusheax<BR>005A1E1683BDDD151F0601cmpdwordptrss:[ebp+61F15DD],1<BR>005A1E1D0F843E000000je005A1E61<BR>005A1E23B800010000moveax,100<BR>005A1E2883BD70A72C0600cmpdwordptrss:[ebp+62CA770],0<BR>005A1E2F0F8408000000je005A1E3D<BR>005A1E358D9DB0462B06leaebx,dwordptrss:[ebp+62B46B0]<BR>005A1E3BFFD3callebx<BR>005A1E3D803F90cmpbyteptrds:[edi],90<BR>005A1E400F8408000000je005A1E4E<BR>005A1E4683C705addedi,5<BR>005A1E49E943000000jmp005A1E91<BR>005A1E4E83F850cmpeax,50<BR>005A1E510F820A000000jb005A1E61<BR>005A1E57B090moval,90<BR>005A1E59AAstosbyteptres:[edi]<BR>005A1E5A58popeax<BR>005A1E5BAAstosbyteptres:[edi]<BR>005A1E5CE924000000jmp005A1E85<BR>//Patch④、jmp005AF014★<BR>005A1E6158popeax<BR>005A1E62AAstosbyteptres:[edi]<BR>005A1E63807FFFE9cmpbyteptrds:[edi-1],0E9<BR>005A1E670F8518000000jnz005A1E85<BR>//Patch⑤、jmp005AF036★<BR>005A1E6D83BD70A72C0600cmpdwordptrss:[ebp+62CA770],0<BR>005A1E740F8408000000je005A1E82<BR>005A1E7A8D9D80462B06leaebx,dwordptrss:[ebp+62B4680]<BR>005A1E80FFD3callebx<BR>005A1E82884704movbyteptrds:[edi+4],al<BR>//Patch⑥、NOP★去掉加密填充<BR>005A1E858B85ED091F06moveax,dwordptrss:[ebp+61F09ED]<BR>005A1E8B2BC7subeax,edi<BR>005A1E8D83E804subeax,4<BR>005A1E90ABstosdwordptres:[edi]<BR>//Patch⑦、NOP★去掉加密填充<BR>005A1E91ADlodsdwordptrds:[esi]<BR>005A1E92C746FC00000000movdwordptrds:[esi-4],0<BR>005A1E99E911FFFFFFjmp005A1DAF<BR>//循环处理每个DLL的函数<BR>//Patch⑧、jmp005AF05F★<BR>005A1E9E89B565031F06movdwordptrss:[ebp+61F0365],esi<BR>005A1EA452pushedx<BR>005A1EA56800800000push8000<BR>005A1EAA6A00push0<BR>005A1EACFFB5AD2F1F06pushdwordptrss:[ebp+61F2FAD]<BR>005A1EB2FF95B1241F06calldwordptrss:[ebp+61F24B1]<BR>005A1EB85Apopedx<BR>005A1EB98B8D51111F06movecx,dwordptrss:[ebp+61F1151]<BR>005A1EBFC70100000000movdwordptrds:[ecx],0<BR>005A1EC583C104addecx,4<BR>005A1EC8898D51111F06movdwordptrss:[ebp+61F1151],ecx<BR>005A1ECEE962F6FFFFjmp005A1535<BR>//循环处理所有DLL的函数<BR>005A1ED3E94B060000jmp005A2523<BR>//此处下断,输入表处理完成后中断在这里<BR><BR><BR>————————————————————————<BR>在下面找一段空地写Patch代码,放005AF000处吧<BR><BR><BR>005A1DA58908movdwordptrds:[eax],ecx;SHELL32.ShellExecuteA<BR>//Patch③、jmp005AF000★<BR><BR>Patch代码:<BR>005AF000A300F45A00movdwordptrds:[5AF400],eax<BR>//保存EAX值于[5AF400]<BR>005AF0058908movdwordptrds:[eax],ecx<BR>//005A1DA5及其下3行代码挪这里执行<BR>005AF007ADlodsdwordptrds:[esi]<BR>005AF008C746FC00000000movdwordptrds:[esi-4],0<BR>005AF00FE99B2DFFFFjmp005A1DAF<BR>//返回去继续流程<BR><BR>————————————————————————<BR><BR>005A1E5CE924000000jmp005A1E85<BR>//Patch④、jmp005AF014★<BR><BR>Patch代码:<BR>005B901450pusheax<BR>005B9015A100945B00moveax,dwordptrds:[5B9400]<BR>005B901A8947FCmovdwordptrds:[edi-4],eax<BR>//放入正确的API保存地址<BR>005B901D807FFBE8cmpbyteptrds:[edi-5],0E8<BR>//E8?<BR>005B90217508jnzshort005B902B<BR>005B902366:C747FAFF15movwordptrds:[edi-6],15FF<BR>//则是calldwordptrds:[XXXXXXXX]<BR>005B9029EB06jmpshort005B9031<BR>005B902B66:C747FAFF25movwordptrds:[edi-6],25FF<BR>//否则是jmpdwordptrds:[XXXXXXXX]<BR>005B903158popeax<BR>005B9032E90026FFFFjmp005AB637<BR>//继续流程<BR><BR>————————————————————————<BR><BR>005A1E670F8518000000jnz005A1E85<BR>//Patch⑤、jmp005AF036★<BR><BR>Patch代码:<BR>005AF03650pusheax<BR>005AF037A100F45A00moveax,dwordptrds:[5AF400]<BR>005AF03C894701movdwordptrds:[edi+1],eax<BR>005AF03F807FFFE8cmpbyteptrds:[edi-1],0E8<BR>005AF0437508jnzshort005AF04D<BR>005AF04566:C747FFFF15movwordptrds:[edi-1],15FF<BR>005AF04BEB06jmpshort005AF053<BR>005AF04D66:C747FFFF25movwordptrds:[edi-1],25FF<BR>005AF05358popeax<BR>005AF0540F852B2EFFFFjnz005A1E85<BR>005AF05AE90E2EFFFFjmp005A1E6D<BR><BR>————————————————————————<BR><BR>005A1E90ABstosdwordptres:[edi]<BR>//Patch⑦、NOP★去掉加密填充<BR>005A1E91ADlodsdwordptrds:[esi]<BR>005A1E92C746FC00000000movdwordptrds:[esi-4],0<BR>005A1E99E911FFFFFFjmp005A1DAF<BR>//循环处理每个DLL的函数<BR>//Patch⑧、jmp005AF05F★<BR><BR>Patch代码:<BR>005AF05F83C704addedi,4<BR>005AF062E9482DFFFFjmp005A1DAF<BR>//继续流程<BR><BR>————————————————————————<BR>Patch代码汇总<BR><BR><BR>005AF000A300F45A00movdwordptrds:[5AF400],eax<BR>005AF0058908movdwordptrds:[eax],ecx<BR>005AF007ADlodsdwordptrds:[esi]<BR>005AF008C746FC00000000movdwordptrds:[esi-4],0<BR>005AF00FE99B2DFFFFjmp005A1DAF<BR>005AF01450pusheax<BR>005AF015A100F45A00moveax,dwordptrds:[5AF400]<BR>005AF01A8907movdwordptrds:[edi],eax<BR>005AF01C807FFFE8cmpbyteptrds:[edi-1],0E8<BR>005AF0207508jnzshort005AF02A<BR>005AF02266:C747FEFF15movwordptrds:[edi-2],15FF<BR>005AF028EB06jmpshort005AF030<BR>005AF02A66:C747FEFF25movwordptrds:[edi-2],25FF<BR>005AF03058popeax<BR>005AF031E94F2EFFFFjmp005A1E85<BR>005AF03650pusheax<BR>005AF037A100F45A00moveax,dwordptrds:[5AF400]<BR>005AF03C894701movdwordptrds:[edi+1],eax<BR>005AF03F807FFFE8cmpbyteptrds:[edi-1],0E8<BR>005AF0437508jnzshort005AF04D<BR>005AF04566:C747FFFF15movwordptrds:[edi-1],15FF<BR>005AF04BEB06jmpshort005AF053<BR>005AF04D66:C747FFFF25movwordptrds:[edi-1],25FF<BR>005AF05358popeax<BR>005AF0540F852B2EFFFFjnz005A1E85<BR>005AF05AE90E2EFFFFjmp005A1E6D<BR>005AF05F83C704addedi,4<BR>005AF062E9482DFFFFjmp005A1DAF<BR><BR>从OllyDBG中二进制代码复制如下:<BR>A300F45A008908ADC746FC00000000E99B2DFFFF50A100F45A008907807FFFE8<BR>750866C747FEFF15EB0666C747FEFF2558E94F2EFFFF50A100F45A0089470180<BR>7FFFE8750866C747FFFF15EB0666C747FFFF25580F852B2EFFFFE90E2EFFFF83<BR>C704E9482DFFFF<BR><BR><BR>—————————————————————————————————<BR>三、OEP<BR><BR><BR>005A1ED3E94B060000jmp005A2523<BR>//此处下断,输入表处理完成后中断在这里<BR><BR>对于Themida处理后的OEP查找的确有点麻烦,目前还没有发现更简便的方法。<BR>保持此OllyDBG,新开一个OllyDBG,载入ThemidaV1.1.1.0.Test.eXe<BR>直接Shift+F9让其运行起来,然后Ctrl+G:005A1ED3,来到输入表处理结束的地方<BR>Ctrl+B在整个段块搜索Hex值:9DC3E9<BR><BR>005A8C299Dpopfd<BR>//找到这里<BR>005A8C2AC3retn<BR>005A8C2BE908000000jmp005A8C38<BR><BR>现在可以关闭后开的OllyDBG了,在第一个OllyDBG里面下断:HE005A8C29<BR>单击Themida的启动Nag,OllyDBG中断在005A8C29处<BR><BR>005A8C299Dpopfd<BR>//中断在这里<BR>005A8C2AC3retn<BR>//返回005A08D3飞向“光明之巅”<BR><BR><BR>005A08D368ACE9750Cpush0C75E9AC<BR>//作为OEP吧下面Themida就开始OEP处理了<BR>005A08D8E92BFBFFFFjmp005A0408<BR>005A08DD6848F5D325push25D3F548<BR>005A08E2E921FBFFFFjmp005A0408<BR><BR>运行ImportREC,填入OEPRVA=001A08D3、IATRVA=000062E0、IATSize=0000023C,获取输入表。<BR>运行LordPE先dumpfull此进程,存为dump.eXe,修复输入表。<BR><BR>Themida的VirtualMachine是不容易还原的,补上这部分壳代码吧<BR>OllyDBG中Alt+M察看内存:<BR><BR>地址大小(十进制)物主区段包含<BR>0040000000001000(4096.)Themida_00400000PEheader<BR>0040100000006000(24576.)Themida_00400000code<BR>0040700000005000(20480.)Themida_00400000.rsrcdata,resources<BR>0040C00000001000(4096.)Themida_00400000.idataimports<BR>0040D000001A5000(1724416.)Themida_00400000ThemidaSFX<BR>005C000000009000(36864.)005C0000<BR>006C00000003D000(249856.)006C0000<BR>0070000000041000(266240.)00700000<BR>0075000000006000(24576.)00750000<BR>0076000000041000(266240.)00760000<BR>007B000000009000(36864.)007B0000<BR>0087000000002000(8192.)007B0000<BR>0088000000103000(1060864.)00880000<BR>0099000000006000(24576.)00990000<BR>009A00000016A000(1482752.)009A0000<BR>00CA000000003000(12288.)00CA0000<BR>00CB000000008000(32768.)00CB0000<BR>00CC000000001000(4096.)00CC0000<BR>00CD000000001000(4096.)00CD0000<BR>00CE000000004000(16384.)00CE0000<BR>00CF000000002000(8192.)00CF0000<BR>00D0000000001000(4096.)00D00000<BR>00D1000000001000(4096.)00D10000<BR>00D2000000001000(4096.)00D20000<BR>00D3000000010000(65536.)00D30000<BR>00D4000000010000(65536.)00D40000<BR>00D5000000010000(65536.)00D50000<BR>00D6000000010000(65536.)00D60000<BR>00D7000000010000(65536.)00D70000<BR>00D8000000010000(65536.)00D80000<BR>00D9000000010000(65536.)00D90000<BR>00DA000000010000(65536.)00DA0000<BR>00DB000000001000(4096.)00DB0000<BR><BR>用LordPEDumpRegion以下壳区段:<BR>00CF0000-00CF2000.dmp<BR>00D00000-00D01000.dmp<BR>00D10000-00D11000.dmp<BR>00D20000-00D21000.dmp<BR>00D30000-00DB1000.dmp<BR>用LordPE把这些区段load入dump.eXe,注意修正各区段的Voffset<BR>只保留“ValidatePE”选项来Rebuilderdump.eXe<BR><BR>F7继续走,看看为何应该补这些壳代码段<BR><BR>005A04086A00push0<BR>005A040A9Cpushfd<BR>005A040B60pushad<BR>005A040CE800000000call005A0411<BR>005A04115Dpopebp<BR>005A041281ED1D9E2C06subebp,62C9E1D<BR>005A0418B8F3A22C06moveax,62CA2F3<BR>005A041D03C5addeax,ebp<BR>005A041F50pusheax<BR>005A04208BB57D131F06movesi,dwordptrss:[ebp+61F137D]<BR>005A0426BB01000000movebx,1<BR>005A042B8D4628leaeax,dwordptrds:[esi+28]<BR>005A042EF0:8618lockxchgbyteptrds:[eax],bl<BR>005A04310ADBorbl,bl<BR>005A04337502jnzshort005A0437<BR>005A0435EB0Cjmpshort005A0443<BR>005A043760pushad<BR>005A04386A00push0<BR>005A043AFF95B9291F06calldwordptrss:[ebp+61F29B9]<BR>005A044061popad<BR>005A0441EBEBjmpshort005A042E<BR>005A044358popeax<BR>005A0444894668movdwordptrds:[esi+68],eax<BR>005A0447B802000000moveax,2<BR>005A044C89466Cmovdwordptrds:[esi+6C],eax<BR>005A044FC7442424D9401F06movdwordptrss:[esp+24],61F40D9<BR>005A0457016C2424adddwordptrss:[esp+24],ebp<BR>005A045B61popad<BR>005A045C9Dpopfd<BR>005A045DC3retn<BR>//返回到004CA6CD<BR><BR>004CA6CD9Cpushfd<BR>004CA6CE60pushad<BR>004CA6CFE800000000call004CA6D4<BR>004CA6D45Dpopebp<BR>004CA6D581EDE0401F06subebp,61F40E0<BR>004CA6DB8BB57D131F06movesi,dwordptrss:[ebp+61F137D]<BR>004CA6E18B0424moveax,dwordptrss:[esp]<BR>004CA6E489869C000000movdwordptrds:[esi+9C],eax<BR>004CA6EA8B442404moveax,dwordptrss:[esp+4]<BR>004CA6EE898694000000movdwordptrds:[esi+94],eax<BR>004CA6F48B442408moveax,dwordptrss:[esp+8]<BR>004CA6F88986A4000000movdwordptrds:[esi+A4],eax<BR>004CA6FE8B44240Cmoveax,dwordptrss:[esp+C]<BR>004CA70283C008addeax,8<BR>004CA7058986AC000000movdwordptrds:[esi+AC],eax<BR>004CA70B8B442410moveax,dwordptrss:[esp+10]<BR>004CA70F89467Cmovdwordptrds:[esi+7C],eax<BR>004CA7128B442414moveax,dwordptrss:[esp+14]<BR>004CA71689868C000000movdwordptrds:[esi+8C],eax<BR>004CA71C8B442418moveax,dwordptrss:[esp+18]<BR>004CA720898684000000movdwordptrds:[esi+84],eax<BR>004CA7268B44241Cmoveax,dwordptrss:[esp+1C]<BR>004CA72A894674movdwordptrds:[esi+74],eax<BR>004CA72D8B442420moveax,dwordptrss:[esp+20]<BR>004CA731894670movdwordptrds:[esi+70],eax<BR>004CA73466:8CC8movax,cs<BR>004CA73766:8986E4000000movwordptrds:[esi+E4],ax<BR>004CA73E66:8CD8movax,ds<BR>004CA74166:8986E6000000movwordptrds:[esi+E6],ax<BR>004CA74866:8CC0movax,es<BR>004CA74B66:8986E8000000movwordptrds:[esi+E8],ax<BR>004CA75266:8CD0movax,ss<BR>004CA75566:8986EA000000movwordptrds:[esi+EA],ax<BR>004CA75CC74638000000F0movdwordptrds:[esi+38],F0000000<BR>004CA7638BB57D131F06movesi,dwordptrss:[ebp+61F137D]<BR>004CA7698B7E68movedi,dwordptrds:[esi+68]<BR>004CA76C8B07moveax,dwordptrds:[edi]<BR>004CA76E03C5addeax,ebp<BR>004CA77089464Cmovdwordptrds:[esi+4C],eax<BR>004CA773034704addeax,dwordptrds:[edi+4]<BR>004CA776894650movdwordptrds:[esi+50],eax<BR>004CA7798B442424moveax,dwordptrss:[esp+24]<BR>004CA77D8B7668movesi,dwordptrds:[esi+68]<BR>004CA78083C608addesi,8<BR>004CA783E903000000jmp004CA78B<BR>004CA78883C60Caddesi,0C<BR>004CA78B3906cmpdwordptrds:[esi],eax<BR>004CA78D0F85F5FFFFFFjnz004CA788<BR>004CA7938B4604moveax,dwordptrds:[esi+4]<BR>004CA79603C5addeax,ebp<BR>004CA7988BBD7D131F06movedi,dwordptrss:[ebp+61F137D]<BR>004CA79E8907movdwordptrds:[edi],eax<BR>004CA7A08BA5D5401F06movesp,dwordptrss:[ebp+61F40D5]<BR>004CA7A681C4FC1F0000addesp,1FFC<BR>004CA7ACFF6758jmpdwordptrds:[edi+58]<BR>//走到这里★<BR>//[edi+58]=[00DB0058]=00DB07D0修补代码结束地址所在段★<BR>//ESP=00CF1FFC修补代码开始地址所在段★<BR><BR>注意:如果刚开始时没有修改SizeOfStackReserve值为00380000,则此程序这里的值低于基址,导致不好处理。<BR>修补区段后导致dumped_.eXe巨大,呵呵,此脱壳没啥意义,聊作游戏。<BR><BR>最后再申明:不要用本文的方法去OllyDBG调试有驱动的其他版本Themida,那样只会让你的电脑重启。</FONT><BR></P>
页:
[1]