文章作者:fly
下载页面:http://www.oreans.com
软件大小:6.10M
加入时间:15-Nov-2005
软件简介:Advanced Windows software protection system, developed for software developers who wish to protect their applications against advanced reverse engineering and software cracking.
【作者声明】:只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教
【调试环境】:WinXP、OllyDBG、PEiD、LordPE、ImportREC
—————————————————————————————————
【脱壳过程】:
首先需要说明的是ThemidaV1.1.1.0没有使用驱动,可能只是暂时放弃吧。虽然2005.12.02升级成ThemidaV1.1.1.5,但是主页还只提供V1.1.1.0Demo下载。不要用本文的方法去OllyDBG调试有驱动的其他版本Themida,那样只会让你的电脑重启。(带驱动的壳在内核态运行,出错影响的是整台机器而不只是被调试进程;无论调试哪个版本,都建议在能回滚快照的虚拟机里进行。)
没有使用驱动的Themida几乎对OllyDBG没有反调试,直接用原版的OllyDBG即可运行起来。但是Themida的VirtualMachine非常强悍,要还原代码是困难的。感谢heXer和shoooo的帮忙。
下面以ThemidaV1.1.1.0Demo来加壳Win98记事本演示,无SDK、CodeReplace,强度相对来说降低很多。

—————————————————————————————————
一、EP
调试前需要修改一个地方,用WinHex打开ThemidaV1.1.1.0.Test.exe,修改PE签名偏移+60h处(可选头中)的SizeOfStackReserve值为00380000,或者直接用PETools修改,这是为了方便后面补区段(原因见第三部分末尾的说明)。
设置OllyDBG忽略所有异常选项。用IsDebug插件去掉OllyDBG的调试器标志。
0040D014B800000000moveax,0
//进入OllyDBG后暂停在这
0040D01960pushad
0040D01A0BC0oreax,eax
0040D01C7458jeshort0040D076
0040D01EE800000000call0040D023
0040D02358popeax
0040D0240543000000addeax,43
0040D0298038E9cmpbyteptrds:[eax],0E9
0040D02C7503jnzshort0040D031
0040D02E61popad
0040D02FEB35jmpshort0040D066
—————————————————————————————————
二、输入表处理
Alt+M打开内存察看窗口,在代码段设置内存写入断点。Shift+F9
0059E22DF3:A4repmovsbyteptres:[edi],byteptrds:[esi]
//中断,壳解压各段
0059E22FC68521201F0656movbyteptrss:[ebp+61F2021],56
0059E23668396D1FD4pushD41F6D39
0059E23BFFB5D9201F06pushdwordptrss:[ebp+61F20D9]
0059E2418D8538942606leaeax,dwordptrss:[ebp+6269438]
0059E247FFD0calleax
在0059E22D处我们要F7一次再F8,否则会长时间无反应(大致是因为这里是rep movs,而代码段上挂着内存写入断点,每写一字节就会中断一次;F7执行一次迭代后用F8可把整条rep指令一次跳过)。
至0059E22F时再Shift+F9,会中断在壳处理输入表的005A1DA5处
下面这段代码很长,其实Themida的输入表处理还是比较简单的。从反汇编看大致流程是:对每个DLL,先用形如 VirtualAlloc(0,size,MEM_COMMIT,PAGE_READWRITE) 的调用(005A158E-005A1598)分配一张表,用CRC-32式查表算法(005A15CB-005A15E6:初值-1、逐字节查 [ebp+61F01D9] 处的表、最后取反)为该DLL的导出名算出散列填入表中;随后逐项读取壳的加密导入表,解出散列或序号(005A16F7-005A1714),在表中查到对应项取得函数地址(005A175F-005A17DA),写入IAT(005A1DA5),再把原程序中对该函数的引用改写成壳自己的形式(E8/E9 加相对偏移,外加一字节填充,005A1E0A-005A1E90);处理完一个DLL后释放该表(005A1EA5-005A1EB2)。
005A15358B9D51111F06movebx,dwordptrss:[ebp+61F1151]
005A153B8B0Bmovecx,dwordptrds:[ebx]
005A153D83F900cmpecx,0
005A15400F848D090000je005A1ED3
//输入表处理完成后此处跳转
005A154650pusheax
005A154751pushecx
005A154860pushad
005A154933C0xoreax,eax
005A154B8985C5181F06movdwordptrss:[ebp+61F18C5],eax
005A1551BE3C000000movesi,3C
005A155603742420addesi,dwordptrss:[esp+20]
005A155A66:ADlodswordptrds:[esi]
005A155C03442420addeax,dwordptrss:[esp+20]
005A15608B7078movesi,dwordptrds:[eax+78]
005A156303742420addesi,dwordptrss:[esp+20]
005A15678B7E18movedi,dwordptrds:[esi+18]
005A156A89BDF9141F06movdwordptrss:[ebp+61F14F9],edi
005A157085FFtestedi,edi
005A15720F850A000000jnz005A1582
005A1578E8630F0000call005A24E0
005A157DE991000000jmp005A1613
005A158251pushecx
005A15838BD7movedx,edi
005A15856BD204imuledx,edx,4
005A15888995750D1F06movdwordptrss:[ebp+61F0D75],edx
005A158E6A04push4
005A15906800100000push1000
005A159552pushedx
005A15966A00push0
005A1598FF95AD251F06calldwordptrss:[ebp+61F25AD]
005A159E8985AD2F1F06movdwordptrss:[ebp+61F2FAD],eax
005A15A48BD0movedx,eax
005A15A659popecx
005A15A7E8340F0000call005A24E0
005A15AC56pushesi
005A15ADADlodsdwordptrds:[esi]
005A15AE03442424addeax,dwordptrss:[esp+24]
005A15B297xchgeax,edi
005A15B38BDFmovebx,edi
005A15B557pushedi
005A15B632C0xoral,al
005A15B8AEscasbyteptres:[edi]
005A15B90F85F9FFFFFFjnz005A15B8
005A15BF5Epopesi
005A15C02BFBsubedi,ebx
005A15C252pushedx
005A15C38BD7movedx,edi
005A15C58BBDD9011F06movedi,dwordptrss:[ebp+61F01D9]
005A15CB83C9FForecx,FFFFFFFF
005A15CE33C0xoreax,eax
005A15D08A06moval,byteptrds:[esi]
005A15D232C1xoral,cl
005A15D446incesi
005A15D58B0487moveax,dwordptrds:[edi+eax*4]
005A15D8C1E908shrecx,8
005A15DB33C8xorecx,eax
005A15DD4Adecedx
005A15DE0F85EAFFFFFFjnz005A15CE
005A15E48BC1moveax,ecx
005A15E6F7D0noteax
005A15E85Apopedx
005A15E98902movdwordptrds:[edx],eax
005A15EB83C204addedx,4
005A15EE52pushedx
005A15EFFF85C5181F06incdwordptrss:[ebp+61F18C5]
005A15F58B95C5181F06movedx,dwordptrss:[ebp+61F18C5]
005A15FB3995F9141F06cmpdwordptrss:[ebp+61F14F9],edx
005A16010F840A000000je005A1611
005A16075Apopedx
005A16085Epopesi
005A160983C604addesi,4
005A160CE99BFFFFFFjmp005A15AC
005A16115Apopedx
005A16125Epopesi
005A161361popad
005A161459popecx
005A161558popeax
005A1616C785D9181F060000>movdwordptrss:[ebp+61F18D9],0
005A1620C785B9061F060000>movdwordptrss:[ebp+61F06B9],0
005A162A83BD70A72C0600cmpdwordptrss:[ebp+62CA770],0
005A16310F8408000000je005A163F
005A16378D9D913D2B06leaebx,dwordptrss:[ebp+62B3D91]
005A163DFFD3callebx
005A163FFF8589201F06incdwordptrss:[ebp+61F2089]
005A164583BD89201F0664cmpdwordptrss:[ebp+61F2089],64
005A164C0F8262000000jb005A16B4
005A1652C78589201F060100>movdwordptrss:[ebp+61F2089],1
005A165C60pushad
005A165D8DB504A82C06leaesi,dwordptrss:[ebp+62CA804]
005A16638DBDC6C02C06leaedi,dwordptrss:[ebp+62CC0C6]
005A16692BFEsubedi,esi
005A166B8BD7movedx,edi
005A166D8BBDD9011F06movedi,dwordptrss:[ebp+61F01D9]
005A167383C9FForecx,FFFFFFFF
005A167633C0xoreax,eax
005A16788A06moval,byteptrds:[esi]
005A167A32C1xoral,cl
005A167C46incesi
005A167D8B0487moveax,dwordptrds:[edi+eax*4]
005A1680C1E908shrecx,8
005A168333C8xorecx,eax
005A16854Adecedx
005A16860F85EAFFFFFFjnz005A1676
005A168C8BC1moveax,ecx
005A168EF7D0noteax
005A169039851D1D1F06cmpdwordptrss:[ebp+61F1D1D],eax
005A16960F8417000000je005A16B3
005A169C83BD9D1D1F0600cmpdwordptrss:[ebp+61F1D9D],0
005A16A30F850A000000jnz005A16B3
//自校验:每处理约0x64项(005A163F-005A1652的计数器)就用与上面相同的CRC-32式查表算法对壳代码 [ebp+62CA804,ebp+62CC0C6) 重新计算校验值(005A165D-005A168E),与 [ebp+61F1D1D] 处保存的值比较(005A1690);不一致且 [ebp+61F1D9D]==0 时并不报错,而是把 [ebp+61F0C99] 置1(005A16A9)。该单元平时保存上一项的原始值(005A1709),并在解密下一项时被异或进去(005A16F9),所以壳代码被改动后的表现是后续导入项被静默解错,而不是明显的退出。Patch① 直接跳到005A16B3绕过它。
//Patch①、jmp005A16B3★
005A16A9C785990C1F060100>movdwordptrss:[ebp+61F0C99],1
005A16B361popad
005A16B4B9BDEB8C32movecx,328CEBBD
005A16B9BAA0F0804Dmovedx,4D80F0A0
005A16BEADlodsdwordptrds:[esi]
005A16BF89B565031F06movdwordptrss:[ebp+61F0365],esi
005A16C5C746FC00000000movdwordptrds:[esi-4],0
005A16CC3DEEEEEEEEcmpeax,EEEEEEEE
005A16D10F8520000000jnz005A16F7
005A16D7813EDDDDDDDDcmpdwordptrds:[esi],DDDDDDDD
005A16DD0F8514000000jnz005A16F7
005A16E3C70600000000movdwordptrds:[esi],0
005A16E983C604addesi,4
005A16EC89B565031F06movdwordptrss:[ebp+61F0365],esi
005A16F2E9A7070000jmp005A1E9E
005A16F78BD8movebx,eax
005A16F93385990C1F06xoreax,dwordptrss:[ebp+61F0C99]
005A16FFC1C803roreax,3
005A17022BC2subeax,edx
005A1704C1C010roleax,10
005A170733C1xoreax,ecx
005A1709899D990C1F06movdwordptrss:[ebp+61F0C99],ebx
005A170F3D00000100cmpeax,10000
005A17140F8345000000jnb005A175F
005A171A813EBBBBBBBBcmpdwordptrds:[esi],BBBBBBBB
005A17200F8539000000jnz005A175F
005A1726C70600000000movdwordptrds:[esi],0
005A172C83C604addesi,4
005A172F89B565031F06movdwordptrss:[ebp+61F0365],esi
005A17358B9D51111F06movebx,dwordptrss:[ebp+61F1151]
005A173B8B0Bmovecx,dwordptrds:[ebx]
005A173D8BD0movedx,eax
005A173F60pushad
005A17408BC2moveax,edx
005A17422B8589281F06subeax,dwordptrss:[ebp+61F2889]
005A1748C1E002shleax,2
005A174B038591051F06addeax,dwordptrss:[ebp+61F0591]
005A175196xchgeax,esi
005A1752ADlodsdwordptrds:[esi]
005A175303C1addeax,ecx
005A17558944241Cmovdwordptrss:[esp+1C],eax
005A175961popad
005A175AE97C000000jmp005A17DB
005A175F51pushecx
005A176052pushedx
005A176133C9xorecx,ecx
005A17638B95AD2F1F06movedx,dwordptrss:[ebp+61F2FAD]
005A17693B02cmpeax,dwordptrds:[edx]
005A176B0F8438000000je005A17A9
005A177183C204addedx,4
005A177441incecx
005A17753B8DF9141F06cmpecx,dwordptrss:[ebp+61F14F9]
005A177B0F85E8FFFFFFjnz005A1769
005A17818DB52DA72C06leaesi,dwordptrss:[ebp+62CA72D]
005A17878DBDA51A1F06leaedi,dwordptrss:[ebp+61F1AA5]
005A178DAClodsbyteptrds:[esi]
005A178E84C0testal,al
005A17900F8406000000je005A179C
005A1796AAstosbyteptres:[edi]
005A1797E9F1FFFFFFjmp005A178D
005A179CB807000000moveax,7
005A17A18D8D174C1F06leaecx,dwordptrss:[ebp+61F4C17]
005A17A7FFE1jmpecx
005A17A9898DC5181F06movdwordptrss:[ebp+61F18C5],ecx
005A17AF5Apopedx
005A17B059popecx
005A17B156pushesi
005A17B28B9D51111F06movebx,dwordptrss:[ebp+61F1151]
005A17B88B0Bmovecx,dwordptrds:[ebx]
005A17BA8B85C5181F06moveax,dwordptrss:[ebp+61F18C5]
005A17C0D1E0shleax,1
005A17C20385011E1F06addeax,dwordptrss:[ebp+61F1E01]
005A17C833F6xoresi,esi
005A17CA96xchgeax,esi
005A17CB66:ADlodswordptrds:[esi]
005A17CDC1E002shleax,2
005A17D0038591051F06addeax,dwordptrss:[ebp+61F0591]
005A17D696xchgeax,esi
005A17D7ADlodsdwordptrds:[esi]
005A17D803C1addeax,ecx
005A17DA5Epopesi
005A17DB83BDDD151F0601cmpdwordptrss:[ebp+61F15DD],1
005A17E20F8439000000je005A1821
//下面判断当前DLL是否是几个特殊DLL(作者标注为Kernel32/USER32/ADVAPI32),是则走005A1821起的分支,对其中某些特殊函数做重定向/加密。当然不希望其加密啦:Patch② 让所有DLL都走005A180C的普通路径——call [ebp+62CB8E4] 直接取得函数地址并保存于 [ebp+61F09ED],然后跳到005A1D83。
//Patch②、jmp005A180C★
005A17E83B8DF1151F06cmpecx,dwordptrss:[ebp+61F15F1]
//Kernel32.DLL?
005A17EE0F842D000000je005A1821
005A17F43B8DB5011F06cmpecx,dwordptrss:[ebp+61F01B5]
//USER32.DLL?
005A17FA0F8421000000je005A1821
005A18003B8D410F1F06cmpecx,dwordptrss:[ebp+61F0F41]
//ADVAPI32.DLL?
005A18060F8415000000je005A1821
005A180C8D9DE4B82C06leaebx,dwordptrss:[ebp+62CB8E4]
005A1812FFD3callebx
005A18148BF8movedi,eax
005A18168985ED091F06movdwordptrss:[ebp+61F09ED],eax
005A181CE962050000jmp005A1D83
//跳开下面的比较和加密
005A18218D9DE4B82C06leaebx,dwordptrss:[ebp+62CB8E4]
005A1827FFD3callebx
005A182983BDDD151F0600cmpdwordptrss:[ebp+61F15DD],0
005A18300F841D000000je005A1853
005A18363B85C9201F06cmpeax,dwordptrss:[ebp+61F20C9]
005A183C0F840C000000je005A184E
005A18423B85ED0D1F06cmpeax,dwordptrss:[ebp+61F0DED]
005A18480F8505000000jnz005A1853
005A184EE9B9FFFFFFjmp005A180C
005A18533B8555121F06cmpeax,dwordptrss:[ebp+61F1255]
005A18590F8518000000jnz005A1877
005A185F83BD45141F0600cmpdwordptrss:[ebp+61F1445],0
005A18660F850B000000jnz005A1877
005A186C8D85A89A2C06leaeax,dwordptrss:[ebp+62C9AA8]
005A1872E995FFFFFFjmp005A180C
005A18773B8555121F06cmpeax,dwordptrss:[ebp+61F1255]
005A187D0F8489FFFFFFje005A180C
005A188383BD29A72C0601cmpdwordptrss:[ebp+62CA729],1
005A188A0F8517000000jnz005A18A7
005A18903B8588A72C06cmpeax,dwordptrss:[ebp+62CA788]
005A18960F850B000000jnz005A18A7
005A189C8D8564E35700leaeax,dwordptrss:[ebp+57E364]
005A18A2E96DFFFFFFjmp005A1814
005A18A733FFxoredi,edi
005A18A983BD39301F0600cmpdwordptrss:[ebp+61F3039],0
005A18B00F840D020000je005A1AC3
005A18B63B8574A72C06cmpeax,dwordptrss:[ebp+62CA774]
005A18BC7507jnzshort005A18C5
005A18BE8B8509221F06moveax,dwordptrss:[ebp+61F2209]
005A18C447incedi
005A18C53B857CA72C06cmpeax,dwordptrss:[ebp+62CA77C]
005A18CB7507jnzshort005A18D4
005A18CD8B85151A1F06moveax,dwordptrss:[ebp+61F1A15]
005A18D347incedi
005A18D43B8578A72C06cmpeax,dwordptrss:[ebp+62CA778]
005A18DA7507jnzshort005A18E3
005A18DC8B8595131F06moveax,dwordptrss:[ebp+61F1395]
005A18E247incedi
005A18E33B8580A72C06cmpeax,dwordptrss:[ebp+62CA780]
005A18E97507jnzshort005A18F2
005A18EB8B85C12B1F06moveax,dwordptrss:[ebp+61F2BC1]
005A18F147incedi
005A18F23B8584A72C06cmpeax,dwordptrss:[ebp+62CA784]
005A18F87507jnzshort005A1901
005A18FA8B85DD271F06moveax,dwordptrss:[ebp+61F27DD]
005A190047incedi
005A19013B8588A72C06cmpeax,dwordptrss:[ebp+62CA788]
005A19077507jnzshort005A1910
005A19098B85512A1F06moveax,dwordptrss:[ebp+61F2A51]
005A190F47incedi
005A19103B858CA72C06cmpeax,dwordptrss:[ebp+62CA78C]
005A19167507jnzshort005A191F
005A19188B85110A1F06moveax,dwordptrss:[ebp+61F0A11]
005A191E47incedi
005A191F3B8590A72C06cmpeax,dwordptrss:[ebp+62CA790]
005A19257507jnzshort005A192E
005A19278B858D141F06moveax,dwordptrss:[ebp+61F148D]
005A192D47incedi
005A192E3B8594A72C06cmpeax,dwordptrss:[ebp+62CA794]
005A19347507jnzshort005A193D
005A19368B8561221F06moveax,dwordptrss:[ebp+61F2261]
005A193C47incedi
005A193D3B8598A72C06cmpeax,dwordptrss:[ebp+62CA798]
005A19437507jnzshort005A194C
005A19458B8525131F06moveax,dwordptrss:[ebp+61F1325]
005A194B47incedi
005A194C3B85A0A72C06cmpeax,dwordptrss:[ebp+62CA7A0]
005A19527507jnzshort005A195B
005A19548B85550F1F06moveax,dwordptrss:[ebp+61F0F55]
005A195A47incedi
005A195B3B859CA72C06cmpeax,dwordptrss:[ebp+62CA79C]
005A19617507jnzshort005A196A
005A19638B855D2F1F06moveax,dwordptrss:[ebp+61F2F5D]
005A196947incedi
005A196A3B85A4A72C06cmpeax,dwordptrss:[ebp+62CA7A4]
005A19707507jnzshort005A1979
005A19728B857D2A1F06moveax,dwordptrss:[ebp+61F2A7D]
005A197847incedi
005A19793B85A8A72C06cmpeax,dwordptrss:[ebp+62CA7A8]
005A197F7507jnzshort005A1988
005A19818B850D281F06moveax,dwordptrss:[ebp+61F280D]
005A198747incedi
005A19883B85ACA72C06cmpeax,dwordptrss:[ebp+62CA7AC]
005A198E7507jnzshort005A1997
005A19908B85A1111F06moveax,dwordptrss:[ebp+61F11A1]
005A199647incedi
005A19973B85B0A72C06cmpeax,dwordptrss:[ebp+62CA7B0]
005A199D7507jnzshort005A19A6
005A199F8B85ED251F06moveax,dwordptrss:[ebp+61F25ED]
005A19A547incedi
005A19A63B85B4A72C06cmpeax,dwordptrss:[ebp+62CA7B4]
005A19AC7507jnzshort005A19B5
005A19AE8B8595001F06moveax,dwordptrss:[ebp+61F0095]
005A19B447incedi
005A19B53B85B8A72C06cmpeax,dwordptrss:[ebp+62CA7B8]
005A19BB7507jnzshort005A19C4
005A19BD8B859D251F06moveax,dwordptrss:[ebp+61F259D]
005A19C347incedi
005A19C43B85BCA72C06cmpeax,dwordptrss:[ebp+62CA7BC]
005A19CA7507jnzshort005A19D3
005A19CC8B85511D1F06moveax,dwordptrss:[ebp+61F1D51]
005A19D247incedi
005A19D33B85C0A72C06cmpeax,dwordptrss:[ebp+62CA7C0]
005A19D97507jnzshort005A19E2
005A19DB8B8555271F06moveax,dwordptrss:[ebp+61F2755]
005A19E147incedi
005A19E23B85C4A72C06cmpeax,dwordptrss:[ebp+62CA7C4]
005A19E87507jnzshort005A19F1
005A19EA8B85C1131F06moveax,dwordptrss:[ebp+61F13C1]
005A19F047incedi
005A19F13B85CCA72C06cmpeax,dwordptrss:[ebp+62CA7CC]
005A19F77507jnzshort005A1A00
005A19F98B8515011F06moveax,dwordptrss:[ebp+61F0115]
005A19FF47incedi
005A1A003B85C8A72C06cmpeax,dwordptrss:[ebp+62CA7C8]
005A1A067507jnzshort005A1A0F
005A1A088B859D271F06moveax,dwordptrss:[ebp+61F279D]
005A1A0E47incedi
005A1A0F3B85D0A72C06cmpeax,dwordptrss:[ebp+62CA7D0]
005A1A157507jnzshort005A1A1E
005A1A178B8531111F06moveax,dwordptrss:[ebp+61F1131]
005A1A1D47incedi
005A1A1E3B85D4A72C06cmpeax,dwordptrss:[ebp+62CA7D4]
005A1A247507jnzshort005A1A2D
005A1A268B85390D1F06moveax,dwordptrss:[ebp+61F0D39]
005A1A2C47incedi
005A1A2D3B85D8A72C06cmpeax,dwordptrss:[ebp+62CA7D8]
005A1A337507jnzshort005A1A3C
005A1A358B8565281F06moveax,dwordptrss:[ebp+61F2865]
005A1A3B47incedi
005A1A3C3B85DCA72C06cmpeax,dwordptrss:[ebp+62CA7DC]
005A1A427507jnzshort005A1A4B
005A1A448B85A9101F06moveax,dwordptrss:[ebp+61F10A9]
005A1A4A47incedi
005A1A4B3B85E0A72C06cmpeax,dwordptrss:[ebp+62CA7E0]
005A1A517507jnzshort005A1A5A
005A1A538B855D121F06moveax,dwordptrss:[ebp+61F125D]
005A1A5947incedi
005A1A5A3B85E4A72C06cmpeax,dwordptrss:[ebp+62CA7E4]
005A1A607507jnzshort005A1A69
005A1A628B8535101F06moveax,dwordptrss:[ebp+61F1035]
005A1A6847incedi
005A1A693B85E8A72C06cmpeax,dwordptrss:[ebp+62CA7E8]
005A1A6F7507jnzshort005A1A78
005A1A718B85D1211F06moveax,dwordptrss:[ebp+61F21D1]
005A1A7747incedi
005A1A783B85ECA72C06cmpeax,dwordptrss:[ebp+62CA7EC]
005A1A7E7507jnzshort005A1A87
005A1A808B858D2A1F06moveax,dwordptrss:[ebp+61F2A8D]
005A1A8647incedi
005A1A873B85DD161F06cmpeax,dwordptrss:[ebp+61F16DD]
005A1A8D7507jnzshort005A1A96
005A1A8F8B85D11E1F06moveax,dwordptrss:[ebp+61F1ED1]
005A1A9547incedi
005A1A963B85F0A72C06cmpeax,dwordptrss:[ebp+62CA7F0]
005A1A9C7507jnzshort005A1AA5
005A1A9E8B858D061F06moveax,dwordptrss:[ebp+61F068D]
005A1AA447incedi
005A1AA53B85F4A72C06cmpeax,dwordptrss:[ebp+62CA7F4]
005A1AAB7507jnzshort005A1AB4
005A1AAD8B85C91D1F06moveax,dwordptrss:[ebp+61F1DC9]
005A1AB347incedi
005A1AB43B85F8A72C06cmpeax,dwordptrss:[ebp+62CA7F8]
005A1ABA7507jnzshort005A1AC3
005A1ABC8B85AD2A1F06moveax,dwordptrss:[ebp+61F2AAD]
005A1AC247incedi
005A1AC30BFForedi,edi
005A1AC50F8405000000je005A1AD0
005A1ACBE944FDFFFFjmp005A1814
005A1AD03B8529231F06cmpeax,dwordptrss:[ebp+61F2329]
005A1AD60F850B000000jnz005A1AE7
005A1ADC8D85A46E2B06leaeax,dwordptrss:[ebp+62B6EA4]
005A1AE2E92DFDFFFFjmp005A1814
005A1AE73B85912F1F06cmpeax,dwordptrss:[ebp+61F2F91]
005A1AED0F8518000000jnz005A1B0B
005A1AF383BD29A72C0601cmpdwordptrss:[ebp+62CA729],1
005A1AFA0F850B000000jnz005A1B0B
005A1B008D85E7E25700leaeax,dwordptrss:[ebp+57E2E7]
005A1B06E909FDFFFFjmp005A1814
005A1B0B3B8564A72C06cmpeax,dwordptrss:[ebp+62CA764]
005A1B110F840C000000je005A1B23
005A1B173B8568A72C06cmpeax,dwordptrss:[ebp+62CA768]
005A1B1D0F8505000000jnz005A1B28
005A1B23E9ECFCFFFFjmp005A1814
005A1B28BE00000000movesi,0
005A1B2D83FE01cmpesi,1
005A1B300F8545000000jnz005A1B7B
005A1B363B8558A72C06cmpeax,dwordptrss:[ebp+62CA758]
005A1B3C0F850B000000jnz005A1B4D
005A1B428D857F755700leaeax,dwordptrss:[ebp+57757F]
005A1B48E9C7FCFFFFjmp005A1814
005A1B4D3B855CA72C06cmpeax,dwordptrss:[ebp+62CA75C]
005A1B530F850B000000jnz005A1B64
005A1B598D85F5755700leaeax,dwordptrss:[ebp+5775F5]
005A1B5FE9B0FCFFFFjmp005A1814
005A1B643B8560A72C06cmpeax,dwordptrss:[ebp+62CA760]
005A1B6A0F850B000000jnz005A1B7B
005A1B708D853A765700leaeax,dwordptrss:[ebp+57763A]
005A1B76E999FCFFFFjmp005A1814
005A1B7B8BC0moveax,eax
005A1B7DBE01000000movesi,1
005A1B820BF6oresi,esi
005A1B840F8505000000jnz005A1B8F
005A1B8AE97DFCFFFFjmp005A180C
005A1B8F8BF0movesi,eax
005A1B9189B571231F06movdwordptrss:[ebp+61F2371],esi
005A1B9789B5210C1F06movdwordptrss:[ebp+61F0C21],esi
005A1B9D803EE9cmpbyteptrds:[esi],0E9
005A1BA00F8526000000jnz005A1BCC
005A1BA68B7E01movedi,dwordptrds:[esi+1]
005A1BA903FEaddedi,esi
005A1BAB8BDEmovebx,esi
005A1BAD81C300400000addebx,4000
005A1BB33BBD71231F06cmpedi,dwordptrss:[ebp+61F2371]
005A1BB90F8208000000jb005A1BC7
005A1BBF3BFBcmpedi,ebx
005A1BC10F8605000000jbe005A1BCC
005A1BC7E940FCFFFFjmp005A180C
005A1BCC8BBD190E1F06movedi,dwordptrss:[ebp+61F0E19]
005A1BD2C78549101F060000>movdwordptrss:[ebp+61F1049],0
005A1BDC60pushad
005A1BDD89B5210C1F06movdwordptrss:[ebp+61F0C21],esi
005A1BE38D9D6CBE2C06leaebx,dwordptrss:[ebp+62CBE6C]
005A1BE9FFD3callebx
005A1BEB0F8222000000jb005A1C13
005A1BF18D9D604D2A06leaebx,dwordptrss:[ebp+62A4D60]
005A1BF7FFD3callebx
005A1BF90F83DEFFFFFFjnb005A1BDD
005A1BFF8BB5210C1F06movesi,dwordptrss:[ebp+61F0C21]
005A1C0589B549101F06movdwordptrss:[ebp+61F1049],esi
005A1C0B8D9DE23D2B06leaebx,dwordptrss:[ebp+62B3DE2]
005A1C11FFD3callebx
005A1C138B8571231F06moveax,dwordptrss:[ebp+61F2371]
005A1C198985210C1F06movdwordptrss:[ebp+61F0C21],eax
005A1C1F61popad
005A1C208D9D99BA2C06leaebx,dwordptrss:[ebp+62CBA99]
005A1C26FFD3callebx
005A1C288D9D1CBB2C06leaebx,dwordptrss:[ebp+62CBB1C]
005A1C2EFFD3callebx
005A1C308D9DBDBD2C06leaebx,dwordptrss:[ebp+62CBDBD]
005A1C36FFD3callebx
005A1C380F830C000000jnb005A1C4A
005A1C3E8385210C1F0605adddwordptrss:[ebp+61F0C21],5
005A1C45E9D6FFFFFFjmp005A1C20
005A1C4A8D9DE6BD2C06leaebx,dwordptrss:[ebp+62CBDE6]
005A1C50FFD3callebx
005A1C520F8308000000jnb005A1C60
005A1C5883C204addedx,4
005A1C5BE932000000jmp005A1C92
005A1C608D9D604D2A06leaebx,dwordptrss:[ebp+62A4D60]
005A1C66FFD3callebx
005A1C680F830B000000jnb005A1C79
005A1C6E8BB5210C1F06movesi,dwordptrss:[ebp+61F0C21]
005A1C74E927070000jmp005A23A0
005A1C798B8D210C1F06movecx,dwordptrss:[ebp+61F0C21]
005A1C7F89B5210C1F06movdwordptrss:[ebp+61F0C21],esi
005A1C852BCEsubecx,esi
005A1C87F7D9negecx
005A1C892BF1subesi,ecx
005A1C8BF3:A4repmovsbyteptres:[edi],byteptrds:[esi]
005A1C8DE98EFFFFFFjmp005A1C20
005A1C928D9D913D2B06leaebx,dwordptrss:[ebp+62B3D91]
005A1C98FFD3callebx
005A1C9A8BC7moveax,edi
005A1C9C2B85190E1F06subeax,dwordptrss:[ebp+61F0E19]
005A1CA2898559241F06movdwordptrss:[ebp+61F2459],eax
005A1CA88B85190E1F06moveax,dwordptrss:[ebp+61F0E19]
005A1CAE57pushedi
005A1CAF50pusheax
005A1CB08D8D9C3E2B06leaecx,dwordptrss:[ebp+62B3E9C]
005A1CB6FFD1callecx
005A1CB88B85E1201F06moveax,dwordptrss:[ebp+61F20E1]
005A1CBE50pusheax
005A1CBF57pushedi
005A1CC08B85190E1F06moveax,dwordptrss:[ebp+61F0E19]
005A1CC650pusheax
005A1CC78D8DC3402B06leaecx,dwordptrss:[ebp+62B40C3]
005A1CCDFFD1callecx
005A1CCF8BD0movedx,eax
005A1CD18BC8movecx,eax
005A1CD32B8DE1201F06subecx,dwordptrss:[ebp+61F20E1]
005A1CD983BD5D0A1F0600cmpdwordptrss:[ebp+61F0A5D],0
005A1CE00F842B000000je005A1D11
005A1CE68B8501041F06moveax,dwordptrss:[ebp+61F0401]
005A1CEC2B855D0A1F06subeax,dwordptrss:[ebp+61F0A5D]
005A1CF23BC1cmpeax,ecx
005A1CF40F8617000000jbe005A1D11
005A1CFA8B85B50E1F06moveax,dwordptrss:[ebp+61F0EB5]
005A1D0003855D0A1F06addeax,dwordptrss:[ebp+61F0A5D]
005A1D068985ED091F06movdwordptrss:[ebp+61F09ED],eax
005A1D0CE943000000jmp005A1D54
005A1D1151pushecx
005A1D128BC1moveax,ecx
005A1D1448deceax
005A1D150DFF0F0000oreax,0FFF
005A1D1A40inceax
005A1D1B898501041F06movdwordptrss:[ebp+61F0401],eax
005A1D210185DD091F06adddwordptrss:[ebp+61F09DD],eax
005A1D27C7855D0A1F060000>movdwordptrss:[ebp+61F0A5D],0
005A1D316A40push40
005A1D336800100000push1000
005A1D3851pushecx
005A1D396A00push0
005A1D3BFF95AD251F06calldwordptrss:[ebp+61F25AD]
005A1D41FF9569201F06calldwordptrss:[ebp+61F2069]
005A1D478985B50E1F06movdwordptrss:[ebp+61F0EB5],eax
005A1D4D8985ED091F06movdwordptrss:[ebp+61F09ED],eax
005A1D5359popecx
005A1D54FFB5ED091F06pushdwordptrss:[ebp+61F09ED]
005A1D5AFFB5E1201F06pushdwordptrss:[ebp+61F20E1]
005A1D6057pushedi
005A1D61FFB5190E1F06pushdwordptrss:[ebp+61F0E19]
005A1D678D8557432B06leaeax,dwordptrss:[ebp+62B4357]
005A1D6DFFD0calleax
005A1D6F018D5D0A1F06adddwordptrss:[ebp+61F0A5D],ecx
005A1D758BBDED091F06movedi,dwordptrss:[ebp+61F09ED]
005A1D7B8BB5E1201F06movesi,dwordptrss:[ebp+61F20E1]
005A1D81F3:A4repmovsbyteptres:[edi],byteptrds:[esi]
005A1D838BB565031F06movesi,dwordptrss:[ebp+61F0365]
005A1D89ADlodsdwordptrds:[esi]
005A1D8AC746FC00000000movdwordptrds:[esi-4],0
005A1D91C1C005roleax,5
005A1D9405BDEB8C32addeax,328CEBBD
005A1D990385D9211F06addeax,dwordptrss:[ebp+61F21D9]
005A1D9F8B8DED091F06movecx,dwordptrss:[ebp+61F09ED]
005A1DA58908movdwordptrds:[eax],ecx;SHELL32.ShellExecuteA
//上面Shift+F9后中断在这里
//Patch③、jmp005AF000★
005A1DA7ADlodsdwordptrds:[esi]
005A1DA8C746FC00000000movdwordptrds:[esi-4],0
005A1DAF89B565031F06movdwordptrss:[ebp+61F0365],esi
005A1DB583F8FFcmpeax,-1
005A1DB80F8520000000jnz005A1DDE
005A1DBE813EDDDDDDDDcmpdwordptrds:[esi],DDDDDDDD
005A1DC40F8514000000jnz005A1DDE
005A1DCAC70600000000movdwordptrds:[esi],0
005A1DD083C604addesi,4
005A1DD389B565031F06movdwordptrss:[ebp+61F0365],esi
005A1DD9E938F8FFFFjmp005A1616
005A1DDEC1C003roleax,3
005A1DE10385D9211F06addeax,dwordptrss:[ebp+61F21D9]
005A1DE783BD212B1F0601cmpdwordptrss:[ebp+61F2B21],1
005A1DEE0F849D000000je005A1E91
005A1DF4813EAAAAAAAAcmpdwordptrds:[esi],AAAAAAAA
005A1DFA0F8512000000jnz005A1E12
005A1E0083C604addesi,4
005A1E03C746FC00000000movdwordptrds:[esi-4],0
005A1E0A97xchgeax,edi
005A1E0BB0E9moval,0E9
005A1E0DE903000000jmp005A1E15
005A1E1297xchgeax,edi
005A1E13B0E8moval,0E8
005A1E1550pusheax
005A1E1683BDDD151F0601cmpdwordptrss:[ebp+61F15DD],1
005A1E1D0F843E000000je005A1E61
005A1E23B800010000moveax,100
005A1E2883BD70A72C0600cmpdwordptrss:[ebp+62CA770],0
005A1E2F0F8408000000je005A1E3D
005A1E358D9DB0462B06leaebx,dwordptrss:[ebp+62B46B0]
005A1E3BFFD3callebx
005A1E3D803F90cmpbyteptrds:[edi],90
005A1E400F8408000000je005A1E4E
005A1E4683C705addedi,5
005A1E49E943000000jmp005A1E91
005A1E4E83F850cmpeax,50
005A1E510F820A000000jb005A1E61
005A1E57B090moval,90
005A1E59AAstosbyteptres:[edi]
005A1E5A58popeax
005A1E5BAAstosbyteptres:[edi]
005A1E5CE924000000jmp005A1E85
//Patch④、jmp005AF014★
005A1E6158popeax
005A1E62AAstosbyteptres:[edi]
005A1E63807FFFE9cmpbyteptrds:[edi-1],0E9
005A1E670F8518000000jnz005A1E85
//Patch⑤、jmp005AF036★
005A1E6D83BD70A72C0600cmpdwordptrss:[ebp+62CA770],0
005A1E740F8408000000je005A1E82
005A1E7A8D9D80462B06leaebx,dwordptrss:[ebp+62B4680]
005A1E80FFD3callebx
005A1E82884704movbyteptrds:[edi+4],al
//Patch⑥、NOP★去掉加密填充
005A1E858B85ED091F06moveax,dwordptrss:[ebp+61F09ED]
005A1E8B2BC7subeax,edi
005A1E8D83E804subeax,4
005A1E90ABstosdwordptres:[edi]
//Patch⑦、NOP★去掉加密填充
005A1E91ADlodsdwordptrds:[esi]
005A1E92C746FC00000000movdwordptrds:[esi-4],0
005A1E99E911FFFFFFjmp005A1DAF
//循环处理每个DLL的函数
//Patch⑧、jmp005AF05F★
005A1E9E89B565031F06movdwordptrss:[ebp+61F0365],esi
005A1EA452pushedx
005A1EA56800800000push8000
005A1EAA6A00push0
005A1EACFFB5AD2F1F06pushdwordptrss:[ebp+61F2FAD]
005A1EB2FF95B1241F06calldwordptrss:[ebp+61F24B1]
005A1EB85Apopedx
005A1EB98B8D51111F06movecx,dwordptrss:[ebp+61F1151]
005A1EBFC70100000000movdwordptrds:[ecx],0
005A1EC583C104addecx,4
005A1EC8898D51111F06movdwordptrss:[ebp+61F1151],ecx
005A1ECEE962F6FFFFjmp005A1535
//循环处理所有DLL的函数
005A1ED3E94B060000jmp005A2523
//此处下断,输入表处理完成后中断在这里
————————————————————————
在下面找一段空地写Patch代码,放005AF000处吧。注意:005AF000和保存EAX用的005AF400都要落在壳自己的区段里(内存表中0040D000起大小001A5000的ThemidaSFX段,即到005B2000为止),并确认那里原本全为0、壳运行时确实不会用到,否则Patch代码或保存的值会被壳自己覆盖。
005A1DA58908movdwordptrds:[eax],ecx;SHELL32.ShellExecuteA
//Patch③、jmp005AF000★
Patch代码:
005AF000A300F45A00movdwordptrds:[5AF400],eax
//保存EAX值于[5AF400]
005AF0058908movdwordptrds:[eax],ecx
//005A1DA5及其下2行代码(lodsd、mov [esi-4],0)挪这里执行:005A1DA5处改成5字节的jmp后会覆盖到005A1DA9,原处这几条指令已被破坏
005AF007ADlodsdwordptrds:[esi]
005AF008C746FC00000000movdwordptrds:[esi-4],0
005AF00FE99B2DFFFFjmp005A1DAF
//返回去继续流程
————————————————————————
005A1E5CE924000000jmp005A1E85
//Patch④、jmp005AF014★
Patch代码(注意:下面这段记录来自另一次会话,地址(005B90xx、[5B9400]、005AB637)和相对edi的偏移(edi-4/-5/-6)都与后面的"Patch代码汇总"不同;以汇总及其后的十六进制串为准,汇总中写入地址用的是 [edi]、比较 [edi-1]、改写 [edi-2]):
005B901450pusheax
005B9015A100945B00moveax,dwordptrds:[5B9400]
005B901A8947FCmovdwordptrds:[edi-4],eax
//放入正确的API保存地址
005B901D807FFBE8cmpbyteptrds:[edi-5],0E8
//E8?
005B90217508jnzshort005B902B
005B902366:C747FAFF15movwordptrds:[edi-6],15FF
//则是calldwordptrds:[XXXXXXXX]
005B9029EB06jmpshort005B9031
005B902B66:C747FAFF25movwordptrds:[edi-6],25FF
//否则是jmpdwordptrds:[XXXXXXXX]
005B903158popeax
005B9032E90026FFFFjmp005AB637
//继续流程
————————————————————————
005A1E670F8518000000jnz005A1E85
//Patch⑤、jmp005AF036★
Patch代码(注意:原来的E8形式只写5字节——stosb写1字节操作码、stosd写4字节相对偏移——而这里改写成 FF15/FF25 + 4字节绝对地址共6字节,会多占 [edi+4] 一个字节;壳对E9形式本来就会往 [edi+4] 写一字节(005A1E82),推测每处引用都预留了6字节,换目标程序时请核实):
005AF03650pusheax
005AF037A100F45A00moveax,dwordptrds:[5AF400]
005AF03C894701movdwordptrds:[edi+1],eax
005AF03F807FFFE8cmpbyteptrds:[edi-1],0E8
005AF0437508jnzshort005AF04D
005AF04566:C747FFFF15movwordptrds:[edi-1],15FF
005AF04BEB06jmpshort005AF053
005AF04D66:C747FFFF25movwordptrds:[edi-1],25FF
005AF05358popeax
005AF0540F852B2EFFFFjnz005A1E85
005AF05AE90E2EFFFFjmp005A1E6D
————————————————————————
005A1E90ABstosdwordptres:[edi]
//Patch⑦、NOP★去掉加密填充
005A1E91ADlodsdwordptrds:[esi]
005A1E92C746FC00000000movdwordptrds:[esi-4],0
005A1E99E911FFFFFFjmp005A1DAF
//循环处理每个DLL的函数
//Patch⑧、jmp005AF05F★
Patch代码:
005AF05F83C704addedi,4
005AF062E9482DFFFFjmp005A1DAF
//继续流程
————————————————————————
Patch代码汇总
005AF000A300F45A00movdwordptrds:[5AF400],eax
005AF0058908movdwordptrds:[eax],ecx
005AF007ADlodsdwordptrds:[esi]
005AF008C746FC00000000movdwordptrds:[esi-4],0
005AF00FE99B2DFFFFjmp005A1DAF
005AF01450pusheax
005AF015A100F45A00moveax,dwordptrds:[5AF400]
005AF01A8907movdwordptrds:[edi],eax
005AF01C807FFFE8cmpbyteptrds:[edi-1],0E8
005AF0207508jnzshort005AF02A
005AF02266:C747FEFF15movwordptrds:[edi-2],15FF
005AF028EB06jmpshort005AF030
005AF02A66:C747FEFF25movwordptrds:[edi-2],25FF
005AF03058popeax
005AF031E94F2EFFFFjmp005A1E85
005AF03650pusheax
005AF037A100F45A00moveax,dwordptrds:[5AF400]
005AF03C894701movdwordptrds:[edi+1],eax
005AF03F807FFFE8cmpbyteptrds:[edi-1],0E8
005AF0437508jnzshort005AF04D
005AF04566:C747FFFF15movwordptrds:[edi-1],15FF
005AF04BEB06jmpshort005AF053
005AF04D66:C747FFFF25movwordptrds:[edi-1],25FF
005AF05358popeax
005AF0540F852B2EFFFFjnz005A1E85
005AF05AE90E2EFFFFjmp005A1E6D
005AF05F83C704addedi,4
005AF062E9482DFFFFjmp005A1DAF
从OllyDBG中二进制代码复制如下:
A300F45A008908ADC746FC00000000E99B2DFFFF50A100F45A008907807FFFE8
750866C747FEFF15EB0666C747FEFF2558E94F2EFFFF50A100F45A0089470180
7FFFE8750866C747FFFF15EB0666C747FFFF25580F852B2EFFFFE90E2EFFFF83
C704E9482DFFFF
—————————————————————————————————
三、OEP
005A1ED3E94B060000jmp005A2523
//此处下断,输入表处理完成后中断在这里
对于Themida处理后的OEP查找的确有点麻烦,目前还没有发现更简便的方法。
保持此OllyDBG,新开一个OllyDBG,载入ThemidaV1.1.1.0.Test.eXe
直接Shift+F9让其运行起来,然后Ctrl+G:005A1ED3,来到输入表处理结束的地方
Ctrl+B在整个段块搜索Hex值:9DC3E9(即 popfd / retn / jmp 序列;若有多个匹配,核对后面几行是否与下面一致)
005A8C299Dpopfd
//找到这里
005A8C2AC3retn
005A8C2BE908000000jmp005A8C38
现在可以关闭后开的OllyDBG了,在第一个OllyDBG里面下断:HE005A8C29(硬件执行断点)
单击Themida的启动Nag,OllyDBG中断在005A8C29处
005A8C299Dpopfd
//中断在这里
005A8C2AC3retn
//返回005A08D3飞向“光明之巅”
005A08D368ACE9750Cpush0C75E9AC
//作为OEP吧。注意这并不是记事本原本的OEP,而是壳区段(0040D000起的ThemidaSFX段)内进入Themida VM的入口:push立即数后jmp 005A0408。下面Themida就开始OEP处理了;脱壳后的程序仍要依赖这部分壳代码运行,所以后面要把相关区段补回去。
005A08D8E92BFBFFFFjmp005A0408
005A08DD6848F5D325push25D3F548
005A08E2E921FBFFFFjmp005A0408
运行ImportREC,填入OEPRVA=001A08D3、IATRVA=000062E0、IATSize=0000023C,获取输入表。获取后确认所有函数都显示为有效(valid);若仍有无效项,说明上面某处Patch没有生效或IAT范围填得不对,应先回到第二部分检查。
运行LordPE先dumpfull此进程,存为dump.eXe,修复输入表。
Themida的VirtualMachine是不容易还原的,补上这部分壳代码吧
OllyDBG中Alt+M察看内存:
地址 大小(十进制) 物主 区段 包含
0040000000001000(4096.)Themida_00400000PEheader
0040100000006000(24576.)Themida_00400000code
0040700000005000(20480.)Themida_00400000.rsrcdata,resources
0040C00000001000(4096.)Themida_00400000.idataimports
0040D000001A5000(1724416.)Themida_00400000ThemidaSFX
005C000000009000(36864.)005C0000
006C00000003D000(249856.)006C0000
0070000000041000(266240.)00700000
0075000000006000(24576.)00750000
0076000000041000(266240.)00760000
007B000000009000(36864.)007B0000
0087000000002000(8192.)007B0000
0088000000103000(1060864.)00880000
0099000000006000(24576.)00990000
009A00000016A000(1482752.)009A0000
00CA000000003000(12288.)00CA0000
00CB000000008000(32768.)00CB0000
00CC000000001000(4096.)00CC0000
00CD000000001000(4096.)00CD0000
00CE000000004000(16384.)00CE0000
00CF000000002000(8192.)00CF0000
00D0000000001000(4096.)00D00000
00D1000000001000(4096.)00D10000
00D2000000001000(4096.)00D20000
00D3000000010000(65536.)00D30000
00D4000000010000(65536.)00D40000
00D5000000010000(65536.)00D50000
00D6000000010000(65536.)00D60000
00D7000000010000(65536.)00D70000
00D8000000010000(65536.)00D80000
00D9000000010000(65536.)00D90000
00DA000000010000(65536.)00DA0000
00DB000000001000(4096.)00DB0000
用LordPEDumpRegion以下壳区段:
00CF0000-00CF2000.dmp
00D00000-00D01000.dmp
00D10000-00D11000.dmp
00D20000-00D21000.dmp
00D30000-00DB1000.dmp
用LordPE把这些区段load入dump.eXe,注意修正各区段的Voffset(即运行时地址−基址00400000,例如00CF0000对应008F0000),并把这些区段标记为可读、可写、可执行——壳运行时会写入它们(例如004CA79E处 mov [edi],eax 写的就是00DB0000段,且ESP指向00CF0000段)。
只保留“ValidatePE”选项来Rebuilderdump.eXe
F7继续走,看看为何应该补这些壳代码段
005A04086A00push0
005A040A9Cpushfd
005A040B60pushad
005A040CE800000000call005A0411
005A04115Dpopebp
005A041281ED1D9E2C06subebp,62C9E1D
005A0418B8F3A22C06moveax,62CA2F3
005A041D03C5addeax,ebp
005A041F50pusheax
005A04208BB57D131F06movesi,dwordptrss:[ebp+61F137D]
005A0426BB01000000movebx,1
005A042B8D4628leaeax,dwordptrds:[esi+28]
005A042EF0:8618lockxchgbyteptrds:[eax],bl
005A04310ADBorbl,bl
005A04337502jnzshort005A0437
005A0435EB0Cjmpshort005A0443
005A043760pushad
005A04386A00push0
005A043AFF95B9291F06calldwordptrss:[ebp+61F29B9]
005A044061popad
005A0441EBEBjmpshort005A042E
005A044358popeax
005A0444894668movdwordptrds:[esi+68],eax
005A0447B802000000moveax,2
005A044C89466Cmovdwordptrds:[esi+6C],eax
005A044FC7442424D9401F06movdwordptrss:[esp+24],61F40D9
005A0457016C2424adddwordptrss:[esp+24],ebp
005A045B61popad
005A045C9Dpopfd
005A045DC3retn
//返回到004CA6CD
004CA6CD9Cpushfd
004CA6CE60pushad
004CA6CFE800000000call004CA6D4
004CA6D45Dpopebp
004CA6D581EDE0401F06subebp,61F40E0
004CA6DB8BB57D131F06movesi,dwordptrss:[ebp+61F137D]
004CA6E18B0424moveax,dwordptrss:[esp]
004CA6E489869C000000movdwordptrds:[esi+9C],eax
004CA6EA8B442404moveax,dwordptrss:[esp+4]
004CA6EE898694000000movdwordptrds:[esi+94],eax
004CA6F48B442408moveax,dwordptrss:[esp+8]
004CA6F88986A4000000movdwordptrds:[esi+A4],eax
004CA6FE8B44240Cmoveax,dwordptrss:[esp+C]
004CA70283C008addeax,8
004CA7058986AC000000movdwordptrds:[esi+AC],eax
004CA70B8B442410moveax,dwordptrss:[esp+10]
004CA70F89467Cmovdwordptrds:[esi+7C],eax
004CA7128B442414moveax,dwordptrss:[esp+14]
004CA71689868C000000movdwordptrds:[esi+8C],eax
004CA71C8B442418moveax,dwordptrss:[esp+18]
004CA720898684000000movdwordptrds:[esi+84],eax
004CA7268B44241Cmoveax,dwordptrss:[esp+1C]
004CA72A894674movdwordptrds:[esi+74],eax
004CA72D8B442420moveax,dwordptrss:[esp+20]
004CA731894670movdwordptrds:[esi+70],eax
004CA73466:8CC8movax,cs
004CA73766:8986E4000000movwordptrds:[esi+E4],ax
004CA73E66:8CD8movax,ds
004CA74166:8986E6000000movwordptrds:[esi+E6],ax
004CA74866:8CC0movax,es
004CA74B66:8986E8000000movwordptrds:[esi+E8],ax
004CA75266:8CD0movax,ss
004CA75566:8986EA000000movwordptrds:[esi+EA],ax
004CA75CC74638000000F0movdwordptrds:[esi+38],F0000000
004CA7638BB57D131F06movesi,dwordptrss:[ebp+61F137D]
004CA7698B7E68movedi,dwordptrds:[esi+68]
004CA76C8B07moveax,dwordptrds:[edi]
004CA76E03C5addeax,ebp
004CA77089464Cmovdwordptrds:[esi+4C],eax
004CA773034704addeax,dwordptrds:[edi+4]
004CA776894650movdwordptrds:[esi+50],eax
004CA7798B442424moveax,dwordptrss:[esp+24]
004CA77D8B7668movesi,dwordptrds:[esi+68]
004CA78083C608addesi,8
004CA783E903000000jmp004CA78B
004CA78883C60Caddesi,0C
004CA78B3906cmpdwordptrds:[esi],eax
004CA78D0F85F5FFFFFFjnz004CA788
004CA7938B4604moveax,dwordptrds:[esi+4]
004CA79603C5addeax,ebp
004CA7988BBD7D131F06movedi,dwordptrss:[ebp+61F137D]
004CA79E8907movdwordptrds:[edi],eax
004CA7A08BA5D5401F06movesp,dwordptrss:[ebp+61F40D5]
004CA7A681C4FC1F0000addesp,1FFC
004CA7ACFF6758jmpdwordptrds:[edi+58]
//走到这里★
//[edi+58]=[00DB0058]=00DB07D0修补代码结束地址所在段★
//ESP=00CF1FFC修补代码开始地址所在段★
注意:如果刚开始时没有修改SizeOfStackReserve值为00380000,则此程序这里的值(壳自己的栈和数据结构所在地址)低于基址00400000,而PE区段只能位于基址之上,导致不好处理。
修补区段后导致dumped_.eXe巨大,呵呵,此脱壳没啥意义,聊作游戏。
最后再申明:不要用本文的方法去OllyDBG调试有驱动的其他版本Themida,那样只会让你的电脑重启。