标题:手动脱壳入门第十七篇 VGCrypt PE Encryptor V0.75
-------------------------------------------------------------------------------------------------------------------------------
时间:2006/8/28 17:24:45
-------------------------------------------------------------------------------------------------------------------------------
内容:
| cotine |
手动脱壳入门第十七篇 VGCrypt PE Encryptor V0.75 手动脱壳入门第十七篇 VGCrypt PE Encryptor V0.75 【脱文标题】 手动脱壳入门第十七篇 VGCrypt PE Encryptor V0.75 【脱文作者】 weiyi75[Dfcg] 【作者邮箱】 weiyi75@sohu.com 【作者主页】 Dfcg官方大本营 【使用工具】 Peid,Ollydbg,ImportREC 【脱壳平台】 Win2K/XP 【软件名称】 VGCrypt PE Encryptor V0.75 【软件简介】 This is a fairly simple PE encryptor I wrote up. I commented everything that is relavent to PE appendation or insertion, more so than I needed to even. The most interesting feature of this encryptor is that it attempts to find a location to insert itself between object virtual size and the next file alignment boundary, thus not changing the physical file size. 【软件大小】 16 KB 【下载地址】 http://member.netease.com/~fsdb/source/vgcrypt.zip 或 本地下载 【加壳方式】 Virogen Crypt 0.75 【保护方式】 Virogen Crypt资源保护壳 【脱壳声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:) -------------------------------------------------------------------------------- 【脱壳内容】 下载这个程序,用 Vgcrypt Notepad.exe 的命令行方法压缩了一个Win98的记事本,倒,原文件大小等于压缩后大小52K,程序也没有加密IAT,仅仅搞乱了Code段,让你无法反汇编,用资源编辑软件发现可以编辑资源。 加壳记事本 本地下载 首先Peid查壳,为Virogen Crypt 0.75,OD载入运行,无任何异常,判断其为压缩壳。 0040584C > 9C PUSHFD //记事本外壳入口。 0040584D 55 PUSH EBP 0040584E E8 EC000000 CALL 1.0040593F 00405853 87D5 XCHG EBP,EDX 00405855 5D POP EBP 00405856 60 PUSHAD //从这这句过后用ESP定律吧, 00405857 87D5 XCHG EBP,EDX //到这里ESP=12ffa0 00405859 80BD 15274000 0>CMP BYTE PTR SS:[EBP+402715],1 00405860 74 39 JE SHORT 1.0040589B 00405862 C685 15274000 0>MOV BYTE PTR SS:[EBP+402715],1 00405869 E9 E4000000 JMP 1.00405952 0040586E - E9 79DAFF90 JMP 914032EC 00405873 D6 SALC 00405874 64:CE INTO ; 多余的前缀 00405876 E4 3C IN AL,3C ; I/O 命令 00405878 40 INC EAX 00405879 94 XCHG EAX,ESP 0040587A 65:EC IN AL,DX ; I/O 命令 0040587C ^ 78 8D JS SHORT 1.0040580B ............................................................. dd 12ffa0 下硬件访问-Dword断点。 F9运行 硬件中断。 004058A8 9D POPFD //堆栈平衡 004058A9 8B9A 09274000 MOV EBX,DWORD PTR DS:[EDX+402709] 004058AF 898A 09274000 MOV DWORD PTR DS:[EDX+402709],ECX 004058B5 FFE3 JMP EBX //跳往OEP 4010CC 004010CC 55 DB 55 //右键清除分析 004010CD 8B DB 8B 004010CE EC DB EC 004010CF 83 DB 83 004010D0 EC DB EC 004010D1 44 DB 44 ; CHAR 'D' 004010D2 56 DB 56 ; CHAR 'V' 004010D3 FF DB FF 004010D4 15 DB 15 004010D5 . E4634000 DD <&KERNEL32.GetCommandLineA> 004010D9 8B DB 8B 004010DA F0 DB F0 004010DB 8A DB 8A 004010DC 00 DB 00 004010DD 3C DB 3C ; CHAR '<' 004010DE 22 DB 22 ; CHAR '"' 004010DF 75 DB 75 ; CHAR 'u' ................................................................................ 004010CC 55 PUSH EBP //在这里用Loadpe直接脱壳 004010CD 8BEC MOV EBP,ESP 004010CF 83EC 44 SUB ESP,44 004010D2 56 PUSH ESI 004010D3 FF15 E4634000 CALL DWORD PTR DS:[<&KERNEL32.GetCommand>; KERNEL32.GetCommandLineA 004010D9 8BF0 MOV ESI,EAX 004010DB 8A00 MOV AL,BYTE PTR DS:[EAX] 004010DD 3C 22 CMP AL,22 004010DF 75 1B JNZ SHORT 1.004010FC 004010E1 56 PUSH ESI 004010E2 FF15 F4644000 CALL DWORD PTR DS:[<&USER32.CharNextA>] ; USER32.CharNextA 004010E8 8BF0 MOV ESI,EAX 004010EA 8A00 MOV AL,BYTE PTR DS:[EAX] 004010EC 84C0 TEST AL,AL 004010EE 74 04 JE SHORT 1.004010F4 004010F0 3C 22 CMP AL,22 004010F2 ^ 75 ED JNZ SHORT 1.004010E1 004010F4 803E 22 CMP BYTE PTR DS:[ESI],22 ................................................................................ 运行ImportREC,选择这个进程。把OEP改为000010cc,点IT AutoSearch,点“Get Import”,函数都是有效的。FixDump,无法运行。倒,用Loadpe重建Pe,正常运行。 继续OD载入它的主程序。 00408000 > 9C PUSHFD //主程序外壳入口。 00408001 55 PUSH EBP 00408002 E8 EC000000 CALL Vgcrypt.004080F3 00408007 87D5 XCHG EBP,EDX 00408009 5D POP EBP 0040800A 60 PUSHAD //从这这句过后用ESP定律吧, 0040800B 87D5 XCHG EBP,EDX //到这里ESP=12ffa0 0040800D 80BD 15274000 0>CMP BYTE PTR SS:[EBP+402715],1 00408014 74 39 JE SHORT Vgcrypt.0040804F 00408016 C685 15274000 0>MOV BYTE PTR SS:[EBP+402715],1 0040801D E9 E4000000 JMP Vgcrypt.00408106 00408022 - E9 93819AFE JMP FEDB01BA ................................................................................ dd 12ffa0 下硬件访问-Dword断点。 F9运行 硬件中断。 0040805C 9D POPFD //堆栈平衡 0040805D 8B9A 09274000 MOV EBX,DWORD PTR DS:[EDX+402709] 00408063 898A 09274000 MOV DWORD PTR DS:[EDX+402709],ECX 00408069 FFE3 JMP EBX //外壳出口,跳向Oep吗? 00407000 9C PUSHFD //到这里,和最外层入口一样,原来有多层壳。 00407001 55 PUSH EBP 00407002 E8 EC000000 CALL Vgcrypt.004070F3 00407007 87D5 XCHG EBP,EDX 00407009 5D POP EBP 0040700A 60 PUSHAD //还是Esp定律,不过硬件断点不变。 0040700B 87D5 XCHG EBP,EDX //F8单步到这里按F9 0040700D 80BD 15274000 0>CMP BYTE PTR SS:[EBP+402715],1 00407014 74 39 JE SHORT Vgcrypt.0040704F 00407016 C685 15274000 0>MOV BYTE PTR SS:[EBP+402715],1 0040701D E9 E4000000 JMP Vgcrypt.00407106 00407022 - E9 E3C097F2 JMP F2D8310A 00407027 5F POP EDI 00407028 9A 45F25421 197>CALL FAR 7B19:2154F245 ; 远距呼叫 ................................................................................ 0040705C 9D POPFD 0040705D 8B9A 09274000 MOV EBX,DWORD PTR DS:[EDX+402709] 00407063 898A 09274000 MOV DWORD PTR DS:[EDX+402709],ECX 00407069 FFE3 JMP EBX //进入第三层壳。 00406000 9C PUSHFD 00406001 55 PUSH EBP 00406002 E8 EC000000 CALL Vgcrypt.004060F3 00406007 87D5 XCHG EBP,EDX 00406009 5D POP EBP 0040600A 60 PUSHAD //还是Esp定律,不过硬件断点不变。 0040600B 87D5 XCHG EBP,EDX //F8单步到这里按F9 0040600D 80BD 15274000 0>CMP BYTE PTR SS:[EBP+402715],1 00406014 74 39 JE SHORT Vgcrypt.0040604F 00406016 C685 15274000 0>MOV BYTE PTR SS:[EBP+402715],1 0040601D E9 E4000000 JMP Vgcrypt.00406106 00406022 - E9 E0B4662D JMP 2DA71507 ................................................................................ 0040605C 9D POPFD 0040605D 8B9A 09274000 MOV EBX,DWORD PTR DS:[EDX+402709] 00406063 898A 09274000 MOV DWORD PTR DS:[EDX+402709],ECX 00406069 FFE3 JMP EBX //进入第四层壳。 00405000 9C PUSHFD 00405001 55 PUSH EBP 00405002 E8 EC000000 CALL Vgcrypt.004050F3 00405007 87D5 XCHG EBP,EDX 00405009 5D POP EBP 0040500A 60 PUSHAD //还是Esp定律,不过硬件断点不变。 0040500B 87D5 XCHG EBP,EDX //F8单步到这里按F9 0040500D 80BD 15274000 0>CMP BYTE PTR SS:[EBP+402715],1 00405014 74 39 JE SHORT Vgcrypt.0040504F 00405016 C685 15274000 0>MOV BYTE PTR SS:[EBP+402715],1 0040501D E9 E4000000 JMP Vgcrypt.00405106 00405022 - E9 BBE11B00 JMP 005C31E2 00405027 94 XCHG EAX,ESP 00405028 6D INS DWORD PTR ES:[EDI],DX ; I/O 命令 ................................................................................ 0040505C 9D POPFD 0040505D 8B9A 09274000 MOV EBX,DWORD PTR DS:[EDX+402709] 00405063 898A 09274000 MOV DWORD PTR DS:[EDX+402709],ECX 00405069 FFE3 JMP EBX //EBX=401000,程序OEP入口。 00401000 E8 DB E8 //这里右键清除分析。 00401001 51 DB 51 ; CHAR 'Q' 00401002 06 DB 06 00401003 00 DB 00 00401004 00 DB 00 00401005 0B DB 0B 00401006 C0 DB C0 00401007 0F DB 0F 00401008 84 DB 84 00401009 D8 DB D8 0040100A 00 DB 00 0040100B 00 DB 00 0040100C 00 DB 00 0040100D 96 DB 96 0040100E 80 DB 80 0040100F 3E DB 3E ; CHAR '>' 00401010 00 DB 00 ................................................................................ 00401000 E8 51060000 CALL <JMP.&KERNEL32.GetCommandLineA> //汇编语言入口,这里用Loadpe直接脱壳。 00401005 0BC0 OR EAX,EAX 00401007 0F84 D8000000 JE Vgcrypt.004010E5 0040100D 96 XCHG EAX,ESI 0040100E 803E 00 CMP BYTE PTR DS:[ESI],0 00401011 0F84 CE000000 JE Vgcrypt.004010E5 00401017 C1E0 08 SHL EAX,8 0040101A AC LODS BYTE PTR DS:[ESI] 0040101B 3D 74707972 CMP EAX,72797074 00401020 75 05 JNZ SHORT Vgcrypt.00401027 00401022 803E 2E CMP BYTE PTR DS:[ESI],2E 00401025 75 0E JNZ SHORT Vgcrypt.00401035 00401027 3D 6578652E CMP EAX,2E657865 0040102C 74 07 JE SHORT Vgcrypt.00401035 0040102E 3D 4558452E CMP EAX,2E455845 00401033 ^ 75 D9 JNZ SHORT Vgcrypt.0040100E 00401035 AC LODS BYTE PTR DS:[ESI] 00401036 3C 20 CMP AL,20 ................................................................................ 运行ImportREC,选择这个进程。把OEP改为00001000,点IT AutoSearch,点“Get Import”,函数都是有效的。FixDump,正常运行。 "手动脱壳入门第十七篇"脱壳动画! <<<上一篇 下一篇>>> |