拍花 (QQ 545235297): today's tutorial covers unpacking and cracking with OllyDbg.
Just watch the steps; the notes are already written out.
First:
Unpacking SoftSentry 2.11 -> 20/20 Software
OllyDbg settings: under Options -> Debugging options -> Exceptions, tick every exception except memory access violations (recommended; this setting works for most packers).
Load the target in OllyDbg. There is no need to hide the debugger, because SoftSentry 2.11 does not detect OllyDbg.
00439E90 > 55 PUSH EBP // address at load time; step over (F8) every line below that carries no note
00439E91 8BEC MOV EBP,ESP
00439E93 83EC 64 SUB ESP,64
00439E96 53 PUSH EBX
00439E97 56 PUSH ESI
00439E98 57 PUSH EDI
00439E99 E9 50000000 JMP XFM.00439EEE
00439E9E 0000 ADD BYTE PTR DS:[EAX],AL
00439EA0 90 NOP
00439EA1 9E SAHF
00439EA2 0300 ADD EAX,DWORD PTR DS:[EAX]
00439EA4 0000 ADD BYTE PTR DS:[EAX],AL
00439EA6 40 INC EAX
00439EA7 00C1 ADD CL,AL
00439EA9 00F8 ADD AL,BH
00439EAB 2101 AND DWORD PTR DS:[ECX],EAX
00439EAD 0066 3D ADD BYTE PTR DS:[ESI+3D],AH
00439EB0 0100 ADD DWORD PTR DS:[EAX],EAX
00439EB2 66:3D 0100 CMP AX,1
00439EB6 66:3D 0100 CMP AX,1
00439EBA 66:3D 0100 CMP AX,1
00439EBE 66:3D 0100 CMP AX,1
00439EC2 66:3D 0100 CMP AX,1
00439EC6 66:3D 0100 CMP AX,1
00439ECA 66:3D 0100 CMP AX,1
00439ECE 66:3D 0100 CMP AX,1
00439ED2 66:3D 0100 CMP AX,1
00439ED6 66:3D 0100 CMP AX,1
00439EDA 66:3D 0100 CMP AX,1
00439EDE 66:3D 0100 CMP AX,1
00439EE2 66:3D 0100 CMP AX,1
00439EE6 66:3D 0100 CMP AX,1
00439EEA 66:3D 0100 CMP AX,1
00439EEE C745 E8 0000000>MOV DWORD PTR SS:[EBP-18],0
00439EF5 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
00439EF8 50 PUSH EAX
00439EF9 FF15 F8334400 CALL DWORD PTR DS:[<&KERNEL32.GetStartup>
00439EFF F645 E8 01 TEST BYTE PTR SS:[EBP-18],1
00439F03 0F84 10000000 JE XFM.00439F19
00439F09 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00439F0C 25 FFFF0000 AND EAX,0FFFF
00439F11 8945 14 MOV DWORD PTR SS:[EBP+14],EAX
00439F14 E9 07000000 JMP XFM.00439F20
00439F19 C745 14 0A00000>MOV DWORD PTR SS:[EBP+14],0A
00439F20 6A 00 PUSH 0
00439F22 FF15 00344400 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>
00439F28 8945 08 MOV DWORD PTR SS:[EBP+8],EAX ; XFM.00400000
00439F2B C745 0C 0000000>MOV DWORD PTR SS:[EBP+C],0
00439F32 FF15 E4334400 CALL DWORD PTR DS:[<&KERNEL32.GetCommand>
00439F38 8945 10 MOV DWORD PTR SS:[EBP+10],EAX
00439F3B 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00439F3E 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
00439F41 66:C705 B8F1430>MOV WORD PTR DS:[43F1B8],0
00439F4A 66:C705 322D440>MOV WORD PTR DS:[442D32],0
00439F53 837D 0C 00 CMP DWORD PTR SS:[EBP+C],0
00439F57 0F85 17000000 JNZ XFM.00439F74
00439F5D 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00439F60 E8 9B0E0000 CALL XFM.0043AE00
00439F65 85C0 TEST EAX,EAX
00439F67 0F85 07000000 JNZ XFM.00439F74
00439F6D 33C0 XOR EAX,EAX
00439F6F E9 DC030000 JMP XFM.0043A350
00439F74 68 04010000 PUSH 104
00439F79 68 602B4400 PUSH XFM.00442B60
00439F7E 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00439F81 50 PUSH EAX
00439F82 FF15 E8334400 CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>
00439F88 85C0 TEST EAX,EAX
00439F8A /0F85 07000000 JNZ XFM.00439F97
00439F90 |33C0 XOR EAX,EAX
00439F92 |E9 B9030000 JMP XFM.0043A350
00439F97 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
00439F9A 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00439F9D E8 AE0E0000 CALL XFM.0043AE50
00439FA2 85C0 TEST EAX,EAX
00439FA4 0F85 1B000000 JNZ XFM.00439FC5
00439FAA 6A 00 PUSH 0
00439FAC 68 B8F04300 PUSH XFM.0043F0B8
00439FB1 68 04F34300 PUSH XFM.0043F304 ; ASCII "InitInstance FALSE"
00439FB6 6A 00 PUSH 0
00439FB8 FF15 84344400 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>
00439FBE 33C0 XOR EAX,EAX
00439FC0 E9 8B030000 JMP XFM.0043A350
00439FC5 C745 B0 0100000>MOV DWORD PTR SS:[EBP-50],1
00439FCC 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
00439FCF A3 C02A4400 MOV DWORD PTR DS:[442AC0],EAX
00439FD4 BA 402B4400 MOV EDX,XFM.00442B40
00439FD9 8D0D A12A4400 LEA ECX,DWORD PTR DS:[442AA1]
00439FDF E8 DC2B0000 CALL XFM.0043CBC0
00439FE4 E8 072C0000 CALL XFM.0043CBF0
00439FE9 85C0 TEST EAX,EAX
00439FEB 0F84 18000000 JE XFM.0043A009
00439FF1 66:C705 B8F1430>MOV WORD PTR DS:[43F1B8],1
00439FFA C705 68F14300 0>MOV DWORD PTR DS:[43F168],1
0043A004 /E9 AE020000 JMP XFM.0043A2B7
0043A009 |EB 12 JMP SHORT XFM.0043A01D
0043A00B 68 ECF24300 PUSH XFM.0043F2EC ; ASCII "NOT FOR DISTRIBUTION"
0043A010 68 E0F14300 PUSH XFM.0043F1E0 ; ASCII "This product is protected with an evaluation copy of softSENTRY. This message will not display with a purchased copy. Please report unauthorized use of softSENTRY to 20/20 Software at 800-735-2020 or 503-520-0504."
0043A015 6A 00 PUSH 0
0043A017 FF15 84344400 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>
0043A01D B9 01000000 MOV ECX,1
0043A022 E8 792A0000 CALL XFM.0043CAA0
0043A027 33C0 XOR EAX,EAX
0043A029 66:A1 322D4400 MOV AX,WORD PTR DS:[442D32]
0043A02F F6C4 C0 TEST AH,0C0
0043A032 0F85 2E000000 JNZ XFM.0043A066 ..................// change to NOP
0043A038 33C0 XOR EAX,EAX
0043A03A 66:A1 322D4400 MOV AX,WORD PTR DS:[442D32]
0043A040 F6C4 10 TEST AH,10
0043A043 0F84 1D000000 JE XFM.0043A066 .................. // change to NOP
0043A049 6A 00 PUSH 0
0043A04B 68 03800000 PUSH 8003
0043A050 68 11010000 PUSH 111
0043A055 A1 802C4400 MOV EAX,DWORD PTR DS:[442C80]
0043A05A 50 PUSH EAX
0043A05B FF15 94344400 CALL DWORD PTR DS:[<&USER32.SendMessageA>
0043A061 E9 05000000 JMP XFM.0043A06B
Press Ctrl+B and search for FF D7 6A 00
0043A3AB |FFD7 CALL EDI // lands here: set a breakpoint with F2, run with Shift+F9; once it breaks, remove the breakpoint and press F7 to step into the call
0043A3AD 6A 00 PUSH 0
0043A3AF 68 28F34300 PUSH XFM.0043F328 ; ASCII "softSENTRY"
0043A3B4 68 18F34300 PUSH XFM.0043F318 ; ASCII "Failed to run!"
------------------------------------
0040B600 55 DB 55 ; CHAR U // you can dump at this point
0040B601 8B DB 8B
0040B602 EC DB EC
0040B603 6A DB 6A ; CHAR j
0040B604 FF DB FF
0040B605 68 DB 68 ; CHAR h
0040B606 00204100 DD XFM.00412000
0040B60A 68 DB 68 ; CHAR h
0040B60B 38 DB 38 ; CHAR 8
0040B60C EF DB EF
Press Ctrl+A to clear the code analysis:
0040B600 . 55 PUSH EBP // now this looks very familiar
0040B601 . 8BEC MOV EBP,ESP
0040B603 . 6A FF PUSH -1
0040B605 . 68 00204100 PUSH XFM.00412000
0040B60A . 68 38EF4000 PUSH XFM.0040EF38 ; SE handler installation
0040B60F . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
I will not go over the repair step; it is very simple.
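The two things the walkthrough does by hand in OllyDbg, the Ctrl+B binary search for FF D7 6A 00 and recognising the standard MSVC CRT entry prologue (PUSH EBP / MOV EBP,ESP / PUSH -1 / PUSH handler / PUSH handler / MOV EAX,FS:[0]) as the original entry point, are both wildcard byte-pattern searches. The following is an added example, not code from the tutorial or from 20/20 Software: a small Python scanner that takes patterns in the same "FF D7 6A 00" / "??" notation OllyDbg uses and runs them over a constructed buffer assembled from the bytes visible in the listings above (the buffer layout and offsets are invented for the demonstration). It generalises the page's search slightly by allowing wildcard bytes, which is what turns the OEP listing into a reusable signature for confirming that a dump really starts at the CRT entry.

```python
"""
Added example: wildcard byte-pattern search over a constructed buffer.
Not part of the original tutorial; the sample bytes are taken from the
listings on the page, but the buffer and its offsets are made up.
"""
import re

# The sequence the tutorial searches for with Ctrl+B:
# CALL EDI (FF D7) followed by PUSH 0 (6A 00).
CALL_EDI_PUSH0 = "FF D7 6A 00"

# The classic MSVC CRT entry prologue shown at 0040B600 in the listing:
#   55                 PUSH EBP
#   8B EC              MOV EBP,ESP
#   6A FF              PUSH -1
#   68 ?? ?? ?? ??     PUSH <per-binary address>
#   68 ?? ?? ?? ??     PUSH <SE handler, per-binary address>
#   64 A1 00 00 00 00  MOV EAX,DWORD PTR FS:[0]
# The two 32-bit immediates differ from binary to binary, so they are wildcards.
MSVC_SEH_PROLOGUE = "55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00"


def compile_pattern(text):
    """Turn 'AA BB ?? CC' into a compiled regex over bytes ('??' = any byte)."""
    parts = []
    for tok in text.split():
        if tok == "??":
            parts.append(b".")                      # any single byte (DOTALL below)
        else:
            parts.append(b"\\x%02x" % int(tok, 16))  # literal byte as \xhh escape
    return re.compile(b"".join(parts), re.DOTALL)


def find_all(buf, text):
    """Return every offset in buf at which the pattern starts."""
    return [m.start() for m in compile_pattern(text).finditer(buf)]


def scan(buf):
    """Report where each known sequence occurs (offsets as ints)."""
    return {
        "call_edi_push0": find_all(buf, CALL_EDI_PUSH0),
        "msvc_seh_prologue": find_all(buf, MSVC_SEH_PROLOGUE),
    }


# Constructed sample buffer (not a real dump): padding with the two
# sequences from the listings embedded at chosen offsets.
SAMPLE = (
    b"\x90" * 16                                                # 0x00..0x0F: NOP padding
    + bytes.fromhex("FFD76A00" "6828F34300" "6818F34300")       # 0x10: CALL EDI; PUSH 0; PUSH; PUSH
    + b"\xCC" * 18                                              # 0x1E..0x2F: INT3 padding
    + bytes.fromhex("558BEC6AFF" "6800204100" "6838EF4000" "64A100000000")  # 0x30: CRT prologue
    + b"\x00" * 8                                               # trailing zeros
)

if __name__ == "__main__":
    for name, hits in scan(SAMPLE).items():
        print(name, [hex(h) for h in hits])
```

Both hits land exactly where the constructed layout puts them (0x10 and 0x30). Running the prologue signature over a dumped image is a quick sanity check that the dump was taken at the real entry point rather than somewhere inside the packer stub; the wildcard slots are what keep the signature valid across different builds of the same compiler runtime.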