Manual Unpacking Primer, Part 17: VGCrypt PE Encryptor V0.75
【Title】 Manual Unpacking Primer, Part 17: VGCrypt PE Encryptor V0.75
【Author】 weiyi75
【Author's e-mail】 weiyi75@sohu.com
【Author's homepage】 Dfcg官方大本营
【Tools used】 PEiD, OllyDbg, ImportREC
【Unpacking platform】 Win2K/XP
【Software name】 VGCrypt PE Encryptor V0.75
【Software intro】 This is a fairly simple PE encryptor I wrote up. I commented everything that is relevant to PE appendation or insertion, more so than I needed to even. The most interesting feature of this encryptor is that it attempts to find a location to insert itself between object virtual size and the next file alignment boundary, thus not changing the physical file size.
【Software size】 16 KB
【Download】 Local download: Vgcrypt.rar
【Packer】 Virogen Crypt 0.75
【Protection】 Virogen Crypt resource-protection shell
【Unpacking note】 I'm just a little newbie; I picked up a bit of insight and would like to share it with everyone :)
--------------------------------------------------------------------------------
【Unpacking content】
I downloaded the program and packed a Win98 Notepad from the command line with Vgcrypt Notepad.exe. Ugh: the original file size equals the packed size, 52K. The program doesn't encrypt the IAT either; it only scrambles the code section so that it cannot be disassembled, and a resource editor shows the resources can still be edited.
Packed Notepad
Local download: Notepad.rar
First, PEiD identifies the shell as Virogen Crypt 0.75. Load it in OD and run: nothing unusual happens, so we treat it as a compression shell.
0040584C >9C PUSHFD //shell entry point of the packed Notepad.
0040584D 55 PUSH EBP
0040584E E8 EC000000 CALL 1.0040593F
00405853 87D5 XCHG EBP,EDX
00405855 5D POP EBP
00405856 60 PUSHAD //use the ESP trick right after this instruction,
00405857 87D5 XCHG EBP,EDX //at this point ESP=12ffa0
00405859 80BD 15274000 0>CMP BYTE PTR SS:[EBP+402715],1
00405860 74 39 JE SHORT 1.0040589B
00405862 C685 15274000 0>MOV BYTE PTR SS:[EBP+402715],1
00405869 E9 E4000000 JMP 1.00405952
0040586E- E9 79DAFF90 JMP 914032EC
00405873 D6 SALC
00405874 64:CE INTO ; superfluous prefix
00405876 E4 3C IN AL,3C ; I/O command
00405878 40 INC EAX
00405879 94 XCHG EAX,ESP
0040587A 65:EC IN AL,DX ; I/O command
0040587C^ 78 8D JS SHORT 1.0040580B
.............................................................
dd 12ffa0
Set a hardware breakpoint on access, Dword.
F9 to run.
The hardware breakpoint hits.
004058A8 9D POPFD //stack balanced
004058A9 8B9A 09274000 MOV EBX,DWORD PTR DS:[EDX+402709]
004058AF 898A 09274000 MOV DWORD PTR DS:[EDX+402709],ECX
004058B5 FFE3 JMP EBX //jumps to the OEP, 4010CC
004010CC 55 DB 55 //right-click, Remove analysis
004010CD 8B DB 8B
004010CE EC DB EC
004010CF 83 DB 83
004010D0 EC DB EC
004010D1 44 DB 44 ;CHAR 'D'
004010D2 56 DB 56 ;CHAR 'V'
004010D3 FF DB FF
004010D4 15 DB 15
004010D5 .E4634000 DD 004063E4 ; KERNEL32.GetCommandLineA
004010D9 8B DB 8B
004010DA F0 DB F0
004010DB 8A DB 8A
004010DC 00 DB 00
004010DD 3C DB 3C ;CHAR '<'

004010D9 8BF0 MOV ESI,EAX
004010DB 8A00 MOV AL,BYTE PTR DS:[EAX]
004010DD 3C 22 CMP AL,22
004010DF 75 1B JNZ SHORT 1.004010FC
004010E1 56 PUSH ESI
004010E2 FF15 F4644000 CALL DWORD PTR DS:[<&USER32.CharNextA>]; USER32.CharNextA
004010E8 8BF0 MOV ESI,EAX
004010EA 8A00 MOV AL,BYTE PTR DS:[EAX]
004010EC 84C0 TEST AL,AL
004010EE 74 04 JE SHORT 1.004010F4
004010F0 3C 22 CMP AL,22
004010F2^ 75 ED JNZ SHORT 1.004010E1
004010F4 803E 22 CMP BYTE PTR DS:[ESI],22
................................................................................
Run ImportREC and select this process. Set the OEP to 000010cc, click IAT AutoSearch, then click "Get Imports": every function is valid. Fix Dump, but the dump won't run. Ugh. Rebuild the PE with LordPE and it runs normally.
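Two details above are worth checking mechanically rather than by eye: the encryptor's intro says it hides itself in the gap between a section's VirtualSize and the next FileAlignment boundary (which is why the packed Notepad stays 52K), and ImportREC wants the OEP as an RVA, i.e. 4010CC minus the 400000 image base. The script below is an added example written for this write-up; it is not the packer's code nor the author's. It parses a PE32 header, reports each section's on-disk slack, flags an entry point that lands in that slack, and maps an RVA to a section and file offset. The section layout, the entry RVA 0x6720 and the image bytes are constructed in memory (the image is not a runnable executable); the OEP VA 0x4010CC and image base 0x400000 are the write-up's values.

```python
"""Section-slack and OEP-offset checks for a PE32 image (added example;
the sample image is constructed and is not a runnable executable)."""
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_BASE = 0x400000         # the write-up's 00400000 image base
SECTION_ALIGN = 0x1000
FILE_ALIGN = 0x200


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def build_sample_pe(entry_rva, sections):
    """Build DOS stub + PE signature + COFF + PE32 optional header + section
    table, zero-padded to the end of the last section's raw data.
    Constructed sample: only the fields parse_pe() reads are filled in."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    opt = bytearray(0xE0)                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)       # ImageBase
    struct.pack_into("<I", opt, 32, SECTION_ALIGN)    # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGN)       # FileAlignment
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x10F)
    table = b"".join(
        struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, va, raw, ptr,
                    0, 0, 0, 0, 0x60000020)
        for name, vsize, va, raw, ptr in sections)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    end = max(ptr + raw for _, _, _, raw, ptr in sections)
    return image.ljust(end, b"\0")


def parse_pe(data):
    """Read the header fields the checks need (PE32 only; PE32+ differs)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    info = {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "image_base": struct.unpack_from("<I", data, opt + 28)[0],
            "sect_align": struct.unpack_from("<I", data, opt + 32)[0],
            "file_align": struct.unpack_from("<I", data, opt + 36)[0],
            "sections": []}
    for i in range(nsec):
        name, vsize, va, raw, ptr = struct.unpack_from(
            SECTION_HDR, data, opt + opt_size + 40 * i)[:5]
        info["sections"].append({"name": name.rstrip(b"\0").decode(),
                                 "vsize": vsize, "va": va, "raw": raw, "ptr": ptr})
    return info


def section_slack(sec):
    """Bytes stored on disk past VirtualSize: the gap VGCrypt writes into.
    Linkers normally leave less than one FileAlignment unit here."""
    return max(sec["raw"] - sec["vsize"], 0)


def locate_rva(rva, info):
    """Map an RVA to section, file offset and whether it sits in the slack
    past VirtualSize (the loader maps those raw bytes too)."""
    for sec in info["sections"]:
        region = align_up(max(sec["vsize"], 1), info["sect_align"])
        if sec["va"] <= rva < sec["va"] + region:
            delta = rva - sec["va"]
            return {"section": sec["name"],
                    "file_offset": sec["ptr"] + delta if delta < sec["raw"] else None,
                    "in_slack": delta >= sec["vsize"]}
    return None


def analyze(data):
    """Per-section slack, entry-point location, and findings worth triage."""
    info = parse_pe(data)
    entry = locate_rva(info["entry_rva"], info)
    findings, slack = [], {}
    if entry is None:
        findings.append("entry point is outside every section")
    elif entry["in_slack"]:
        findings.append(f"entry point {info['entry_rva']:#x} lies in "
                        f"{entry['section']} slack past VirtualSize")
    for sec in info["sections"]:
        slack[sec["name"]] = section_slack(sec)
        if slack[sec["name"]] >= info["file_align"]:
            findings.append(f"{sec['name']}: slack {slack[sec['name']]:#x} "
                            f"is at least one FileAlignment unit")
    return {"entry": entry, "slack": slack, "findings": findings, "info": info}


# Constructed layout: .text has VirtualSize 0x5700 but 0x5800 bytes on disk,
# i.e. 0x100 bytes of slack at RVA 0x6700..0x67FF; .data has no slack.
SAMPLE_SECTIONS = [(b".text", 0x5700, 0x1000, 0x5800, 0x400),
                   (b".data", 0x0800, 0x7000, 0x0800, 0x5C00)]
PACKED_ENTRY_RVA = 0x6720   # constructed: shell entry placed inside the slack
OEP_VA = 0x4010CC           # the OEP the write-up reaches with the ESP trick

if __name__ == "__main__":
    report = analyze(build_sample_pe(PACKED_ENTRY_RVA, SAMPLE_SECTIONS))
    print("entry:", report["entry"], "slack:", report["slack"])
    for finding in report["findings"]:
        print("finding:", finding)
    oep_rva = OEP_VA - report["info"]["image_base"]
    print("OEP RVA for ImportREC:", hex(oep_rva), "->", locate_rva(oep_rva, report["info"]))
```

On the constructed sample the report flags the entry point as sitting in .text slack, and the OEP maps to RVA 0x10CC at file offset 0x4CC, the value typed into ImportREC above. On a real file, an entry point in slack or a slack run of a whole FileAlignment unit is the signal to look for; a few hundred bytes of padding under one alignment unit is ordinary linker output.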
Next, load the main program itself in OD.
00408000 >9C PUSHFD //shell entry point of the main program.
00408001 55 PUSH EBP
00408002 E8 EC000000 CALL Vgcrypt.004080F3
00408007 87D5 XCHG EBP,EDX
00408009 5D POP EBP
0040800A 60 PUSHAD //use the ESP trick right after this instruction,
0040800B 87D5 XCHG EBP,EDX //at this point ESP=12ffa0
0040800D 80BD 15274000 0>CMP BYTE PTR SS:[EBP+402715],1
00408014 74 39 JE SHORT Vgcrypt.0040804F
00408016 C685 15274000 0>MOV BYTE PTR SS:[EBP+402715],1