Original source:
http://www.chat001.com/forum/crackforum/258011.html Original post info:
No.: 258011
Title: Simple unpacking of tElock 0.98b1 -> tE! (7k characters)
Posted by: 小球[CCG]
Time: 2003-3-13 23:21
Views: 35
Details:
Simple unpacking of tElock 0.98b1 -> tE!.
Call it simple and it is simple; call it hard and it is hard. Hard because I did not understand how the tElock packer works; simple because there are unpacking tutorials from those who came before.
Today it's a ***, a nice **** tool; today I only cover unpacking, not cracking.
Tools used: TRW, SuperBPM, ImportREC.
016F:00451BD4 ADD [EAX],AL
016F:00451BD6 JMP 00450000 --------- entry point (JUMP )
016F:00451BDB ADD [EAX],AL
016F:00451BDD ADD CL,CH
016F:00451BDF MOV AL,26
016F:00451BE1 PUSH EDX
016F:00451BE2 PUSH DS
016F:00451BE3 SBB AL,05
016F:00451BE5 ADD [EBX+003941B1],BL
016F:00451BEB ADD DH,DH
016F:00451BED MOV EDI,00051C3E
016F:00451BF2 SBB AL,05
016F:00451BF5 ADD [ESI],AH
016F:00451BF7 SBB AL,05
016F:00451BF9 ADD [EDX+00395943],DH
016F:00450044 ADD [EAX],AL
016F:00450046 RET --------------- when you stop here, don't move; look further down.
016F:00450047 SUB DWORD PTR [EBX+08],36
016F:0045004C OR AL,22
016F:0045004E LOOPNZ 004500AE
016F:00450050 INT 3B
016F:00450055 STC
016F:00450056 DIV DWORD PTR [ECX]
016F:00450058 RCR AH,1
016F:0045005A MOV ESI,EDX
016F:0045005C OUT 6E,EAX
016F:0045005E IRETD
016F:0045005F MOV CH,E3
016F:00450061 LOOPZ 00450086
016F:00450063 TEST BH,DL
016F:004500A3 NOP
016F:004500A4 NOP
016F:004500A5 XOR EBX,EBX
016F:004500A7 DIV EBX
016F:004500A9 POP DWORD PTR FS:[0000]
016F:004500AF ADD ESP,04
016F:004500B2 MOV SI,4647 ------- put the cursor here.
016F:004500B6 MOV DI,4A4D
016F:004500BA MOV AL,[EBP+00000099]
016F:004500C0 JMP 00450161 ------- it jumps away from here.
016F:004500C5 MOV EAX,[ESP+04]
016F:004500C9 MOV ECX,[ESP+0C]
016F:004500CD INC DWORD PTR [ECX+000000B8]
016F:004500D3 MOV EAX,[EAX]
016F:004500D5 CMP EAX,C0000094
016F:00450161 SUB AL,04 ------ when you get here, change AL to 4, then keep stepping down
016F:00450420 MOV EDI,ESI
016F:00450422 MOV ECX,000012D7
016F:00450427 LODSB
016F:00450428 XOR AL,BL
016F:0045042A INC AL
016F:0045042C XOR AL,AF
016F:0045042E CLC
016F:0045042F ROL AL,03
016F:00450432 STOSB
016F:00450433 MOV BL,AL
016F:00450435 LOOP 00450427
016F:00450437 CLC --------- move the cursor here, press F7 to get here, then single-step with F8 from here on.
016F:00450438 JAE 00450684
016F:0045043E ADD [ESI-0A],CH
016F:00450441 MOV EDI,KERNEL32!LoadLibraryA
016F:00450684 PUSHAD
016F:00450685 CALL 00450693
016F:0045068A MOV ESP,[ESP+08]
016F:0045068E JMP 00450691
016F:00450690 JMP 0045067D
016F:00450692 SBB EBP,[EBX]
016F:00450694 LEAVE
016F:00450695 JZ 00450699
016F:00450697 INT 20 VXDJmp EB31,7F64
016F:0045069D ADD CL,CH
016F:0045069F AND [ECX*4+ECX+21],AH
016F:004506A3 INC ECX
016F:004506A4 DEC ECX
016F:004506A5 JZ 004506A8 ------ don't take this jump.
016F:004506A7 JMP 00450636
016F:00450ADE INT 20 VXDJmp EB01,6B9D
016F:00450AE4 CLC
016F:00450AE5 JAE 00450C05 ------ don't take this jump either! (JUMP )
016F:00450AEB LEA EAX,[EBP+00000A84]
016F:00450AF1 MOV [ESP+04],EAX
016F:00450AF5 MOV FS:[0000],ESP
016F:00450AFB JMP 00450B00
016F:00450B00 JMP 00450B21
016F:00450B02 OR DWORD PTR [EBX+8B082464],6C
016F:00450B09 AND AL,08
016F:00450B0B LEA EAX,[EBP+00000AAF]
016F:00450B11 PUSH EAX
016F:00450B12 JMP 00450B16
016F:00450B14 INT 20 VXDJmp 1C59,3581
016F:00450B1A ADD [EAX],AL
016F:00450B21 SUB EAX,EAX
016F:00450B23 JZ 00450B27
It seems there are more traps further down, but never mind; I just set bpx 4027FC directly. After it stops, suspend, then predump, and use ImportREC to repair the IAT. Thank goodness the program is VB, the IAT was not damaged, and unpacking is done. The 4027FC entry point was found with PEiD, which saved a lot of work.
小球
2003.3.12
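As an added example, not part of the original post: the decoding loop at 00450420 in the listing above (LODSB / XOR AL,BL / INC AL / XOR AL,AF / ROL AL,3 / STOSB / MOV BL,AL / LOOP) rewritten in Python, so an analyst can decode that layer statically from a dump instead of stepping it in the debugger. The post does not show the initial value of BL, so the function takes it as a parameter (assumed 0 by default); the inverse transform and the sample input are constructed here only to check the implementation.

```python
# Static reimplementation of the tElock layer decoder shown in the listing.
# The stub processes ECX = 0x12D7 bytes in place (EDI = ESI); here the length
# is simply whatever buffer is passed in.

def rol8(x, n):
    """8-bit rotate left, the semantics of ROL AL,n."""
    n &= 7
    return ((x << n) | (x >> (8 - n))) & 0xFF


def ror8(x, n):
    """8-bit rotate right, used only by the inverse transform."""
    n &= 7
    return ((x >> n) | (x << (8 - n))) & 0xFF


def decode_layer(data, bl=0):
    """Reproduce the loop at 00450427..00450435.

    Per byte: AL = ROL(((AL ^ BL) + 1) ^ 0xAF, 3); store AL; BL = AL.
    The initial BL is not given in the post; it is an assumed parameter.
    """
    out = bytearray()
    for b in data:
        al = b ^ bl              # XOR AL,BL
        al = (al + 1) & 0xFF     # INC AL (8-bit wrap)
        al ^= 0xAF               # XOR AL,AF
        al = rol8(al, 3)         # ROL AL,03 (CLC before it has no effect on ROL)
        out.append(al)           # STOSB
        bl = al                  # MOV BL,AL: chained state for the next byte
    return bytes(out)


def encode_layer(plain, bl=0):
    """Inverse transform (constructed, not part of the packer) so a round trip
    can be checked: undo each step in reverse order; the chained BL for the
    next byte is the decoded byte."""
    out = bytearray()
    for p in plain:
        al = ror8(p, 3)
        al ^= 0xAF
        al = (al - 1) & 0xFF
        al ^= bl
        out.append(al)
        bl = p
    return bytes(out)


# Constructed sample input: an arbitrary byte string standing in for a chunk
# of the packed section, used only to verify the round trip.
SAMPLE_PLAIN = bytes(range(0, 256, 7)) + b"MZ\x90\x00"


def roundtrip_ok(plain=SAMPLE_PLAIN, bl=0):
    """True if encode then decode reproduces the input for the given BL."""
    return decode_layer(encode_layer(plain, bl), bl) == plain


if __name__ == "__main__":
    print(decode_layer(b"\x00\x00").hex())   # first two output bytes for BL=0
    print("round trip ok:", roundtrip_ok())
```

Because each output byte feeds back into BL, a single wrong guess for the initial BL corrupts only the first byte; the rest of the stream still decodes, which is a quick way to confirm the stub's algorithm against a debugger dump before trusting the static decode.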