Themida 1.8.X 脱壳之泡泡堂不死外挂3.16
Themida 1.8.X 脱壳之泡泡堂不死外挂3.16
Themida 1.8.X 脱壳之泡泡堂不死外挂3.16
首先用PEID查下壳:什么也没发现,看区段名有Themida 字样,初步估计应该是1.8.X的。
载入后隐藏我们的OD,在代码段下内存写入断点
0041D014 > B8 00000000 MOV EAX,0 ;载入点。注意看这些代码
0041D019 60 PUSHAD
0041D01A 0BC0 OR EAX,EAX ;明眼的就看出是Themida 壳了
0041D01C 74 68 JE SHORT 无敌外挂.0041D086
0041D01E E8 00000000 CALL 无敌外挂.0041D023
0041D023 58 POP EAX
0041D024 05 53000000 ADD EAX,53
0041D029 8038 E9 CMP BYTE PTR DS:[EAX],0E9
0041D02C 75 13 JNZ SHORT 无敌外挂.0041D041
0041D02E 61 POPAD
0041D02F EB 45 JMP SHORT 无敌外挂.0041D076
===============================================================================
SHIFT+F9运行,第一次中断在下面:
004F14A2 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[> ;F7一次后F8一次
004F14A4 C685 CD2A1B07 5>MOV BYTE PTR SS:[EBP+71B2ACD],56
004F14AB 68 396D1FD4 PUSH D41F6D39
004F14B0 FFB5 FD051B07 PUSH DWORD PTR SS:[EBP+71B05FD]
004F14B6 8D85 E87C1E07 LEA EAX,DWORD PTR SS:[EBP+71E7CE8]
004F14BC FFD0 CALL EAX
004F14BE 68 00800000 PUSH 8000
004F14C3 6A 00 PUSH 0
004F14C5 52 PUSH EDX
004F14C6 FFD0 CALL EAX
===============================================================================
SHIFT+F9继续运行,断在下面:
004F52E1 8908 MOV DWORD PTR DS:[EAX],ECX ;中断在这里,往上面找代码
===============================================================================
004F4A80 /0F84 17000000 JE 无敌外挂.004F4A9D
004F4A86 |83BD 310E1B07 0>CMP DWORD PTR SS:[EBP+71B0E31],0
004F4A8D |0F85 0A000000 JNZ 无敌外挂.004F4A9D 《====改成JMP 004F4A9D ==========
004F4A93 |C785 410C1B07 0>MOV DWORD PTR SS:[EBP+71B0C41],1
004F4A9D \61 POPAD
004F4A9E B9 46A60308 MOV ECX,803A646
004F4AA3 BA 9AD13616 MOV EDX,1636D19A
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
004F4BC4 5E POP ESI
004F4BC5 83BD 31011B07 0>CMP DWORD PTR SS:[EBP+71B0131],1
004F4BCC 0F84 39000000 JE 无敌外挂.004F4C0B 《====改成JMP 004F4BF6 ===========
004F4BD2 3B8D 29081B07 CMP ECX,DWORD PTR SS:[EBP+71B0829]
004F4BD8 0F84 2D000000 JE 无敌外挂.004F4C0B
004F4BDE 3B8D 1D171B07 CMP ECX,DWORD PTR SS:[EBP+71B171D]
004F4BE4 0F84 21000000 JE 无敌外挂.004F4C0B
004F4BEA 3B8D 552A1B07 CMP ECX,DWORD PTR SS:[EBP+71B2A55]
004F4BF0 0F84 15000000 JE 无敌外挂.004F4C0B
004F4BF6 8D9D E2FD2107 LEA EBX,DWORD PTR SS:[EBP+721FDE2]
004F4BFC FFD3 CALL EBX
004F4BFE 8BF8 MOV EDI,EAX
004F4C00 8985 1D2F1B07 MOV DWORD PTR SS:[EBP+71B2F1D],EAX
004F4C06 E9 B4060000 JMP 无敌外挂.004F52BF
004F4C0B 8D9D E2FD2107 LEA EBX,DWORD PTR SS:[EBP+721FDE2]
004F4C11 FFD3 CALL EBX
004F4C13 83BD 31011B07 0>CMP DWORD PTR SS:[EBP+71B0131],0
===============================================================================
改好上面2处跳转(目的是避开加密)后返回中断处,用HideOD申请一段内存地址(我的是2A30000)
004F52E1 8908 MOV DWORD PTR DS:[EAX],ECX ;中断处,改成 JMP 2A30000
004F52E3 AD LODS DWORD PTR DS:[ESI]
004F52E4 C746 FC 0000000>MOV DWORD PTR DS:[ESI-4],0
004F52EB 89B5 6D301B07 MOV DWORD PTR SS:[EBP+71B306D],ESI ;地址A,记下来
004F52F1 83F8 FF CMP EAX,-1
004F52F4 0F85 20000000 JNZ 无敌外挂.004F531A
004F52FA 813E DDDDDDDD CMP DWORD PTR DS:[ESI],DDDDDDDD
004F5300 0F85 14000000 JNZ 无敌外挂.004F531A
004F5306 C706 00000000 MOV DWORD PTR DS:[ESI],0
004F530C 83C6 04 ADD ESI,4
004F530F 89B5 6D301B07 MOV DWORD PTR SS:[EBP+71B306D],ESI
004F5315 ^ E9 E6F6FFFF JMP 无敌外挂.004F4A00
004F531A C1C0 03 ROL EAX,3
004F531D 0385 11171B07 ADD EAX,DWORD PTR SS:[EBP+71B1711]
004F5323 83BD 99221B07 0>CMP DWORD PTR SS:[EBP+71B2299],1
004F532A 0F84 9D000000 JE 无敌外挂.004F53CD
004F5330 813E AAAAAAAA CMP DWORD PTR DS:[ESI],AAAAAAAA
004F5336 0F85 12000000 JNZ 无敌外挂.004F534E
004F533C 83C6 04 ADD ESI,4
004F533F C746 FC 0000000>MOV DWORD PTR DS:[ESI-4],0
004F5346 97 XCHG EAX,EDI
004F5347 B0 E9 MOV AL,0E9
004F5349 E9 03000000 JMP 无敌外挂.004F5351
004F534E 97 XCHG EAX,EDI
004F534F B0 E8 MOV AL,0E8
004F5351 50 PUSH EAX
004F5352 83BD 31011B07 0>CMP DWORD PTR SS:[EBP+71B0131],1
004F5359 0F84 3E000000 JE 无敌外挂.004F539D
004F535F B8 00010000 MOV EAX,100
004F5364 83BD C7E82107 0>CMP DWORD PTR SS:[EBP+721E8C7],0
004F536B 0F84 08000000 JE 无敌外挂.004F5379
004F5371 8D9D 61712107 LEA EBX,DWORD PTR SS:[EBP+7217161]
004F5377 FFD3 CALL EBX
004F5379 803F 90 CMP BYTE PTR DS:[EDI],90
004F537C 0F84 08000000 JE 无敌外挂.004F538A
004F5382 83C7 05 ADD EDI,5
004F5385 E9 43000000 JMP 无敌外挂.004F53CD
004F538A 83F8 50 CMP EAX,50
004F538D 0F82 0A000000 JB 无敌外挂.004F539D
004F5393 B0 90 MOV AL,90
004F5395 AA STOS BYTE PTR ES:[EDI]
004F5396 58 POP EAX
004F5397 AA STOS BYTE PTR ES:[EDI]
004F5398 E9 24000000 JMP 无敌外挂.004F53C1 ;改成 JMP 2A30014
004F539D 58 POP EAX
004F539E AA STOS BYTE PTR ES:[EDI]
004F539F 807F FF E9 CMP BYTE PTR DS:[EDI-1],0E9
004F53A3 0F85 18000000 JNZ 无敌外挂.004F53C1 ;改成 JMP 2A30036
004F53A9 83BD C7E82107 0>CMP DWORD PTR SS:[EBP+721E8C7],0 ;地址C,记下来
004F53B0 0F84 08000000 JE 无敌外挂.004F53BE
004F53B6 8D9D 31712107 LEA EBX,DWORD PTR SS:[EBP+7217131]
004F53BC FFD3 CALL EBX
004F53BE 8847 04 MOV BYTE PTR DS:[EDI+4],AL ;这里NOP掉
004F53C1 8B85 1D2F1B07 MOV EAX,DWORD PTR SS:[EBP+71B2F1D] ;地址B,记下来
004F53C7 2BC7 SUB EAX,EDI
004F53C9 83E8 04 SUB EAX,4
004F53CC AB STOS DWORD PTR ES:[EDI] ;这里NOP掉
004F53CD AD LODS DWORD PTR DS:[ESI]
004F53CE C746 FC 0000000>MOV DWORD PTR DS:[ESI-4],0
004F53D5 ^ E9 11FFFFFF JMP 无敌外挂.004F52EB ;改成 JMP 02A3005F
004F53DA 89B5 6D301B07 MOV DWORD PTR SS:[EBP+71B306D],ESI
004F53E0 52 PUSH EDX
004F53E1 68 00800000 PUSH 8000
004F53E6 6A 00 PUSH 0
004F53E8 FFB5 F5211B07 PUSH DWORD PTR SS:[EBP+71B21F5]
004F53EE FF95 49131B07 CALL DWORD PTR SS:[EBP+71B1349]
004F53F4 5A POP EDX
004F53F5 8B8D 9D121B07 MOV ECX,DWORD PTR SS:[EBP+71B129D]
004F53FB C701 00000000 MOV DWORD PTR DS:[ECX],0
004F5401 83C1 04 ADD ECX,4
004F5404 898D 9D121B07 MOV DWORD PTR SS:[EBP+71B129D],ECX
004F540A ^ E9 10F5FFFF JMP 无敌外挂.004F491F
004F540F E9 A4060000 JMP 无敌外挂.004F5AB8 ;这里F2下个断点
004F5414 60 PUSHAD
004F5415 8B8D 9D121B07 MOV ECX,DWORD PTR SS:[EBP+71B129D]
004F541B 8B09 MOV ECX,DWORD PTR DS:[ECX]
004F541D 898D C3E82107 MOV DWORD PTR SS:[EBP+721E8C3],ECX
004F5423 8138 4E54444C CMP DWORD PTR DS:[EAX],4C44544E
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
CTRL+G 来到2A30000处,写如下代码:
02A30000 A3 0004A302 MOV DWORD PTR DS:[2A30400],EAX
02A30005 8908 MOV DWORD PTR DS:[EAX],ECX
02A30007 AD LODS DWORD PTR DS:[ESI]
02A30008 C746 FC 0000000>MOV DWORD PTR DS:[ESI-4],0
02A3000F - E9 D752ACFD JMP 无敌外挂.004F52EB ;地址A
02A30014 50 PUSH EAX
02A30015 A1 0004A302 MOV EAX,DWORD PTR DS:[2A30400]
02A3001A 8907 MOV DWORD PTR DS:[EDI],EAX
02A3001C 807F FF E8 CMP BYTE PTR DS:[EDI-1],0E8
02A30020 75 08 JNZ SHORT 02A3002A
02A30022 66:C747 FE FF15 MOV WORD PTR DS:[EDI-2],15FF
02A30028 EB 06 JMP SHORT 02A30030
02A3002A 66:C747 FE FF25 MOV WORD PTR DS:[EDI-2],25FF
02A30030 58 POP EAX
02A30031 - E9 8B53ACFD JMP 无敌外挂.004F53C1 ;地址B
02A30036 50 PUSH EAX
02A30037 A1 0004A302 MOV EAX,DWORD PTR DS:[2A30400]
02A3003C 8947 01 MOV DWORD PTR DS:[EDI+1],EAX
02A3003F 807F FF E8 CMP BYTE PTR DS:[EDI-1],0E8
02A30043 75 08 JNZ SHORT 02A3004D
02A30045 66:C747 FF FF15 MOV WORD PTR DS:[EDI-1],15FF
02A3004B EB 06 JMP SHORT 02A30053
02A3004D 66:C747 FF FF25 MOV WORD PTR DS:[EDI-1],25FF
02A30053 58 POP EAX
02A30054 - 0F85 6753ACFD JNZ 无敌外挂.004F53C1 ;地址B
02A3005A - E9 4A53ACFD JMP 无敌外挂.004F53A9 ;地址C
02A3005F 83C7 04 ADD EDI,4
02A30062 - E9 8452ACFD JMP 无敌外挂.004F52EB ;地址A
02A30067 90 NOP
(二进制代码)
A3 00 04 A3 02 89 08 AD C7 46 FC 00 00 00 00 E9 D7 52 AC FD 50 A1 00 04 A3 02 89 07 80 7F FF E8
75 08 66 C7 47 FE FF 15 EB 06 66 C7 47 FE FF 25 58 E9 8B 53 AC FD 50 A1 00 04 A3 02 89 47 01 80
7F FF E8 75 08 66 C7 47 FF FF 15 EB 06 66 C7 47 FF FF 25 58 0F 85 67 53 AC FD E9 4A 53 AC FD 83
C7 04 E9 84 52 AC FD 90
================================================================================
写好代码后,删除先前在代码段下的内存写入断点,shift+F9,中断在004F540F,到这里已经获得了IAT,现在
找OEP.,在这里我采用世面上流传的找THEMIDA OEP方法:
取消004F540F处断点,ALT+M打开内存察看窗口,直接在代码段F2下断点。Shift+F9就中断在OEP处了
004013A8 - FF25 DC104000 JMP DWORD PTR DS:[4010DC] ; MSVBVM60.ThunRTMain
004013AE 0000 ADD BYTE PTR DS:[EAX],AL
004013B0 DA00 FIADD DWORD PTR DS:[EAX]
004013B2 5C POP ESP
004013B3 A7 CMPS DWORD PTR DS:[ESI],DWORD PTR ES:[ED>
004013B4 9E SAHF
004013B5 D20F ROR BYTE PTR DS:[EDI],CL
004013B7 EE OUT DX,AL ; I/O 命令
004013B8 8BED MOV EBP,EBP
004013BA 0000 ADD BYTE PTR DS:[EAX],AL
004013BC 0000 ADD BYTE PTR DS:[EAX],AL
004013BE 0000 ADD BYTE PTR DS:[EAX],AL
004013C0 3000 XOR BYTE PTR DS:[EAX],AL
004013C2 0000 ADD BYTE PTR DS:[EAX],AL
004013C4 3800 CMP BYTE PTR DS:[EAX],AL
004013C6 0000 ADD BYTE PTR DS:[EAX],AL
004013C8 0000 ADD BYTE PTR DS:[EAX],AL
004013CA 0000 ADD BYTE PTR DS:[EAX],AL
004013CC D9F2 FPTAN
通过上面的代码,我们很明显发现程序是用VB编译的,而且OEP已经被THEMIDA偷掉了,让我们来
手动修复他的OEP吧。我们先找一个没加壳的VB程序用OD载入进行对比一下就明白了。
004011D0 $- FF25 80104000 JMP DWORD PTR DS:[<&MSVBVM60.#100>] ; MSVBVM60.ThunRTMain
004011D6 00 DB 00
004011D7 00 DB 00
004011D8 > $ 68 7C184000 PUSH Variant.0040187C ;注意这里,(搜索VB5!)
004011DD . E8 EEFFFFFF CALL <JMP.&MSVBVM60.#100> ;这个CALL是指向上面的JMP
004011E2 . 0000 ADD BYTE PTR DS:[EAX],AL
004011E4 . 0000 ADD BYTE PTR DS:[EAX],AL
004011E6 . 0000 ADD BYTE PTR DS:[EAX],AL
004011E8 . 3000 XOR BYTE PTR DS:[EAX],AL
004011EA . 0000 ADD BYTE PTR DS:[EAX],AL
004011EC . 40 INC EAX
004011ED . 0000 ADD BYTE PTR DS:[EAX],AL
004011EF . 0000 ADD BYTE PTR DS:[EAX],AL
004011F1 . 0000 ADD BYTE PTR DS:[EAX],AL
004011F3 . 0058 2C ADD BYTE PTR DS:[EAX+2C],BL
004011F6 . 114A DB ADC DWORD PTR DS:[EDX-25],ECX
004011F9 . 43 INC EBX
004011FA . 8645 BA XCHG BYTE PTR SS:[EBP-46],AL
004011FD . 1822 SBB BYTE PTR DS:[EDX],AH
004011FF . 6D INS DWORD PTR ES:[EDI],DX ; I/O 命令
00401200 . CE INTO
00401201 . C3 RETN
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
改成如下代码就手动修复OEP了:
004013A8 - FF25 DC104000 JMP DWORD PTR DS:[4010DC] ; MSVBVM60.ThunRTMain
004013AE 0000 ADD BYTE PTR DS:[EAX],AL
004013B0 68 D07E4000 PUSH 无敌外挂.00407ED0 ; ASCII "VB5!6&vb6chs.dll"
004013B5 E8 EEFFFFFF CALL 无敌外挂.004013A8 ; JMP 到 MSVBVM60.ThunRTMain
004013BA 0000 ADD BYTE PTR DS:[EAX],AL
004013BC 0000 ADD BYTE PTR DS:[EAX],AL
004013BE 0000 ADD BYTE PTR DS:[EAX],AL
004013C0 3000 XOR BYTE PTR DS:[EAX],AL
004013C2 0000 ADD BYTE PTR DS:[EAX],AL
004013C4 3800 CMP BYTE PTR DS:[EAX],AL
004013C6 0000 ADD BYTE PTR DS:[EAX],AL
004013C8 0000 ADD BYTE PTR DS:[EAX],AL
004013CA 0000 ADD BYTE PTR DS:[EAX],AL
004013CC D9F2 FPTAN
===============================================================================
到这里修复后就可以用LOAD PE 脱壳,ImportREC修复输入表
OEP:000013AE
RVA:00001000
大小:00000118
剪取掉一个无效指针后修复。试运行一下脱壳修复好的程序,正常。
PEID查壳 Microsoft Visual Basic 5.0 / 6
发现脱壳后的文件巨大,用LOAD PE 清除 Themida 这个区段,保存,在用LOAD PE 重建。
再次打开重建后的程序,运行正常,文件大小98.1KB 到这里就脱壳+修复+优化完毕了。
首先用PEID查下壳:什么也没发现,看区段名有Themida 字样,初步估计应该是1.8.X的。
载入后隐藏我们的OD,在代码段下内存写入断点
0041D014 > B8 00000000 MOV EAX,0 ;载入点。注意看这些代码
0041D019 60 PUSHAD
0041D01A 0BC0 OR EAX,EAX ;明眼的就看出是Themida 壳了
0041D01C 74 68 JE SHORT 无敌外挂.0041D086
0041D01E E8 00000000 CALL 无敌外挂.0041D023
0041D023 58 POP EAX
0041D024 05 53000000 ADD EAX,53
0041D029 8038 E9 CMP BYTE PTR DS:[EAX],0E9
0041D02C 75 13 JNZ SHORT 无敌外挂.0041D041
0041D02E 61 POPAD
0041D02F EB 45 JMP SHORT 无敌外挂.0041D076
===============================================================================
SHIFT+F9运行,第一次中断在下面:
004F14A2 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[> ;F7一次后F8一次
004F14A4 C685 CD2A1B07 5>MOV BYTE PTR SS:[EBP+71B2ACD],56
004F14AB 68 396D1FD4 PUSH D41F6D39
004F14B0 FFB5 FD051B07 PUSH DWORD PTR SS:[EBP+71B05FD]
004F14B6 8D85 E87C1E07 LEA EAX,DWORD PTR SS:[EBP+71E7CE8]
004F14BC FFD0 CALL EAX
004F14BE 68 00800000 PUSH 8000
004F14C3 6A 00 PUSH 0
004F14C5 52 PUSH EDX
004F14C6 FFD0 CALL EAX
===============================================================================
SHIFT+F9继续运行,断在下面:
004F52E1 8908 MOV DWORD PTR DS:[EAX],ECX ;中断在这里,往上面找代码
===============================================================================
004F4A80 /0F84 17000000 JE 无敌外挂.004F4A9D
004F4A86 |83BD 310E1B07 0>CMP DWORD PTR SS:[EBP+71B0E31],0
004F4A8D |0F85 0A000000 JNZ 无敌外挂.004F4A9D 《====改成JMP 004F4A9D ==========
004F4A93 |C785 410C1B07 0>MOV DWORD PTR SS:[EBP+71B0C41],1
004F4A9D \61 POPAD
004F4A9E B9 46A60308 MOV ECX,803A646
004F4AA3 BA 9AD13616 MOV EDX,1636D19A
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
004F4BC4 5E POP ESI
004F4BC5 83BD 31011B07 0>CMP DWORD PTR SS:[EBP+71B0131],1
004F4BCC 0F84 39000000 JE 无敌外挂.004F4C0B 《====改成JMP 004F4BF6 ===========
004F4BD2 3B8D 29081B07 CMP ECX,DWORD PTR SS:[EBP+71B0829]
004F4BD8 0F84 2D000000 JE 无敌外挂.004F4C0B
004F4BDE 3B8D 1D171B07 CMP ECX,DWORD PTR SS:[EBP+71B171D]
004F4BE4 0F84 21000000 JE 无敌外挂.004F4C0B
004F4BEA 3B8D 552A1B07 CMP ECX,DWORD PTR SS:[EBP+71B2A55]
004F4BF0 0F84 15000000 JE 无敌外挂.004F4C0B
004F4BF6 8D9D E2FD2107 LEA EBX,DWORD PTR SS:[EBP+721FDE2]
004F4BFC FFD3 CALL EBX
004F4BFE 8BF8 MOV EDI,EAX
004F4C00 8985 1D2F1B07 MOV DWORD PTR SS:[EBP+71B2F1D],EAX
004F4C06 E9 B4060000 JMP 无敌外挂.004F52BF
004F4C0B 8D9D E2FD2107 LEA EBX,DWORD PTR SS:[EBP+721FDE2]
004F4C11 FFD3 CALL EBX
004F4C13 83BD 31011B07 0>CMP DWORD PTR SS:[EBP+71B0131],0
===============================================================================
改好上面2处跳转(目的是避开加密)后返回中断处,用HideOD申请一段内存地址(我的是2A30000)
004F52E1 8908 MOV DWORD PTR DS:[EAX],ECX ;中断处,改成 JMP 2A30000
004F52E3 AD LODS DWORD PTR DS:[ESI]
004F52E4 C746 FC 0000000>MOV DWORD PTR DS:[ESI-4],0
004F52EB 89B5 6D301B07 MOV DWORD PTR SS:[EBP+71B306D],ESI ;地址A,记下来
004F52F1 83F8 FF CMP EAX,-1
004F52F4 0F85 20000000 JNZ 无敌外挂.004F531A
004F52FA 813E DDDDDDDD CMP DWORD PTR DS:[ESI],DDDDDDDD
004F5300 0F85 14000000 JNZ 无敌外挂.004F531A
004F5306 C706 00000000 MOV DWORD PTR DS:[ESI],0
004F530C 83C6 04 ADD ESI,4
004F530F 89B5 6D301B07 MOV DWORD PTR SS:[EBP+71B306D],ESI
004F5315 ^ E9 E6F6FFFF JMP 无敌外挂.004F4A00
004F531A C1C0 03 ROL EAX,3
004F531D 0385 11171B07 ADD EAX,DWORD PTR SS:[EBP+71B1711]
004F5323 83BD 99221B07 0>CMP DWORD PTR SS:[EBP+71B2299],1
004F532A 0F84 9D000000 JE 无敌外挂.004F53CD
004F5330 813E AAAAAAAA CMP DWORD PTR DS:[ESI],AAAAAAAA
004F5336 0F85 12000000 JNZ 无敌外挂.004F534E
004F533C 83C6 04 ADD ESI,4
004F533F C746 FC 0000000>MOV DWORD PTR DS:[ESI-4],0
004F5346 97 XCHG EAX,EDI
004F5347 B0 E9 MOV AL,0E9
004F5349 E9 03000000 JMP 无敌外挂.004F5351
004F534E 97 XCHG EAX,EDI
004F534F B0 E8 MOV AL,0E8
004F5351 50 PUSH EAX
004F5352 83BD 31011B07 0>CMP DWORD PTR SS:[EBP+71B0131],1
004F5359 0F84 3E000000 JE 无敌外挂.004F539D
004F535F B8 00010000 MOV EAX,100
004F5364 83BD C7E82107 0>CMP DWORD PTR SS:[EBP+721E8C7],0
004F536B 0F84 08000000 JE 无敌外挂.004F5379
004F5371 8D9D 61712107 LEA EBX,DWORD PTR SS:[EBP+7217161]
004F5377 FFD3 CALL EBX
004F5379 803F 90 CMP BYTE PTR DS:[EDI],90
004F537C 0F84 08000000 JE 无敌外挂.004F538A
004F5382 83C7 05 ADD EDI,5
004F5385 E9 43000000 JMP 无敌外挂.004F53CD
004F538A 83F8 50 CMP EAX,50
004F538D 0F82 0A000000 JB 无敌外挂.004F539D
004F5393 B0 90 MOV AL,90
004F5395 AA STOS BYTE PTR ES:[EDI]
004F5396 58 POP EAX
004F5397 AA STOS BYTE PTR ES:[EDI]
004F5398 E9 24000000 JMP 无敌外挂.004F53C1 ;改成 JMP 2A30014
004F539D 58 POP EAX
004F539E AA STOS BYTE PTR ES:[EDI]
004F539F 807F FF E9 CMP BYTE PTR DS:[EDI-1],0E9
004F53A3 0F85 18000000 JNZ 无敌外挂.004F53C1 ;改成 JMP 2A30036
004F53A9 83BD C7E82107 0>CMP DWORD PTR SS:[EBP+721E8C7],0 ;地址C,记下来
004F53B0 0F84 08000000 JE 无敌外挂.004F53BE
004F53B6 8D9D 31712107 LEA EBX,DWORD PTR SS:[EBP+7217131]
004F53BC FFD3 CALL EBX
004F53BE 8847 04 MOV BYTE PTR DS:[EDI+4],AL ;这里NOP掉
004F53C1 8B85 1D2F1B07 MOV EAX,DWORD PTR SS:[EBP+71B2F1D] ;地址B,记下来
004F53C7 2BC7 SUB EAX,EDI
004F53C9 83E8 04 SUB EAX,4
004F53CC AB STOS DWORD PTR ES:[EDI] ;这里NOP掉
004F53CD AD LODS DWORD PTR DS:[ESI]
004F53CE C746 FC 0000000>MOV DWORD PTR DS:[ESI-4],0
004F53D5 ^ E9 11FFFFFF JMP 无敌外挂.004F52EB ;改成 JMP 02A3005F
004F53DA 89B5 6D301B07 MOV DWORD PTR SS:[EBP+71B306D],ESI
004F53E0 52 PUSH EDX
004F53E1 68 00800000 PUSH 8000
004F53E6 6A 00 PUSH 0
004F53E8 FFB5 F5211B07 PUSH DWORD PTR SS:[EBP+71B21F5]
004F53EE FF95 49131B07 CALL DWORD PTR SS:[EBP+71B1349]
004F53F4 5A POP EDX
004F53F5 8B8D 9D121B07 MOV ECX,DWORD PTR SS:[EBP+71B129D]
004F53FB C701 00000000 MOV DWORD PTR DS:[ECX],0
004F5401 83C1 04 ADD ECX,4
004F5404 898D 9D121B07 MOV DWORD PTR SS:[EBP+71B129D],ECX
004F540A ^ E9 10F5FFFF JMP 无敌外挂.004F491F
004F540F E9 A4060000 JMP 无敌外挂.004F5AB8 ;这里F2下个断点
004F5414 60 PUSHAD
004F5415 8B8D 9D121B07 MOV ECX,DWORD PTR SS:[EBP+71B129D]
004F541B 8B09 MOV ECX,DWORD PTR DS:[ECX]
004F541D 898D C3E82107 MOV DWORD PTR SS:[EBP+721E8C3],ECX
004F5423 8138 4E54444C CMP DWORD PTR DS:[EAX],4C44544E
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
CTRL+G 来到2A30000处,写如下代码:
02A30000 A3 0004A302 MOV DWORD PTR DS:[2A30400],EAX
02A30005 8908 MOV DWORD PTR DS:[EAX],ECX
02A30007 AD LODS DWORD PTR DS:[ESI]
02A30008 C746 FC 0000000>MOV DWORD PTR DS:[ESI-4],0
02A3000F - E9 D752ACFD JMP 无敌外挂.004F52EB ;地址A
02A30014 50 PUSH EAX
02A30015 A1 0004A302 MOV EAX,DWORD PTR DS:[2A30400]
02A3001A 8907 MOV DWORD PTR DS:[EDI],EAX
02A3001C 807F FF E8 CMP BYTE PTR DS:[EDI-1],0E8
02A30020 75 08 JNZ SHORT 02A3002A
02A30022 66:C747 FE FF15 MOV WORD PTR DS:[EDI-2],15FF
02A30028 EB 06 JMP SHORT 02A30030
02A3002A 66:C747 FE FF25 MOV WORD PTR DS:[EDI-2],25FF
02A30030 58 POP EAX
02A30031 - E9 8B53ACFD JMP 无敌外挂.004F53C1 ;地址B
02A30036 50 PUSH EAX
02A30037 A1 0004A302 MOV EAX,DWORD PTR DS:[2A30400]
02A3003C 8947 01 MOV DWORD PTR DS:[EDI+1],EAX
02A3003F 807F FF E8 CMP BYTE PTR DS:[EDI-1],0E8
02A30043 75 08 JNZ SHORT 02A3004D
02A30045 66:C747 FF FF15 MOV WORD PTR DS:[EDI-1],15FF
02A3004B EB 06 JMP SHORT 02A30053
02A3004D 66:C747 FF FF25 MOV WORD PTR DS:[EDI-1],25FF
02A30053 58 POP EAX
02A30054 - 0F85 6753ACFD JNZ 无敌外挂.004F53C1 ;地址B
02A3005A - E9 4A53ACFD JMP 无敌外挂.004F53A9 ;地址C
02A3005F 83C7 04 ADD EDI,4
02A30062 - E9 8452ACFD JMP 无敌外挂.004F52EB ;地址A
02A30067 90 NOP
(二进制代码)
A3 00 04 A3 02 89 08 AD C7 46 FC 00 00 00 00 E9 D7 52 AC FD 50 A1 00 04 A3 02 89 07 80 7F FF E8
75 08 66 C7 47 FE FF 15 EB 06 66 C7 47 FE FF 25 58 E9 8B 53 AC FD 50 A1 00 04 A3 02 89 47 01 80
7F FF E8 75 08 66 C7 47 FF FF 15 EB 06 66 C7 47 FF FF 25 58 0F 85 67 53 AC FD E9 4A 53 AC FD 83
C7 04 E9 84 52 AC FD 90
================================================================================
写好代码后,删除先前在代码段下的内存写入断点,shift+F9,中断在004F540F,到这里已经获得了IAT,现在
找OEP.,在这里我采用世面上流传的找THEMIDA OEP方法:
取消004F540F处断点,ALT+M打开内存察看窗口,直接在代码段F2下断点。Shift+F9就中断在OEP处了
004013A8 - FF25 DC104000 JMP DWORD PTR DS:[4010DC] ; MSVBVM60.ThunRTMain
004013AE 0000 ADD BYTE PTR DS:[EAX],AL
004013B0 DA00 FIADD DWORD PTR DS:[EAX]
004013B2 5C POP ESP
004013B3 A7 CMPS DWORD PTR DS:[ESI],DWORD PTR ES:[ED>
004013B4 9E SAHF
004013B5 D20F ROR BYTE PTR DS:[EDI],CL
004013B7 EE OUT DX,AL ; I/O 命令
004013B8 8BED MOV EBP,EBP
004013BA 0000 ADD BYTE PTR DS:[EAX],AL
004013BC 0000 ADD BYTE PTR DS:[EAX],AL
004013BE 0000 ADD BYTE PTR DS:[EAX],AL
004013C0 3000 XOR BYTE PTR DS:[EAX],AL
004013C2 0000 ADD BYTE PTR DS:[EAX],AL
004013C4 3800 CMP BYTE PTR DS:[EAX],AL
004013C6 0000 ADD BYTE PTR DS:[EAX],AL
004013C8 0000 ADD BYTE PTR DS:[EAX],AL
004013CA 0000 ADD BYTE PTR DS:[EAX],AL
004013CC D9F2 FPTAN
通过上面的代码,我们很明显发现程序是用VB编译的,而且OEP已经被THEMIDA偷掉了,让我们来
手动修复他的OEP吧。我们先找一个没加壳的VB程序用OD载入进行对比一下就明白了。
004011D0 $- FF25 80104000 JMP DWORD PTR DS:[<&MSVBVM60.#100>] ; MSVBVM60.ThunRTMain
004011D6 00 DB 00
004011D7 00 DB 00
004011D8 > $ 68 7C184000 PUSH Variant.0040187C ;注意这里,(搜索VB5!)
004011DD . E8 EEFFFFFF CALL <JMP.&MSVBVM60.#100> ;这个CALL是指向上面的JMP
004011E2 . 0000 ADD BYTE PTR DS:[EAX],AL
004011E4 . 0000 ADD BYTE PTR DS:[EAX],AL
004011E6 . 0000 ADD BYTE PTR DS:[EAX],AL
004011E8 . 3000 XOR BYTE PTR DS:[EAX],AL
004011EA . 0000 ADD BYTE PTR DS:[EAX],AL
004011EC . 40 INC EAX
004011ED . 0000 ADD BYTE PTR DS:[EAX],AL
004011EF . 0000 ADD BYTE PTR DS:[EAX],AL
004011F1 . 0000 ADD BYTE PTR DS:[EAX],AL
004011F3 . 0058 2C ADD BYTE PTR DS:[EAX+2C],BL
004011F6 . 114A DB ADC DWORD PTR DS:[EDX-25],ECX
004011F9 . 43 INC EBX
004011FA . 8645 BA XCHG BYTE PTR SS:[EBP-46],AL
004011FD . 1822 SBB BYTE PTR DS:[EDX],AH
004011FF . 6D INS DWORD PTR ES:[EDI],DX ; I/O 命令
00401200 . CE INTO
00401201 . C3 RETN
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
改成如下代码就手动修复OEP了:
004013A8 - FF25 DC104000 JMP DWORD PTR DS:[4010DC] ; MSVBVM60.ThunRTMain
004013AE 0000 ADD BYTE PTR DS:[EAX],AL
004013B0 68 D07E4000 PUSH 无敌外挂.00407ED0 ; ASCII "VB5!6&vb6chs.dll"
004013B5 E8 EEFFFFFF CALL 无敌外挂.004013A8 ; JMP 到 MSVBVM60.ThunRTMain
004013BA 0000 ADD BYTE PTR DS:[EAX],AL
004013BC 0000 ADD BYTE PTR DS:[EAX],AL
004013BE 0000 ADD BYTE PTR DS:[EAX],AL
004013C0 3000 XOR BYTE PTR DS:[EAX],AL
004013C2 0000 ADD BYTE PTR DS:[EAX],AL
004013C4 3800 CMP BYTE PTR DS:[EAX],AL
004013C6 0000 ADD BYTE PTR DS:[EAX],AL
004013C8 0000 ADD BYTE PTR DS:[EAX],AL
004013CA 0000 ADD BYTE PTR DS:[EAX],AL
004013CC D9F2 FPTAN
===============================================================================
到这里修复后就可以用LOAD PE 脱壳,ImportREC修复输入表
OEP:000013AE
RVA:00001000
大小:00000118
剪取掉一个无效指针后修复。试运行一下脱壳修复好的程序,正常。
PEID查壳 Microsoft Visual Basic 5.0 / 6
发现脱壳后的文件巨大,用LOAD PE 清除 Themida 这个区段,保存,在用LOAD PE 重建。
再次打开重建后的程序,运行正常,文件大小98.1KB 到这里就脱壳+修复+优化完毕了。