关于Armadillo 3.**的脱壳
MyTheatre是一个播放电影(电视)的软件。主程序下载地址:
完整版(15M):[color=#2f5fa1]http://www.hippo.ru/~sorgelig/files/MyTheatre.v3.12.exe[/color]
迷你版(6M):[color=#2f5fa1]http://www.hippo.ru/~sorgelig/files/MyTheatre.v3.12.lite.exe[/color]
使用工具WIN2000,ollydbg1.10a,import Rec 1.6,PIED092,LordPE。
我采取的步骤:
1、使用PIED092查看主程序MyTheatre.exe为:Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay]
2、ollydbg载入,设置BP OpenMutexA ,补丁设隐藏。
3、断下后在401000改为:609C68DCFB120033C05050E8E694A6779D61E98F9FA777,
即:
00401000 60 PUSHAD
00401001 9C PUSHFD
00401002 68 DCFB1200 PUSH 12FBDC ; ASCII "480::DAEE2CA7C8"
00401007 33C0 XOR EAX,EAX
00401009 50 PUSH EAX
0040100A 50 PUSH EAX
0040100B E8 E694A677 CALL KERNEL32.CreateMutexA
00401010 9D POPFD
00401011 61 POPAD
00401012 - E9 8F9FA777 JMP KERNEL32.OpenMutexA
4、设BP GetModuleHandleA,经过
0012EFCC 78001E96 /CALL to GetModuleHandleA from MSVCRT.78001E90
0012EFD0 780322D4 \pModule = "KERNEL32"
0012F054 77A03F02 /CALL to GetModuleHandleA from OLEAUT32.77A03EFC
0012F058 779A0630 \pModule = "kernel32.dll"
0012F048 77A072DB /CALL to GetModuleHandleA from OLEAUT32.77A072D5
0012F04C 779A0994 \pModule = "KERNEL32"
0012EF80 779A83DB /CALL to GetModuleHandleA from OLEAUT32.779A83D5
0012EF84 77A1ADA8 \pModule = "KERNEL32.DLL"
0012EF80 779A83DB /CALL to GetModuleHandleA from OLEAUT32.779A83D5
0012EF84 77A1ADA8 \pModule = "KERNEL32.DLL"
0012F540 008C3248 /CALL to GetModuleHandleA from MyTheatr.008C3242
0012F544 00000000 \pModule = NULL
返回到:
008C3240 |> \6A 00 PUSH 0 ; /pModule = NULL
008C3242 |. FF15 84F18F00 CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA
008C3248 |. 8945 A4 MOV DWORD PTR SS:[EBP-5C],EAX ; MyTheatr.00400000
008C324B |> 8B55 A4 MOV EDX,DWORD PTR SS:[EBP-5C]
008C324E |. 8955 E4 MOV DWORD PTR SS:[EBP-1C],EDX
008C3251 |. A1 5CF28F00 MOV EAX,DWORD PTR DS:[8FF25C]
008C3256 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
008C3259 |. C745 EC FFFFFFFF MOV DWORD PTR SS:[EBP-14],-1
008C3260 |. 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
008C3263 |. 51 PUSH ECX
008C3264 |. FF55 F0 CALL DWORD PTR SS:[EBP-10]
008C3267 |. 83C4 04 ADD ESP,4
008C326A |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
008C326D |. 837D EC FF CMP DWORD PTR SS:[EBP-14],-1
008C3271 |. 74 0B JE SHORT MyTheatr.008C327E
008C3273 |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
008C3276 |. 8915 58549000 MOV DWORD PTR DS:[905458],EDX
008C327C |. EB 10 JMP SHORT MyTheatr.008C328E
008C327E |> 837D FC 01 CMP DWORD PTR SS:[EBP-4],1
008C3282 |. 74 0A JE SHORT MyTheatr.008C328E
008C3284 |. C705 58549000 01000000 MOV DWORD PTR DS:[905458],1
008C328E |> 837D B0 00 CMP DWORD PTR SS:[EBP-50],0
008C3292 74 0A JE SHORT MyTheatr.008C329E
008C3294 |. 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]
008C3297 |. 50 PUSH EAX ; /hWnd
008C3298 |. FF15 0CF28F00 CALL DWORD PTR DS:[<&USER32.DestroyWindow>] ; \DestroyWindow
008C329E |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
008C32A1 |> 8BE5 MOV ESP,EBP
008C32A3 |. 5D POP EBP
008C32A4 \. C3 RETN
此处没找到 ★Magic Jump ★
5、按ALT+M设断401000,F9后找到入口地址:
00568CE4 55 PUSH EBP
00568CE5 8BEC MOV EBP,ESP
00568CE7 B9 0C000000 MOV ECX,0C
00568CEC 6A 00 PUSH 0
00568CEE 6A 00 PUSH 0
00568CF0 49 DEC ECX
00568CF1 ^ 75 F9 JNZ SHORT MyTheatr.00568CEC
00568CF3 B8 A4875600 MOV EAX,MyTheatr.005687A4
00568CF8 E8 73E5E9FF CALL MyTheatr.00407270
00568CFD 33C0 XOR EAX,EAX
00568CFF 55 PUSH EBP
00568D00 68 E2985600 PUSH MyTheatr.005698E2
00568D05 64:FF30 PUSH DWORD PTR FS:[EAX]
00568D08 64:8920 MOV DWORD PTR FS:[EAX],ESP
00568D0B 64:8B05 18000000 MOV EAX,DWORD PTR FS:[18]
00568D12 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]
00568D15 31C9 XOR ECX,ECX
00568D17 8848 02 MOV BYTE PTR DS:[EAX+2],CL
00568D1A 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
00568D1D A1 C8215700 MOV EAX,DWORD PTR DS:[5721C8]
00568D22 8B00 MOV EAX,DWORD PTR DS:[EAX]
00568D24 E8 BFB8F2FF CALL MyTheatr.004945E8
00568D29 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00568D2C 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
00568D2F E8 9019EAFF CALL MyTheatr.0040A6C4
00568D34 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
00568D37 A1 881E5700 MOV EAX,DWORD PTR DS:[571E88]
00568D3C E8 AFBEE9FF CALL MyTheatr.00404BF0
00568D41 68 0C1B5700 PUSH MyTheatr.00571B0C
00568D46 68 24845600 PUSH MyTheatr.00568424
00568D4B E8 E4EFE9FF CALL MyTheatr.00407D34 ; JMP to USER32.EnumWindows
00568D50 8B15 341C5700 MOV EDX,DWORD PTR DS:[571C34] ; MyTheatr.006FD7AC
00568D56 A1 64215700 MOV EAX,DWORD PTR DS:[572164]
00568D5B 8B00 MOV EAX,DWORD PTR DS:[EAX]
00568D5D E8 169DFDFF CALL MyTheatr.00542A78
00568D62 A1 341C5700 MOV EAX,DWORD PTR DS:[571C34]
00568D67 8B00 MOV EAX,DWORD PTR DS:[EAX]
00568D69 33D2 XOR EDX,EDX
00568D6B 8B08 MOV ECX,DWORD PTR DS:[EAX]
00568D6D FF51 48 CALL DWORD PTR DS:[ECX+48]
00568D70 A1 E41A5700 MOV EAX,DWORD PTR DS:[571AE4]
00568D75 A3 0C1B5700 MOV DWORD PTR DS:[571B0C],EAX
00568D7A 33C0 XOR EAX,EAX
00568D7C A3 101B5700 MOV DWORD PTR DS:[571B10],EAX
00568D81 B9 F8985600 MOV ECX,MyTheatr.005698F8 ; ASCII "MyTheatre_Common"
00568D86 33D2 XOR EDX,EDX
00568D88 B8 14995600 MOV EAX,MyTheatr.00569914 ; ASCII "SeparateProfiles"
00568D8D E8 1AB1FCFF CALL MyTheatr.00533EAC
00568D92 84C0 TEST AL,AL
00568D94 0F84 F1000000 JE MyTheatr.00568E8B
女子雇私家侦探勾引二奶为挽回婚姻
*** 作者被禁止或删除 内容自动屏蔽 ***页:
[1]