tElock 0.98b1 -> tE!: simple unpacking.
Date: 2004/10/15 0:56:00   Source: compiled by this site   Author: 蓝点
Call it simple and it is simple; call it hard and it is hard. The hard part is not understanding how the tElock packer works; the easy part is that earlier unpacking tutorials already exist. :)
Today's target is LocPlus 1.05, a decent VB string-replacement tool. Only the unpacking is covered here, not the cracking.
Usual tools: TRW, superbmp, ImportREC.
016F:00451BD4 ADD [EAX],AL
016F:00451BD6 JMP 00450000 ---------entry point of the packer stub (JUMP)
016F:00451BDB ADD [EAX],AL
016F:00451BDD ADD CL,CH
016F:00451BDF MOV AL,26
016F:00451BE1 PUSH EDX
016F:00451BE2 PUSH DS
016F:00451BE3 SBB AL,05
016F:00451BE5 ADD [EBX+003941B1],BL
016F:00451BEB ADD DH,DH
016F:00451BED MOV EDI,00051C3E
016F:00451BF2 SBB AL,05
016F:00451BF5 ADD [ESI],AH
016F:00451BF7 SBB AL,05
016F:00451BF9 ADD [EDX+00395943],DH
016F:00450044 ADD [EAX],AL
016F:00450046 RET ---------------when it stops here, don't touch anything; read on.
016F:00450047 SUB DWORD PTR [EBX+08],36
016F:0045004C OR AL,22
016F:0045004E LOOPNZ 004500AE
016F:00450050 INT 3B
016F:00450055 STC
016F:00450056 DIV DWORD PTR [ECX]
016F:00450058 RCR AH,1
016F:0045005A MOV ESI,EDX
016F:0045005C OUT 6E,EAX
016F:0045005E IRETD
016F:0045005F MOV CH,E3
016F:00450061 LOOPZ 00450086
016F:00450063 TEST BH,DL
016F:004500A3 NOP
016F:004500A4 NOP
016F:004500A5 XOR EBX,EBX
016F:004500A7 DIV EBX ------------deliberate divide by zero: raises an exception that the SEH handler installed above catches (anti-debug / control-flow obfuscation).
016F:004500A9 POP DWORD PTR FS:[0000] ---restores the previous SEH frame once the handler has returned here.
016F:004500AF ADD ESP,04
016F:004500B2 MOV SI,4647 -------put the cursor here.
016F:004500B6 MOV DI,4A4D
016F:004500BA MOV AL,[EBP+00000099]
016F:004500C0 JMP 00450161 -------it jumps away from here.
016F:004500C5 MOV EAX,[ESP+04] -------the SEH handler: [ESP+4] is the EXCEPTION_RECORD pointer, [ESP+0C] the CONTEXT pointer.
016F:004500C9 MOV ECX,[ESP+0C]
016F:004500CD INC DWORD PTR [ECX+000000B8] ---CONTEXT.Eip (offset 0xB8 on x86) is advanced by one byte, so execution resumes one byte into the faulting DIV EBX.
016F:004500D3 MOV EAX,[EAX] -------ExceptionCode
016F:004500D5 CMP EAX,C0000094 -------STATUS_INTEGER_DIVIDE_BY_ZERO, i.e. the DIV EBX above.
016F:00450161 SUB AL,04 ------when you get here, set AL to 4, then keep stepping.
016F:00450420 MOV EDI,ESI
016F:00450422 MOV ECX,000012D7
016F:00450427 LODSB
016F:00450428 XOR AL,BL
016F:0045042A INC AL
016F:0045042C XOR AL,AF
016F:0045042E CLC
016F:0045042F ROL AL,03
016F:00450432 STOSB
016F:00450433 MOV BL,AL
016F:00450435 LOOP 00450427
016F:00450437 CLC---------move the cursor here, press F7 to run to it, then single-step with F8 from here on.
016F:00450438 JAE 00450684
016F:0045043E ADD [ESI-0A],CH
016F:00450441 MOV EDI,KERNEL32!LoadLibraryA
016F:00450684 PUSHAD
016F:00450685 CALL 00450693
016F:0045068A MOV ESP,[ESP+08]
016F:0045068E JMP 00450691
016F:00450690 JMP 0045067D
016F:00450692 SBB EBP,[EBX]
016F:00450694 LEAVE
016F:00450695 JZ 00450699
016F:00450697 INT 20 VXDJmp EB31,7F64
016F:0045069D ADD CL,CH
016F:0045069F AND [ECX*4+ECX+21],AH
016F:004506A3 INC ECX
016F:004506A4 DEC ECX
016F:004506A5 JZ 004506A8------do not let this jump be taken.
016F:004506A7 JMP 00450636
016F:00450ADE INT 20 VXDJmp EB01,6B9D
016F:00450AE4 CLC
016F:00450AE5 JAE 00450C05------do not take this one either! (JUMP)
016F:00450AEB LEA EAX,[EBP+00000A84]
016F:00450AF1 MOV [ESP+04],EAX
016F:00450AF5 MOV FS:[0000],ESP
016F:00450AFB JMP 00450B00
016F:00450B00 JMP 00450B21
016F:00450B02 OR DWORD PTR [EBX+8B082464],6C
016F:00450B09 AND AL,08
016F:00450B0B LEA EAX,[EBP+00000AAF]
016F:00450B11 PUSH EAX
016F:00450B12 JMP 00450B16
016F:00450B14 INT 20 VXDJmp 1C59,3581
016F:00450B1A ADD [EAX],AL
016F:00450B21 SUB EAX,EAX
016F:00450B23 JZ 00450B27
There seem to be more traps further down; never mind, just set bpx 4027FC. Once it breaks there, suspend the process, dump it with predump, and repair the IAT with ImportREC. Thankfully the program is VB, so the IAT was not damaged, and the unpacking is done. The entry point 4027FC was found with PEiD, which saved a lot of work.
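The loop at 00450420..00450435 in the listing is the packer's byte-decryption routine: each stored byte is XORed with BL, incremented, XORed with AF and rotated left by 3, and the decrypted byte becomes the BL used for the next one (MOV BL,AL), so it is a chained byte cipher written back in place (MOV EDI,ESI). The Python below is an added example, not code from the article or from tElock; it emulates that loop for an arbitrary buffer, derives the inverse (the transform the packer applied when building the file) and shows why a single byte patched in the still-encrypted section garbles every byte after it. The initial value of BL is not visible in the excerpt and is taken as a parameter (assumption, default 0); the sample input is constructed.

```python
# Emulation of the tElock decryption loop seen at 00450420 (added example,
# not the packer's or the article author's code). Register names in the
# comments refer to the listing.

LOOP_LEN = 0x12D7  # ECX as loaded by MOV ECX,000012D7 in the listing


def rol8(v: int, n: int) -> int:
    """8-bit rotate left, the effect of ROL AL,n."""
    n &= 7
    return ((v << n) | (v >> (8 - n))) & 0xFF


def ror8(v: int, n: int) -> int:
    """8-bit rotate right (inverse of rol8)."""
    n &= 7
    return ((v >> n) | (v << (8 - n))) & 0xFF


def telock_decrypt(data: bytes, bl: int = 0) -> bytes:
    """One pass of the loop body for every byte of `data`.

    LODSB ; XOR AL,BL ; INC AL ; XOR AL,AF ; ROL AL,03 ; STOSB ; MOV BL,AL
    `bl` is the value BL holds when the loop is entered (assumption: the
    excerpt does not show where it is set).
    """
    out = bytearray()
    for b in data:
        al = b ^ bl            # XOR AL,BL
        al = (al + 1) & 0xFF   # INC AL
        al ^= 0xAF             # XOR AL,AF
        al = rol8(al, 3)       # ROL AL,03
        out.append(al)         # STOSB
        bl = al                # MOV BL,AL: the decrypted byte keys the next one
    return bytes(out)


def telock_encrypt(plain: bytes, bl: int = 0) -> bytes:
    """Inverse transform: what the packer stored so that telock_decrypt
    recovers `plain`. Each step is undone in reverse order; the chaining
    value is the *decrypted* byte, exactly as in the loop."""
    out = bytearray()
    for p in plain:
        al = ror8(p, 3)        # undo ROL AL,03
        al ^= 0xAF             # undo XOR AL,AF
        al = (al - 1) & 0xFF   # undo INC AL
        al ^= bl               # undo XOR AL,BL
        out.append(al)
        bl = p
    return bytes(out)


def decrypt_in_place(image: bytearray, offset: int, bl: int = 0,
                     length: int = LOOP_LEN) -> None:
    """Apply the loop to `length` bytes of `image` starting at `offset`,
    overwriting them as the stub does (EDI == ESI)."""
    region = bytes(image[offset:offset + length])
    image[offset:offset + length] = telock_decrypt(region, bl)


def garbled_suffix_len(plain: bytes, bl: int = 0, flip_at: int = 0) -> int:
    """Patch one stored byte and count how many decrypted bytes differ.

    Because every output byte depends on the previous output byte, a flip
    at index i changes byte i and every byte after it, so the result is
    len(plain) - flip_at. This is why patching must wait until the section
    has been decrypted and dumped."""
    stored = bytearray(telock_encrypt(plain, bl))
    stored[flip_at] ^= 0x01
    recovered = telock_decrypt(bytes(stored), bl)
    return sum(1 for a, b in zip(recovered, plain) if a != b)


if __name__ == "__main__":
    # Constructed sample data standing in for a packed section.
    sample = bytes(range(256)) * 4
    stored = telock_encrypt(sample, bl=0)
    assert telock_decrypt(stored, bl=0) == sample
    print("round trip ok; garbled bytes after a flip at 100:",
          garbled_suffix_len(sample, flip_at=100))
```

Running the module checks the round trip on a constructed 1024-byte buffer and reports how far a single corrupted input byte propagates. The same functions apply to a real dump once the offset of the encrypted region and the entry value of BL are read from the debugger.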