
DOS unpacking article (English)

Date: 2004/10/15 0:58:00  Source: compiled by this site  Author: 蓝点

Topic: How to use TR to unpack DOS exe-packers (by GustawKit)
Tools: The SUPER TRACER version 2.50 (http://www.netease.com/~ayliutt)
PKLite v1.50: load the packed program with
tr pk150.exe
TR stops at the packer's entry point:


    PUSH      AX                      ;2978:0100  50              
    MOV      AX,01B9                  ;2978:0101  B8B901          
    MOV      DX,000B                  ;2978:0104  BA0B00          
    ADD      AX,2988                  ;2978:0107  058829          
    CMP      AX,[0002]                ;2978:010A  3B060200        
    JB        013A                    ;2978:010E  722A            
    MOV      AH,09                    ;2978:0110  B409            
    MOV      DX,011C                  ;2978:0112  BA1C01          
    INT      21                      ;2978:0115  CD21            
    MOV      AX,4C01                  ;2978:0117  B8014C          
    ..................
    ..................
    PUSH      CX                      ;2978:0140  51              
    SUB      AX,0019                  ;2978:0141  2D1900    ---> AX = 2B08
    MOV      ES,AX                    ;2978:0144  8EC0            ES = address of the unpacking routine
    PUSH      AX                      ;2978:0146  50              
    MOV      CX,00C5                  ;2978:0147  B9C500          
    XOR      DI,DI                    ;2978:014A  33FF            
    PUSH      DI                      ;2978:014C  57              
    MOV      SI,0154                  ;2978:014D  BE5401          
    CLD                                ;2978:0150  FC              
    REPZ                              ;2978:0151  F3              
    MOVSW                              ;2978:0152  A5              
    RETF                              ;2978:0153  CB      



From the entry at 2978:0100 the stub runs down to the RETF at 2978:0153: it copies 0C5h words of decompressor code to ES:0000 with REPZ MOVSW and then jumps to it with RETF. Set a breakpoint on this first RETF, run to it, and step through it:
bpx RETF(1) g
F8


here:
    STD                                ;2B08:0000  FD              
    MOV      BX,DS                    ;2B08:0001  8CDB            
    PUSH      BX                      ;2B08:0003  53              
    ADD      BX,2E                    ;2B08:0004  83C32E          
    NOP                                ;2B08:0007  90              
    ADD      BX,DX                    ;2B08:0008  03DA            
    MOV      BP,CS                    ;2B08:000A  8CCD            
    MOV      AX,DX                    ;2B08:000C  8BC2            
    AND      AH,0F                    ;2B08:000E  80E40F          
    MOV      CL,04                    ;2B08:0011  B104            
    MOV      SI,DX                    ;2B08:0013  8BF2            
    SHL      SI,CL                    ;2B08:0015  D3E6            
    ...................
    ...................
    XOR      BX,BX                    ;2B08:0155  33DB            
    MOV      CX,BX                    ;2B08:0157  8BCB            
    MOV      DX,BX                    ;2B08:0159  8BD3            
    MOV      BP,BX                    ;2B08:015B  8BEB            
    MOV      SI,BX                    ;2B08:015D  8BF3            
    MOV      DI,BX                    ;2B08:015F  8BFB            
    RETF                              ;2B08:0161  CB    


The decompressor ends by zeroing the registers and returning with a second RETF to the unpacked program. Break on this second RETF, run, and step through it:
bpx RETF(2) g
F8


here:
    PUSH      AX                      ;2988:0000  50--->oep              
    PUSH      BX                      ;2988:0001  53              
    MOV      AX,DS                    ;2988:0002  8CD8            
    MOV      BX,CS                    ;2988:0004  8CCB            
    SUB      BX,10                    ;2988:0006  83EB10          
    CMP      AX,BX                    ;2988:0009  3BC3            
    JNE      0016                    ;2988:000B  7509            
    MOV      AX,2988                  ;2988:000D  B88829          
    MOV      DS,AX                    ;2988:0010  8ED8            
    INC      [BYTE 00A7]              ;2988:0012  FE06A700        
    MOV      AX,2988                  ;2988:0016  B88829          
    MOV      DS,AX                    ;2988:0019  8ED8            
    POP      BX                      ;2988:001B  5B              
    POP      AX                      ;2988:001C  58


OK! We have found the application's OEP here. Now do:
EXE1
RELOAD
pret
pret
t
WEXE1



EXE2
RELOAD
pret
pret
t
WEXE2
q


This produces two files:
mem1.dat  mem2.dat


Exit TR 2.5 back to DOS and run mkexe: it reads the two files and links them into mem.exe, the unpacked program.


Or let TR 2.5 do it automatically:
exe1
reload
goknl count      (count = number of packing layers?; here it is 1)
wexe1
exe2
reload
goknl count
wexe2
q


Then run mkexe.exe as before.
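The reason TR writes two dumps is that exe1 and exe2 load the program at two different segments: every word that differs between mem1.dat and mem2.dat by exactly the segment difference is a segment value the DOS loader fixed up, and those positions are the relocation table the rebuilt EXE needs. The Python below is an added example of that reconstruction for both the manual and the automatic procedure above (it is not TR's or mkexe's code, and that mkexe works this way is an assumption); it runs on the 29 OEP bytes from the listing, dumped at 2988h and, as a constructed second load, at 3988h, with placeholder SS:SP values.

```python
import struct

def find_relocs(dump1, dump2, seg1, seg2):
    """Offsets of the 16-bit words that differ between two dumps of the same
    program loaded at seg1 and seg2 by exactly seg2-seg1: those are segment
    values the DOS loader fixed up, i.e. the relocation entries."""
    delta = (seg2 - seg1) & 0xFFFF
    if delta == 0:
        raise ValueError("the two dumps must come from different load segments")
    relocs, i, n = [], 0, min(len(dump1), len(dump2))
    while i + 1 < n:
        w1 = dump1[i] | (dump1[i + 1] << 8)
        w2 = dump2[i] | (dump2[i + 1] << 8)
        if (w2 - w1) & 0xFFFF == delta:
            relocs.append(i)
            i += 2                      # fixed-up words never overlap
        elif dump1[i] == dump2[i]:
            i += 1
        else:
            raise ValueError(f"dumps differ at {i:#06x} by other than the delta")
    return relocs

def build_mz(dump, load_seg, relocs, cs, ip, ss, sp):
    """Wrap a dump taken at load_seg in an MZ header. Fixed-up words are made
    relative to segment 0 again so the DOS loader can relocate them itself."""
    image = bytearray(dump)
    for off in relocs:
        w = ((image[off] | (image[off + 1] << 8)) - load_seg) & 0xFFFF
        image[off:off + 2] = struct.pack("<H", w)
    table = b"".join(struct.pack("<HH", off & 0xF, off >> 4) for off in relocs)
    hdr_len = (0x1C + len(table) + 15) & ~15      # header is whole paragraphs
    total = hdr_len + len(image)
    header = struct.pack("<2s13H", b"MZ", total % 512, (total + 511) // 512,
                         len(relocs), hdr_len // 16, 0, 0xFFFF, ss, sp, 0, ip, cs, 0x1C, 0)
    return (header + table).ljust(hdr_len, b"\0") + bytes(image)

# Constructed sample: the 29 bytes at the OEP in the listing (2988:0000), dumped at
# 2988h and at 3988h; only the segment operands of the two MOV AX,2988 change.
OEP_AT_2988 = bytes.fromhex("50538CD88CCB83EB103BC37509B888298ED8FE06A700B888298ED85B58")
OEP_AT_3988 = OEP_AT_2988.replace(b"\xb8\x88\x29", b"\xb8\x88\x39")

def rebuild_sample():
    relocs = find_relocs(OEP_AT_2988, OEP_AT_3988, 0x2988, 0x3988)
    # CS:IP = 0000:0000 from the listing; SS:SP are placeholders, not on the page
    return relocs, build_mz(OEP_AT_2988, 0x2988, relocs, cs=0, ip=0, ss=0, sp=0x100)

if __name__ == "__main__":
    relocs, exe = rebuild_sample()
    print("relocations at", [f"{r:#06x}" for r in relocs], "->", len(exe), "byte MZ file")
```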


WWPack:
tr wwpack.exe
TR stops here:
    CALL      0143                    ;2D88:000F  E83101          
    CMP      CX,DX                    ;2D88:0012  39D1            
    SUB      [BYTE DI+0031],82        ;2D88:0014  826D3182        
    XCHG      AX,DX                    ;2D88:0018  92              
    OR        [WORD DI+8248],6A        ;2D88:0019  838D48826A      
    INC      DI                      ;2D88:001E  47              
    STOSB                              ;2D88:001F  AA              
    XCHG      AX,SI                    ;2D88:0020  96              
    ADC      [WORD SI+BP+6596],8F6B  ;2D88:0021  819296656B8F
    ...................
    MOV      AX,0024                  ;2CFE:0001  B82400          
    MOV      DX,CS                    ;2CFE:0004  8CCA            
    ADD      DX,AX                    ;2CFE:0006  03D0            
    MOV      CX,CS                    ;2CFE:0008  8CC9            
    ADD      CX,0087                  ;2CFE:000A  81C18700        
    PUSH      CX                      ;2CFE:000E  51              
    ......................
    REPZ                              ;2CFE:0031  F3              
    MOVSW                              ;2CFE:0032  A5              
    DEC      AX                      ;2CFE:0033  48              
    JNS      0024                    ;2CFE:0034  79EE            
    MOV      DS,BP                    ;2CFE:0036  8EDD            
    PUSH      CS                      ;2CFE:0038  0E              
    POP      ES                      ;2CFE:0039  07              
    XOR      DI,DI                    ;2CFE:003A  33FF            
    MOV      SI,0008                  ;2CFE:003C  BE0800          
    RETF                              ;2CFE:003F  CB--->F8
Note: at CS:017D there is another RETF, which we also have to pass (g 17d, then t, below)!


here:
    PUSH      AX                      ;2988:0000  50              
    PUSH      BX                      ;2988:0001  53              
    MOV      AX,DS                    ;2988:0002  8CD8            
    MOV      BX,CS                    ;2988:0004  8CCB            
    SUB      BX,10                    ;2988:0006  83EB10          
    CMP      AX,BX                    ;2988:0009  3BC3            
    JNE      0016                    ;2988:000B  7509            
    MOV      AX,2988                  ;2988:000D  B88829          
    MOV      DS,AX                    ;2988:0010  8ED8            
    INC      [BYTE 00A7]              ;2988:0012  FE06A700        
    MOV      AX,2988                  ;2988:0016  B88829          
    MOV      DS,AX                    ;2988:0019  8ED8            
    POP      BX                      ;2988:001B  5B              
    POP      AX                      ;2988:001C  58  


do:
EXE1
RELOAD
pret
g 17d
t
pret
WEXE1


EXE2
RELOAD
g 17d
t
pret
WEXE2


GustawKit [CrackPl]
The tutorial is Polish!
translator: peterdocter
group: FCG



peterdocter:
OK! Tips for unpacking DOS programs:
1. tr *.exe or *.com
2. Run pret two or more times and F8 through each RETF.
3. Note that we find something like REPZ (the copy loop) before the first RETF.
4. OEP flag:
    PUSH      AX                                    
    PUSH      BX  
    then, tracing on:
    POP      BX                                    
    POP      AX                      
5. At the PUSH AX (the OEP) do:
EXE1
RELOAD
pret
pret
t
WEXE1


EXE2
RELOAD
pret
pret
t
WEXE2
q


run mkexe


or, automatically:
exe1
reload
goknl count
wexe1
exe2
reload
goknl count
wexe2
q


or, when a second RETF at CS:xxx has to be passed (as with WWPack):
EXE1
RELOAD
pret
g CS:xxx
t
pret
WEXE1


EXE2
RELOAD
g CS:xxx
t
pret
WEXE2


I will write the Chinese version when I have time; I have not used English for a long time, so I do not know whether you can understand it?
Corrections and suggestions for better methods are welcome.


