Using OllyDbg to unpack a tElock-packed program: a beginner's guide
Date: 2004/10/15 0:58:00 Source: compiled by this site Author: 蓝点
Target software: http://count.skycn.com/softdown.php?id=9987&url=http://hndown.skycn.com/down/cookbookxchy.exe (go look up the name yourself)
Software size: 1380 KB
Platform: Win95/98/NT/2000/XP
Cracking tools: OllyDbg 1.09 (Chinese localized), peid8cn, Hex Workshop 4.0, PEditor, LordPE. Working platform: WinXP (on 98 it dies horribly)
Cracking method: learning how to unpack
Disclaimer: this article is for learning purposes only; when reposting, please credit the source. I take no responsibility for what readers do after reading it.
Unpacking process:
1. Identify the packer and find the entry point. Open the main program with peid8cn: the result is tElock 0.98, entry point 5a172c (the real entry point was found with the OEP finder in the drop-down menu at peid8cn's lower right).
2. Load the main program in OllyDbg, click OK on the first dialog and No on the second, and you arrive here:
0064FBD6 >^E9 25E4FFFF JMP cookbook.0064E000
0064FBDB 0000 ADD BYTE PTR DS:[EAX],AL
0064FBDD 003E ADD BYTE PTR DS:[ESI],BH
0064FBDF 4F DEC EDI
0064FBE0 BB B71EFC24 MOV EBX,24FC1EB7
0064FBE5 0000 ADD BYTE PTR DS:[EAX],AL
0064FBE7 0000 ADD BYTE PTR DS:[EAX],AL
0064FBE9 0000 ADD BYTE PTR DS:[EAX],AL
0064FBEB 0000 ADD BYTE PTR DS:[EAX],AL
0064FBED 003E ADD BYTE PTR DS:[ESI],BH
0064FBEF FC CLD
0064FBF0 24 00 AND AL,0
0064FBF2 2E:FC CLD ; Superfluous prefix
0064FBF4 24 00 AND AL,0
0064FBF6 26:FC CLD ; Superfluous prefix
0064FBF8 24 00 AND AL,0
0064FBFA 0000 ADD BYTE PTR DS:[EAX],AL
0064FBFC 0000 ADD BYTE PTR DS:[EAX],AL
0064FBFE 0000 ADD BYTE PTR DS:[EAX],AL
0064FC00 0000 ADD BYTE PTR DS:[EAX],AL
0064FC02 4B DEC EBX
0064FC03 FC CLD
0064FC04 24 00 AND AL,0
0064FC06 36:FC CLD ; Superfluous prefix
0064FC08 24 00 AND AL,0
0064FC0A 0000 ADD BYTE PTR DS:[EAX],AL
0064FC0C 0000 ADD BYTE PTR DS:[EAX],AL
Press F9 to run, then Shift+F9 until it stops here:
0064EBA6 CD 68 INT 68 // remember: do not step past this point, or things get ugly
0064EBA8 66:05 7B0C ADD AX,0C7B
0064EBAC 66:48 DEC AX
0064EBAE 74 55 JE SHORT cookbook.0064EC05
0064EBB0 8D85 450B0000 LEA EAX,DWORD PTR SS:[EBP+B45]
0064EBB6 894424 04 MOV DWORD PTR SS:[ESP+4],EAX
0064EBBA 64:67:8926 0000 MOV DWORD PTR FS:[0],ESP
0064EBC0 EB 1F JMP SHORT cookbook.0064EBE1
0064EBC2 CD20 8B642408 VxDCall 824648B
0064EBC8 8B6C24 08 MOV EBP,DWORD PTR SS:[ESP+8]
0064EBCC 8D85 7A0B0000 LEA EAX,DWORD PTR SS:[EBP+B7A]
0064EBD2 50 PUSH EAX
0064EBD3 EB 01 JMP SHORT cookbook.0064EBD6
0064EBD5 E8 81AD591C CALL 1CBE995B
0064EBDA 0000 ADD BYTE PTR DS:[EAX],AL
0064EBDC 88B465 CCC3EB01 MOV BYTE PTR SS:[EBP+1EBC3CC],DH
0064EBE3 EB 33 JMP SHORT cookbook.0064EC18
0064EBE5 DB ??? ; Unknown command
0064EBE6 8BC3 MOV EAX,EBX
0064EBE8 66:BE 4746 MOV SI,4647
0064EBEC 66:BF 4D4A MOV DI,4A4D
0064EBF0 CC INT3
0064EBF1 90 NOP
0064EBF2 66:81FE 4746 CMP SI,4647
0064EBF7 75 0C JNZ SHORT cookbook.0064EC05
0064EBF9 64:67:8F06 0000 POP DWORD PTR FS:[0]
0064EBFF 83C4 04 ADD ESP,4
Press Ctrl+F and search for TEST ESI,ESI; you land here (this is not the one we are looking for):
0064F17D 85F6 TEST ESI,ESI
0064F17F 0F84 8B000000 JE cookbook.0064F210
0064F185 8B95 62D34000 MOV EDX,DWORD PTR SS:[EBP+40D362]
0064F18B 03F2 ADD ESI,EDX
0064F18D 2B95 66D34000 SUB EDX,DWORD PTR SS:[EBP+40D366]
0064F193 74 7B JE SHORT cookbook.0064F210
0064F195 8BDA MOV EBX,EDX
0064F197 C1EB 10 SHR EBX,10
0064F19A 8B06 MOV EAX,DWORD PTR DS:[ESI]
0064F19C 85C0 TEST EAX,EAX
0064F19E 74 70 JE SHORT cookbook.0064F210
0064F1A0 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
0064F1A3 83E9 08 SUB ECX,8
0064F1A6 D1E9 SHR ECX,1
0064F1A8 8BBD 62D34000 MOV EDI,DWORD PTR SS:[EBP+40D362]
0064F1AE 03F8 ADD EDI,EAX
0064F1B0 83C6 08 ADD ESI,8
0064F1B3 0FB706 MOVZX EAX,WORD PTR DS:[ESI]
0064F1B6 C1C8 0C ROR EAX,0C
0064F1B9 FEC8 DEC AL
0064F1BB 78 4C JS SHORT cookbook.0064F209
0064F1BD 74 0E JE SHORT cookbook.0064F1CD
0064F1BF FEC8 DEC AL
0064F1C1 74 13 JE SHORT cookbook.0064F1D6
0064F1C3 FEC8 DEC AL
0064F1C5 74 3C JE SHORT cookbook.0064F203
0064F1C7 FEC8 DEC AL
Press Ctrl+L once more (search again) to get here:
0064F21C 85F6 TEST ESI,ESI // the key spot: remember to set a breakpoint here with F2; the goal is to dump an intact import table
0064F21E 0F84 06040000 JE cookbook.0064F62A
0064F224 03F2 ADD ESI,EDX
0064F226 83A5 52D44000 00 AND DWORD PTR SS:[EBP+40D452],0
0064F22D 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
0064F230 8366 0C 00 AND DWORD PTR DS:[ESI+C],0 // tElock's weak spot; you can also search for this key point directly
0064F234 85C0 TEST EAX,EAX
0064F236 0F84 EE030000 JE cookbook.0064F62A
0064F23C 03C2 ADD EAX,EDX
0064F23E 8BD8 MOV EBX,EAX
0064F240 50 PUSH EAX
0064F241 FF95 D0D24000 CALL DWORD PTR SS:[EBP+40D2D0]
0064F247 85C0 TEST EAX,EAX
0064F249 0F85 BA000000 JNZ cookbook.0064F309
0064F24F 53 PUSH EBX
0064F250 FF95 E4BA4000 CALL DWORD PTR SS:[EBP+40BAE4]
0064F256 85C0 TEST EAX,EAX
0064F258 0F85 AB000000 JNZ cookbook.0064F309
0064F25E 8B95 62D34000 MOV EDX,DWORD PTR SS:[EBP+40D362]
0064F264 0195 2AD34000 ADD DWORD PTR SS:[EBP+40D32A],EDX
0064F26A 0195 36D34000 ADD DWORD PTR SS:[EBP+40D336],EDX
0064F270 6A 30 PUSH 30
0064F272 53 PUSH EBX
0064F273 FFB5 36D34000 PUSH DWORD PTR SS:[EBP+40D336]
0064F279 EB 53 JMP SHORT cookbook.0064F2CE
0064F27B 8B95 62D34000 MOV EDX,DWORD PTR SS:[EBP+40D362]
0064F281 0195 2AD34000 ADD DWORD PTR SS:[EBP+40D32A],EDX
Press Shift+F9 to run to this point and check ESI: its value is 001AA000.
Then, in the command box at the lower left of OllyDbg, enter D 005AA000 (001AA000+400000) and scroll down until everything that follows is 00; you arrive at 5AD0F0.
Using the system calculator: 5AD0F0-5AA000=30F0. Why stop here and not somewhere else? Going too far down causes errors, and so does stopping too early; it must be neither too much nor too little.
Start LordPE and select the main program's process. Right-click, choose partial dump, fill in 005AA000 and 000030F0, and dump the import table as 30F0.DMP for later use. Exit LordPE, switch back to OllyDbg, remove the breakpoint with F2, and press Shift+F9 to continue to here:
0064F6F1 8DC0 LEA EAX,EAX ; Illegal use of register
0064F6F3 EB 01 JMP SHORT cookbook.0064F6F6
0064F6F5 EB 68 JMP SHORT cookbook.0064F75F
0064F6F7 33C0 XOR EAX,EAX
0064F6F9 -EB FE JMP SHORT cookbook.0064F6F9
0064F6FB FFE4 JMP ESP
0064F6FD CD20 8B642408 VxDCall 824648B
0064F703 33C0 XOR EAX,EAX
0064F705 FF6424 08 JMP DWORD PTR SS:[ESP+8]
0064F709 -E9 58508304 JMP 04E84766
0064F70E 24 37 AND AL,37
0064F710 FFE0 JMP EAX
0064F712 CD20 648F0058 VxDCall 58008F64
0064F718 EB 02 JMP SHORT cookbook.0064F71C
0064F71A -E9 01585DEB JMP EBC24F20
0064F71F 01B8 E8780000 ADD DWORD PTR DS:[EAX+78E8],EDI
0064F725 008F 5C55DB03 ADD BYTE PTR DS:[EDI+3DB555C],CL
0064F72B 9E SAHF
0064F72C 79 22 JNS SHORT cookbook.0064F750
0064F72E 9A 26E92B6E 913F CALL FAR 3F91:6E2BE926 ; Far call
0064F735 26:A0 1342047E MOV AL,BYTE PTR ES:[7E044213]
0064F73B 40 INC EAX
0064F73C 0B03 OR EAX,DWORD PTR DS:[EBX]
0064F73E 2208 AND CL,BYTE PTR DS:[EAX]
0064F740 BC 923FBB1B MOV ESP,1BBB3F92
0064F745 D223 SHL BYTE PTR DS:[EBX],CL
0064F747 5C POP ESP
In the command box at the lower left enter BP 5A172C (the entry point), press Shift+F9 to run to the entry point, start LordPE again, select the main program, right-click and choose full dump to produce the file UNPACKED.EXE, then exit OllyDbg.
3. Insert the import table
Start Hex Workshop and open the two files just dumped. In the 30F0 file press Ctrl+A and copy. Then switch to the open UNPACKED file, press Ctrl+G and enter 001AA000, choose Select Block from Hex Workshop's Edit menu and enter 1AD0F0 as the end, then paste, save and exit.
4. Fix the entry point and the import table location
Start PEditor, load UNPACKED.EXE, change the entry point to 001A172C and the import table location to 001AA000, then click Rebuild import table.
5. Test-run the file: everything works. OK, job done; whatever else you want to do with it, play by yourself. Bye (886).
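Steps 3 and 4 above are done in the article by hand with Hex Workshop and PEditor; step 2 uses the Windows calculator for 5AD0F0-5AA000=30F0. The script below is an added example, not code from the original article or from any of the tools it names, that performs the same three operations on a PE32 file: it computes the partial-dump range from the page's numbers, splices the dumped import table into the unpacked image at RVA 001AA000, and sets AddressOfEntryPoint and the import data directory to 001A172C and 001AA000. The PE it operates on is constructed in `build_sample_pe` and is not cookbook.exe; its `.idata` section is placed at file offset 400 rather than at its RVA so the sample stays small. The RVA-to-offset mapping goes through the section table, which for a LordPE full dump (file layout equal to the in-memory layout) is the identity; that is why the article can Ctrl+G straight to 001AA000 in UNPACKED.EXE. This is the same header repair an analyst makes when rebuilding a manually unpacked sample for static analysis.

```python
import struct

# Values taken from the article's walkthrough (tElock 0.98 sample, image base 400000).
IMAGE_BASE = 0x400000
OEP_RVA = 0x1A172C        # entry point written back in step 4
IMPORT_RVA = 0x1AA000     # ESI at the breakpoint: start of the rebuilt import table
IMPORT_END_VA = 0x5AD0F0  # where the dump window shows only 00 bytes (step 2)


def dump_range(start_rva, end_va, image_base=IMAGE_BASE):
    """The calculator step: VA of the table start and the size to dump."""
    start_va = start_rva + image_base
    return start_va, end_va - start_va


def _pe_headers(pe):
    """Return (e_lfanew, optional-header offset, section-table offset, n_sections)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:  # PE32 only; PE32+ has a different layout
        raise ValueError("only PE32 images are handled here")
    return e_lfanew, opt, opt + opt_size, n_sections


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset via the section table (identity for a LordPE full dump)."""
    _, _, sec_table, n_sections = _pe_headers(pe)
    for i in range(n_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, sec_table + i * 40 + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError("RVA %#x is not inside any section" % rva)


def splice_import_table(pe, chunk, rva):
    """Step 3: overwrite the bytes at `rva` with the partial dump (the Hex Workshop paste)."""
    off = rva_to_offset(pe, rva)
    if off + len(chunk) > len(pe):
        raise ValueError("dump chunk runs past end of file")
    return pe[:off] + chunk + pe[off + len(chunk):]


def fix_header(pe, oep_rva, import_rva, import_size):
    """Step 4: set AddressOfEntryPoint and DataDirectory[1] (import) as PEditor does."""
    _, opt, _, _ = _pe_headers(pe)
    out = bytearray(pe)
    struct.pack_into("<I", out, opt + 16, oep_rva)                        # AddressOfEntryPoint
    struct.pack_into("<II", out, opt + 96 + 8, import_rva, import_size)  # import directory entry
    return bytes(out)


def read_entry_point(pe):
    _, opt, _, _ = _pe_headers(pe)
    return struct.unpack_from("<I", pe, opt + 16)[0]


def read_import_dir(pe):
    _, opt, _, _ = _pe_headers(pe)
    return struct.unpack_from("<II", pe, opt + 96 + 8)


def build_sample_pe():
    """Constructed minimal PE32 standing in for UNPACKED.EXE (not the real cookbook.exe)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x64FBD6 - IMAGE_BASE)       # still points at the packer stub
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".idata", 0x4000, IMPORT_RVA, 0x4000, 0x400, 0, 0, 0, 0, 0xC0000040)
    header = bytes(dos + coff + opt + secs)
    header += b"\0" * (0x200 - len(header))
    return header + b"\xCC" * 0x200 + b"\0" * 0x4000


def rebuild(pe, import_chunk):
    """Steps 3 and 4 in one call."""
    patched = splice_import_table(pe, import_chunk, IMPORT_RVA)
    return fix_header(patched, OEP_RVA, IMPORT_RVA, len(import_chunk))


if __name__ == "__main__":
    _, size = dump_range(IMPORT_RVA, IMPORT_END_VA)
    chunk = bytes(i & 0xFF for i in range(size))   # constructed stand-in for 30F0.DMP
    fixed = rebuild(build_sample_pe(), chunk)
    print("entry point RVA: %#x" % read_entry_point(fixed))
    print("import dir: RVA %#x size %#x" % read_import_dir(fixed))
```

Replace `build_sample_pe()` with the bytes of a real full dump and `chunk` with the partial dump's contents to apply the same two edits to actual files; the section-table lookup also catches the case the article warns about, where a dump range that runs past the section would overrun the file.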