菜鸟学习脱ASPack 2.12壳+修复IAT
 
破文作者:wzwgp
脱壳文件:Zealot All Video Joiner 2.41
下载地址:http://www.onlinedown.net/soft/22763.htm
加壳方式:ASPack 2.12 -> Alexey Solodovnikov
作者声明:只是感兴趣,没有其他目的。错误之处敬请诸位前辈不吝赐教
调试环境:WinXP、OllyDbg、PEiD
软件信息:All Video Joiner是一款多媒体视频文件合并工具,可以帮助你将几个AVI视频片断、MPEG视频片断和另外的WMV/ASF视频片断合并在一起,从而形成一个新的视频文件。
脱壳过程:常在论坛学习,脱了一次PECompact 2.x的壳,得到论坛前辈的鼓励,增加了学习的兴趣。
        一、脱壳
        PEiD查壳:ASPack 2.12 -> Alexey Solodovnikov  

        OD载入,提示“入口点超出代码范围......”确定后,提示“代码段可能被压缩、加密....”选否。停在下面:
        00507001 >  60              PUSHAD                                   ; 入口代码
        00507002    E8 03000000     CALL VideoJoi.0050700A                   ; F7
        00507007  - E9 EB045D45     JMP 45AD74F7
        0050700C    55              PUSH EBP
        0050700D    C3              RETN
        00507002 处 F7 到下面:
        0050700A    5D              POP EBP                                  ; 来到此处
        0050700B    45              INC EBP                                  ; EBP=00507007+1
        0050700C    55              PUSH EBP
        0050700D    C3              RETN                                     ; 返回到 00507008
        00507008   /EB 04           JMP SHORT VideoJoi.0050700E
        0050700A   |5D              POP EBP 
        0050700B   |45              INC EBP 
        0050700C   |55              PUSH EBP
        0050700D   |C3              RETN 
        0050700E   \E8 01000000     CALL VideoJoi.00507014                   ; F7
         
        0050700E 处 F7 到下面:
        00507014    5D              pop EBP
        00507015    BB EDFFFFFF     MOV EBX,-13
        0050701A    03DD            ADD EBX,EBP
        0050701C    81EB 00701000   SUB EBX,107000                           ; EBX=400000(MZP)
        00507022    83BD 22040000 0>CMP DWORD PTR SS:[EBP+422],0
        00507029    899D 22040000   MOV DWORD PTR SS:[EBP+422],EBX           ; [EBP+422]=400000 存放基址
        0050702F    0F85 65030000   JNZ VideoJoi.0050739A
        00507035    8D85 2E040000   LEA EAX,DWORD PTR SS:[EBP+42E]           ; EAX=507441"kernel32.dll"
        0050703B    50              PUSH EAX
        0050703C    FF95 4D0F0000   CALL NEAR DWORD PTR SS:[EBP+F4D]         ; kernel32.GetModuleHandleA
        00507042    8985 26040000   MOV DWORD PTR SS:[EBP+426],EAX
        00507048    8BF8            MOV EDI,EAX
        0050704A    8D5D 5E         LEA EBX,DWORD PTR SS:[EBP+5E]            ; EBX=00507071"VirtualAlloc"
        0050704D    53              PUSH EBX
        0050704E    50              PUSH EAX
        0050704F    FF95 490F0000   CALL NEAR DWORD PTR SS:[EBP+F49]         ; kernel32.GetProcAddress
        00507055    8985 4D050000   MOV DWORD PTR SS:[EBP+54D],EAX
        0050705B    8D5D 6B         LEA EBX,DWORD PTR SS:[EBP+6B]            ; EBX=0050707E "VirtualFree"
        0050705E    53              PUSH EBX
        0050705F    57              PUSH EDI                                 ; EDI=7C800000 (kernel32.7C800000)
        00507060    FF95 490F0000   CALL NEAR DWORD PTR SS:[EBP+F49]         ; kernel32.GetProcAddress
        00507066    8985 51050000   MOV DWORD PTR SS:[EBP+551],EAX           ; VirtualFree地址存入ebp+551处
        0050706C    8D45 77         LEA EAX,DWORD PTR SS:[EBP+77]            ; EAX=0050708A
        0050706F    FFE0            JMP NEAR EAX                             ; 跳往 0050708A
        0050708A    8B9D 31050000   MOV EBX,DWORD PTR SS:[EBP+531]           ; JMP到此
        00507090    0BDB            OR EBX,EBX
        00507092    74 0A           JE SHORT VideoJoi.0050709E        ; 没跳
        00507094    8B03            MOV EAX,DWORD PTR DS:[EBX]
        00507096    8785 35050000   XCHG DWORD PTR SS:[EBP+535],EAX
        0050709C    8903            MOV DWORD PTR DS:[EBX],EAX
        0050709E    8DB5 69050000   LEA ESI,DWORD PTR SS:[EBP+569]
        005070A4    833E 00         CMP DWORD PTR DS:[ESI],0
        005070A7    0F84 21010000   JE VideoJoi.005071CE
        005070AD    6A 04           PUSH 4
        005070AF    68 00100000     PUSH 1000
        005070B4    68 00180000     PUSH 1800
        005070B9    6A 00           PUSH 0
        005070BB    FF95 4D050000   CALL NEAR DWORD PTR SS:[EBP+54D]         ; kernel32.VirtualAlloc
        005070C1    8985 56010000   MOV DWORD PTR SS:[EBP+156],EAX
        005070C7    8B46 04         MOV EAX,DWORD PTR DS:[ESI+4]
        005070CA    05 0E010000     ADD EAX,10E
        005070CF    6A 04           PUSH 4
        005070D1    68 00100000     PUSH 1000
        005070D6    50              PUSH EAX
        005070D7    6A 00           PUSH 0
        005070D9    FF95 4D050000   CALL NEAR DWORD PTR SS:[EBP+54D]         ; kernel32.VirtualAlloc
        005070DF    8985 52010000   MOV DWORD PTR SS:[EBP+152],EAX
        005070E5    56              PUSH ESI
        005070E6    8B1E            MOV EBX,DWORD PTR DS:[ESI]
        005070E8    039D 22040000   ADD EBX,DWORD PTR SS:[EBP+422]           ; EBX=401000
        005070EE    FFB5 56010000   PUSH DWORD PTR SS:[EBP+156]
        005070F4    FF76 04         PUSH DWORD PTR DS:[ESI+4]
        005070F7    50              PUSH EAX
        005070F8    53              PUSH EBX
        005070F9    E8 6E050000     CALL VideoJoi.0050766C
        005070FE    B3 01           MOV BL,1
        00507100    80FB 00         CMP BL,0
        00507103    75 5E           JNZ SHORT VideoJoi.00507163
        00507105    FE85 EC000000   INC BYTE PTR SS:[EBP+EC]
        0050710B    8B3E            MOV EDI,DWORD PTR DS:[ESI]
        0050710D    03BD 22040000   ADD EDI,DWORD PTR SS:[EBP+422]           ; EDI=401000
        00507113    FF37            PUSH DWORD PTR DS:[EDI]
        00507115    C607 C3         MOV BYTE PTR DS:[EDI],0C3                ; 把0x401000处的代码改为RET
        00507118    FFD7            CALL NEAR EDI
        0050711A    8F07            POP DWORD PTR DS:[EDI]                   ; 恢复0x401000处的代码
        0050711C    50              PUSH EAX
        0050711D    51              PUSH ECX
        0050711E    56              PUSH ESI
        0050711F    53              PUSH EBX
        00507120    8BC8            MOV ECX,EAX
        00507122    83E9 06         SUB ECX,6
        00507125    8BB5 52010000   MOV ESI,DWORD PTR SS:[EBP+152]
        0050712B    33DB            XOR EBX,EBX
        0050712D    0BC9            OR ECX,ECX
        0050712F    74 2E           JE SHORT VideoJoi.0050715F
        00507131    78 2C           JS SHORT VideoJoi.0050715F
        00507133    AC              LODS BYTE PTR DS:[ESI]
        00507134    3C E8           CMP AL,0E8
        00507136    74 0A           JE SHORT VideoJoi.00507142
        00507138    EB 00           JMP SHORT VideoJoi.0050713A
        0050713A    3C E9           CMP AL,0E9
        0050713C    74 04           JE SHORT VideoJoi.00507142
        0050713E    43              INC EBX
        0050713F    49              DEC ECX
        00507140  ^ EB EB           JMP SHORT VideoJoi.0050712D              ; 回跳
        00507142    8B06            MOV EAX,DWORD PTR DS:[ESI]               ; F4 
        00507144   /EB 00           JMP SHORT VideoJoi.00507146
        00507146   \803E 16         CMP BYTE PTR DS:[ESI],16
        00507149  ^ 75 F3           JNZ SHORT VideoJoi.0050713E              ; 回跳
        0050714B    24 00           AND AL,0                                 ; F4
        0050714D    C1C0 18         ROL EAX,18                               ; 解码
        00507150    2BC3            SUB EAX,EBX                              ; 解码
        00507152    8906            MOV DWORD PTR DS:[ESI],EAX               ; 存入esi指向的地方
        00507154    83C3 05         ADD EBX,5
        00507157    83C6 04         ADD ESI,4
        0050715A    83E9 05         SUB ECX,5
        0050715D  ^ EB CE           JMP SHORT VideoJoi.0050712D              ; 回跳
        0050715F    5B              POP EBX                                  ; VideoJoi.00401000
        00507160    5E              POP ESI
        00507161    59              POP ECX
        00507162    58              POP EAX
        00507163   /EB 08           JMP SHORT VideoJoi.0050716D              ; 跳
        0050716D    8BC8            MOV ECX,EAX                            ; 跳到这里
        0050716F    8B3E            MOV EDI,DWORD PTR DS:[ESI]             ; [ESI]=00001000
        00507171    03BD 22040000   ADD EDI,DWORD PTR SS:[EBP+422]         ; EDI=400000+1000
        00507177    8BB5 52010000   MOV ESI,DWORD PTR SS:[EBP+152]         ; ESI=01560000
        0050717D    C1F9 02         SAR ECX,2
        00507180    F3:A5           REP MOVS DWORD PTR ES:[EDI],DWORD PTR >; ECX=0002B780
        00507182    8BC8            MOV ECX,EAX
        00507184    83E1 03         AND ECX,3
        00507187    F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS>; ECX=00000000
        00507189    5E              POP ESI
        0050718A    68 00800000     PUSH 8000
        0050718F    6A 00           PUSH 0
        00507191    FFB5 52010000   PUSH DWORD PTR SS:[EBP+152]
        00507197    FF95 51050000   CALL NEAR DWORD PTR SS:[EBP+551]       ; kernel32.VirtualFree
        00507197    FF95 51050000   CALL NEAR DWORD PTR SS:[EBP+551]
        0050719D    83C6 08         ADD ESI,8
        005071A0    833E 00         CMP DWORD PTR DS:[ESI],0
        005071A3  ^\0F85 1EFFFFFF   JNZ VideoJoi.005070C7                  ; 回跳005070C7
        005071A9    68 00800000     PUSH 8000                              ; F4
        005071AE    6A 00           PUSH 0
        005071B0    FFB5 56010000   PUSH DWORD PTR SS:[EBP+156]
        005071B6    FF95 51050000   CALL NEAR DWORD PTR SS:[EBP+551]       ; kernel32.VirtualFree
        005071BC    8B9D 31050000   MOV EBX,DWORD PTR SS:[EBP+531]
        005071C2    0BDB            OR EBX,EBX
        005071C4    74 08           JE SHORT VideoJoi.005071CE
        005071C6    8B03            MOV EAX,DWORD PTR DS:[EBX]
        005071C8    8785 35050000   XCHG DWORD PTR SS:[EBP+535],EAX
        005071CE    8B95 22040000   MOV EDX,DWORD PTR SS:[EBP+422]         ; EDX=00400000
        005071D4    8B85 2D050000   MOV EAX,DWORD PTR SS:[EBP+52D]         ; EAX=0x400000
        005071DA    2BD0            SUB EDX,EAX                            ; EDX=0
        005071DC    74 79           JE SHORT VideoJoi.00507257             ; 跳
        00507257    8B95 22040000   MOV EDX,DWORD PTR SS:[EBP+422]         ; 跳到此 EDX=400000, 基地址(MZP)
        0050725D    8BB5 41050000   MOV ESI,DWORD PTR SS:[EBP+541]         ; ESI=000000
        00507263    0BF6            OR ESI,ESI
        00507265    74 11           JE SHORT VideoJoi.00507278             ; 跳
        00507267    03F2            ADD ESI,EDX
        00507269    AD              LODS DWORD PTR DS:[ESI]
        0050726A    0BC0            OR EAX,EAX
        0050726C    74 0A           JE SHORT VideoJoi.00507278
        0050726E    03C2            ADD EAX,EDX
        00507270    8BF8            MOV EDI,EAX
        00507272    66:AD           LODS WORD PTR DS:[ESI]
        00507274    66:AB           STOS WORD PTR ES:[EDI]
        00507276  ^ EB F1           JMP SHORT VideoJoi.00507269
        00507278    BE 00300B00     MOV ESI,0B3000                         ; 跳到此
        0050727D    8B95 22040000   MOV EDX,DWORD PTR SS:[EBP+422]
        00507283    03F2            ADD ESI,EDX
        00507285    8B46 0C         MOV EAX,DWORD PTR DS:[ESI+C]
        00507288    85C0            TEST EAX,EAX
        0050728A    0F84 0A010000   JE VideoJoi.0050739A
        00507290    03C2            ADD EAX,EDX
        00507292    8BD8            MOV EBX,EAX
        00507294    50              PUSH EAX
        00507295    FF95 4D0F0000   CALL NEAR DWORD PTR SS:[EBP+F4D]       ; kernel32.GetModuleHandleA
        0050729B    85C0            TEST EAX,EAX
        0050729D    75 07           JNZ SHORT VideoJoi.005072A6            ; 跳
        0050729F    53              PUSH EBX
        005072A0    FF95 510F0000   CALL NEAR DWORD PTR SS:[EBP+F51]
        005072A6    8985 45050000   MOV DWORD PTR SS:[EBP+545],EAX         ; 跳到此
        005072AC    C785 49050000 0>MOV DWORD PTR SS:[EBP+549],0
        005072B6    8B95 22040000   MOV EDX,DWORD PTR SS:[EBP+422]
        005072BC    8B06            MOV EAX,DWORD PTR DS:[ESI]
        005072BE    85C0            TEST EAX,EAX
        005072C0    75 03           JNZ SHORT VideoJoi.005072C5
        005072C2    8B46 10         MOV EAX,DWORD PTR DS:[ESI+10]
        005072C5    03C2            ADD EAX,EDX
        005072C7    0385 49050000   ADD EAX,DWORD PTR SS:[EBP+549]
        005072CD    8B18            MOV EBX,DWORD PTR DS:[EAX]
        005072CF    8B7E 10         MOV EDI,DWORD PTR DS:[ESI+10]
        005072D2    03FA            ADD EDI,EDX
        005072D4    03BD 49050000   ADD EDI,DWORD PTR SS:[EBP+549]
        005072DA    85DB            TEST EBX,EBX
        005072DC    0F84 A2000000   JE VideoJoi.00507384
        005072E2    F7C3 00000080   TEST EBX,80000000
        005072E8    75 04           JNZ SHORT VideoJoi.005072EE
        005072EA    03DA            ADD EBX,EDX
        005072EC    43              INC EBX
        005072ED    43              INC EBX
        005072EE    53              PUSH EBX                               ; "DeleteCriticalSection"
        005072EF    81E3 FFFFFF7F   AND EBX,7FFFFFFF
        005072F5    53              PUSH EBX
        005072F6    FFB5 45050000   PUSH DWORD PTR SS:[EBP+545]
        005072FC    FF95 490F0000   CALL NEAR DWORD PTR SS:[EBP+F49]       ; kernel32.GetProcAddress
        00507302    85C0            TEST EAX,EAX
        00507304    5B              POP EBX
        00507305    75 6F           JNZ SHORT VideoJoi.00507376            ; 跳
        跳到此:
        00507376    8907            MOV DWORD PTR DS:[EDI],EAX             ; ntdll.RtlDeleteCriticalSection
        00507378    8385 49050000 0>ADD DWORD PTR SS:[EBP+549],4
        0050737F  ^ E9 32FFFFFF     JMP VideoJoi.005072B6                  ; 回跳
        00507384    8906            MOV DWORD PTR DS:[ESI],EAX             ; F4
        00507386    8946 0C         MOV DWORD PTR DS:[ESI+C],EAX
        00507389    8946 10         MOV DWORD PTR DS:[ESI+10],EAX
        0050738C    83C6 14         ADD ESI,14
        0050738F    8B95 22040000   MOV EDX,DWORD PTR SS:[EBP+422]
        00507395  ^ E9 EBFEFFFF     JMP VideoJoi.00507285                  ; 回跳
        0050739A    B8 C4E60A00     MOV EAX,0AE6C4                         ; F4  EAX=AE6C4(OEP)
        0050739F    50              PUSH EAX
        005073A0    0385 22040000   ADD EAX,DWORD PTR SS:[EBP+422]         ; EAX=AE6C4+400000
        005073A6    59              POP ECX
        005073A7    0BC9            OR ECX,ECX
        005073A9    8985 A8030000   MOV DWORD PTR SS:[EBP+3A8],EAX
        005073AF    61              POPAD                                  ; 出口关键词
        005073B0    75 08           JNZ SHORT VideoJoi.005073BA            ; 跳
        005073B2    B8 01000000     MOV EAX,1
        005073B7    C2 0C00         RETN 0C
        005073BA    68 C4E64A00     PUSH VideoJoi.004AE6C4                 ; 跳到此
        005073BF    C3              RETN                                   ; 返回到 004AE6C4 (OEP)
        004AE6C4    55              PUSH EBP
        004AE6C5    8BEC            MOV EBP,ESP
        004AE6C7    B9 0B000000     MOV ECX,0B
        004AE6CC    6A 00           PUSH 0
        004AE6CE    6A 00           PUSH 0
        004AE6D0    49              DEC ECX
        004AE6D1  ^ 75 F9           JNZ SHORT VideoJoi.004AE6CC
       在004AE6C4处, 用OD的OllyDump插件, Dump出程序,
        运行出现“Access violation at address 00595DB8. Read of address 00595DB8”的出错提示,点“确定”后程序可以启动。

        二、修复IAT
          
        请出ImportREC, 填入OEP的004AE6C4值,点IATAutoSearch, 提示发现了IAT地址,
        再点GetImport,有近2000个无效的API,
        我晕。启动LordPE, 比较脱壳前后文件的导入表,发现脱壳后的文件少了一个libmcl-4.3.0.dll,API名称MclRGB。
        找到地址是10DE17,用UltraEdit打开脱壳后的文件,在10DE17处补上“4D 63 6C 52 47 42”,
        然后再用LordPE的PE编辑器打开脱壳后的文件,在导入表中添加导入函数,dll=libmcl-4.3.0  API=MclRGB 保存后,
        运行程序一切正常。
      
        PEiD再查:Borland Delphi 6.0 - 7.0 第一次手工修复IAT,很开心。
        