Packer entry-point code
================================
Common packer signatures:
A)ASPack
00ECD001 60 PUSHAD
00ECD002 E8 03000000 CALL 00ECD00A
00ECD007 -E9 EB045D45 JMP 4649D4F7
00ECD00C 55 PUSH EBP
00ECD00D C3 RETN
......
00ECD3AF 61 POPAD
00ECD3B0 75 08 JNZ SHORT 00ECD3BA
00ECD3B2 B8 01000000 MOV EAX,1
00ECD3B7 C2 0C00 RETN 0C
00ECD3BA 68 00000000 PUSH 0
00ECD3BF C3 RETN
Offset: 3ae
B)UPX
00BEAE90 60 PUSHAD
00BEAE91 BE 00107E00 MOV ESI,7E1000
00BEAE96 8DBE 0000C2FF LEA EDI,DWORD PTR DS:[ESI+FFC20000] ==4010000
00BEAE9C 57 PUSH EDI
00BEAE9D 83CD FF OR EBP,FFFFFFFF
00BEAEA0 EB 10 JMP SHORT 00BEAEB2
......
00BEAFBF 61 POPAD
00BEAFC0 ^E9 3CE0D1FF JMP 00909001
Offset: after 11c
C)ASProtect
00ED0060 > EB 00 JMP SHORT BmJapane.00ED0062
00ED0062 EB 2F JMP SHORT BmJapane.00ED0093
00ED0064 53 PUSH EBX
00ED0065 68 61726577 PUSH 77657261
00ED006A 61 POPAD
......
00ED07A4 33FF XOR EDI,EDI
00ED07A6 64:8F07 POP DWORD PTR FS:[EDI]
00ED07A9 8380 C4000000 08 ADD DWORD PTR DS:[EAX+C4],8
00ED07B0 8BB8 A4000000 MOV EDI,DWORD PTR DS:[EAX+A4]
00ED07B6 C1C7 07 ROL EDI,7 ==edi=00ecd001
00ED07B9 89B8 B8000000 MOV DWORD PTR DS:[EAX+B8],EDI
00ED07BF B8 00000000 MOV EAX,0
00ED07C4 5F POP EDI
00ED07C5 C9 LEAVE
00ED07C6 C3 RETN
Watch EDI.
D)SoftDefender demo version
00450000 > 74 07 JE SHORT SoftDefe.00450009
00450002 75 05 JNZ SHORT SoftDefe.00450009
00450004 1932 SBB DWORD PTR DS:[EDX],ESI
00450006 67:E8 E8741F75 CALL 756474F4 ; Superfluous prefix
0045000C 1D E8683944 SBB EAX,443968E8
00450011 CD 00 INT 0
00450013 59 POP ECX
00450014 9C PUSHFD
E)telock
0041FBD6 >^\E9 25E4FFFF JMP crackme1.0041E000
(Looking further down there is a POPAD; it is never reached, so don't be misled by it.)
0041FC62 61 POPAD
......
0041E000 90 NOP
0041E001 60 PUSHAD
0041E002 E8 02000000 CALL crackme1.0041E009
0041E007 E8 00E80000 CALL 0042C80C
F) Unknown packer 1, 2003.12.20
01016000 60 PUSHAD
01016001 E8 00000000 CALL Crackme1.01016006
01016006 5D POP EBP
01016007 83ED 06 SUB EBP,6
......
0101625F 8B85 57050000 MOV EAX,DWORD PTR SS:[EBP+557]
01016265 0385 8B050000 ADD EAX,DWORD PTR SS:[EBP+58B]
0101626B 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
0101626F 61 POPAD
01016270 FFE0 JMP EAX
偏移:26f
G) Unknown packer 2
01013000 60 PUSHAD
01013001 E8 2B000000 CALL Crackme1.01013031
01013006 0D 0A0D0A0D OR EAX,0D0A0D0A
0101300B 0A52 65 OR DL,BYTE PTR DS:[EDX+65]
......
Could not be unpacked manually.
H)fsg
00517000 > BB D0014000 MOV EBX,fsg.004001D0
00517005 BF 00104000 MOV EDI,fsg.00401000
0051700A BE 0C325100 MOV ESI,fsg.0051320C
0051700F 53 PUSH EBX
00517010 E8 0A000000 CALL fsg.0051701F
......
005170DD /EB 09 JMP SHORT fsg.005170E8
005170DF |FE0F DEC BYTE PTR DS:[EDI]
005170E1 -|0F84 199FEEFF JE fsg.00401000 ==OEP
005170E7 |57 PUSH EDI
005170E8 \55 PUSH EBP
005170E9 FF53 04 CALL DWORD PTR DS:[EBX+4]
005170EC 0906 OR DWORD PTR DS:[ESI],EAX
005170EE AD LODS DWORD PTR DS:[ESI]
005170EF ^ 75 DB JNZ SHORT fsg.005170CC
Offset: E1
I) PECompact main program
00425760 > /EB 06 JMP SHORT pecompac.00425768
00425762 |68 00500200 PUSH 25000
00425767 |C3 RETN
00425768 \9C PUSHFD
00425769 60 PUSHAD
0042576A E8 02000000 CALL pecompac.00425771
0042576F 33C0 XOR EAX,EAX
......
0042854E \61 POPAD
0042854F 9D POPFD
00428550 50 PUSH EAX
00428551 68 00504200 PUSH pecompac.00425000
00428556 C2 0400 RETN 4
......
0042517E 61 POPAD
0042517F 9D POPFD
00425180 68 00D04100 PUSH pecompac.0041D000
00425185 C3 RETN
......
0041D17E 61 POPAD
0041D17F 9D POPFD
0041D180 68 61114000 PUSH pecompac.00401161
0041D185 C3 RETN
J) Modified ASPack
00428001 > 60 PUSHAD
00428002 E9 3D040000 JMP ex1401.00428444
00428007 - E9 25050101 JMP 01438531
.......
004283AA 61 POPAD
004283AB 75 08 JNZ SHORT ex1401.004283B5
004283AD B8 01000000 MOV EAX,1
004283B2 C2 0C00 RETN 0C
004283B5 68 00104000 PUSH ex1401.00401000
004283BA C3 RETN
K) Armadillo 3.00a-3.40
00434000 > 60 PUSHAD
00434001 E8 00000000 CALL unbreaka.00434006
00434006 5D POP EBP
00434007 50 PUSH EAX
00434008 51 PUSH ECX
00434009 EB 0F JMP SHORT unbreaka.0043401A
......
L) FSG1.33
00418A15 > BE A4014000 MOV ESI,krykille.004001A4
00418A1A AD LODS DWORD PTR DS:[ESI]
00418A1B 93 XCHG EAX,EBX
00418A1C AD LODS DWORD PTR DS:[ESI]
00418A1D 97 XCHG EAX,EDI
00418A1E AD LODS DWORD PTR DS:[ESI]
00418A1F 56 PUSH ESI
00418A20 96 XCHG EAX,ESI
00418A21 B2 80 MOV DL,80
00418A23 A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00418A24 B6 80 MOV DH,80
00418A26 FF13 CALL DWORD PTR DS:[EBX]
00418A28 ^73 F9 JNB SHORT krykille.00418A23
00418A2A 33C9 XOR ECX,ECX
00418A2C FF13 CALL DWORD PTR DS:[EBX]
00418A2E 73 16 JNB SHORT krykille.00418A46
00418A30 33C0 XOR EAX,EAX
00418A32 FF13 CALL DWORD PTR DS:[EBX]
00418A34 73 1F JNB SHORT krykille.00418A55
......
00418AB6 - 0F84 4485FEFF JE krykille.00401000 ==OEP
00418ABC 56 PUSH ESI
00418ABD 55 PUSH EBP
00418ABE FF53 04 CALL DWORD PTR DS:[EBX+4]
00418AC1 AB STOS DWORD PTR ES:[EDI]
00418AC2 ^ EB E0 JMP SHORT krykille.00418AA4
Offset: A1
M) DBPE2.x
0041E000 > /EB 20 JMP SHORT vfpupker.0041E022
0041E002 |0000 ADD BYTE PTR DS:[EAX],AL
0041E004 |40 INC EAX
0041E005 |0000 ADD BYTE PTR DS:[EAX],AL
0041E007 |0040 00 ADD BYTE PTR DS:[EAX],AL
0041E00A |0000 ADD BYTE PTR DS:[EAX],AL
0041E00C |0000 ADD BYTE PTR DS:[EAX],AL
0041E00E |0000 ADD BYTE PTR DS:[EAX],AL
0041E010 |00E0 ADD AL,AH
0041E012 |0100 ADD DWORD PTR DS:[EAX],EAX
0041E014 |0B00 OR EAX,DWORD PTR DS:[EAX]
0041E016 |0000 ADD BYTE PTR DS:[EAX],AL
0041E018 |0230 ADD DH,BYTE PTR DS:[EAX]
0041E01A |0000 ADD BYTE PTR DS:[EAX],AL
0041E01C |0000 ADD BYTE PTR DS:[EAX],AL
0041E01E |0000 ADD BYTE PTR DS:[EAX],AL
0041E020 |0000 ADD BYTE PTR DS:[EAX],AL
0041E022 \9C PUSHFD
N) Unknown packer
00435F91 >^\E9 6AE0FFFF JMP KEYGENME.00434000 ==backward jump
00435F96 0000 ADD BYTE PTR DS:[EAX],AL
00435F98 00D7 ADD BH,DL
00435F9A 26:17 POP SS ; Modification of segment register
00435F9C 4F DEC EDI
O)Krypton0.5
004A4000 > 54 PUSH ESP
004A4001 E8 00000000 CALL Krypton.004A4006
004A4006 5D POP EBP
004A4007 8BC5 MOV EAX,EBP
004A4009 81ED 71444000 SUB EBP,Krypton.00404471
004A400F 2B85 64604000 SUB EAX,DWORD PTR SS:[EBP+406064]
004A4015 EB 43 JMP SHORT Krypton.004A405A
P)Obsidium1.0
0044F000 > /EB 02 JMP SHORT Obsidium.0044F004
0044F002 |3976 E8 CMP DWORD PTR DS:[ESI-18],ESI
0044F005 A3 1C0000FC MOV DWORD PTR DS:[FC00001C],EAX
0044F00A 88CC MOV AH,CL
0044F00C 4A DEC EDX
0044F00D BD E72EDC12 MOV EBP,12DC2EE7
0044F012 - 70 A1 JO SHORT Obsidium.0044EFB5
0044F014 37 AAA
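The listings above are the raw material for a PEiD-style entry-point signature scanner, which is how a triage analyst identifies a packer without stepping through it in OllyDbg. The following is an added example, not code from the original page: the signatures are transcribed from listings A, B, C, D, F, H, I, J, K, L and O (image-specific operands such as section addresses are wildcarded as `??`), while the minimal PE-header walker, the `build_sample_pe` helper and the sample stub buffers are my own assumptions and constructed data. It also shows the ASPack tail (POPAD / JNZ / MOV EAX,1 / RETN 0C / PUSH oep / RETN) that the "Offset: 3ae" note points at: in listing A the PUSH operand is 0 on disk and is filled in at run time, whereas listing J already carries the OEP, and `aspack_oep_push` reports which case you are looking at.

```python
import struct

# PEiD-style signatures (hex bytes, ?? = any byte) transcribed from the listings
# above; addresses differ per image, so absolute operands are wildcarded.
SIGNATURES = [
    ("ASPack", "60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3"),
    ("ASPack (modified, listing J)", "60 E9 ?? ?? ?? ?? E9"),
    ("UPX", "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10"),
    ("ASProtect", "EB 00 EB 2F 53 68 61 72 65 77 61"),
    ("SoftDefender", "74 07 75 05 19 32 67 E8 E8 74 1F 75"),
    ("FSG", "BB ?? ?? ?? ?? BF ?? ?? ?? ?? BE ?? ?? ?? ?? 53 E8 0A 00 00 00"),
    ("FSG 1.33", "BE ?? ?? ?? ?? AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9"),
    ("PECompact", "EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 00 00 00 33 C0"),
    ("Armadillo 3.00a-3.40", "60 E8 00 00 00 00 5D 50 51 EB 0F"),
    ("Unknown packer 1", "60 E8 00 00 00 00 5D 83 ED 06"),
    ("Krypton 0.5", "54 E8 00 00 00 00 5D 8B C5 81 ED ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? EB 43"),
]
# ASPack tail: POPAD / JNZ / MOV EAX,1 / RETN 0C / PUSH oep / RETN. The PUSH
# operand is 0 on disk in listing A (patched at run time) but real in listing J.
ASPACK_TAIL = "61 75 08 B8 01 00 00 00 C2 0C 00 68 ?? ?? ?? ?? C3"

def parse_sig(sig):
    """'60 E8 ?? 00' -> [0x60, 0xE8, None, 0x00]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]

def match_at(data, pat, off):
    if off + len(pat) > len(data):
        return False
    return all(b is None or data[off + i] == b for i, b in enumerate(pat))

def find_pattern(data, sig):
    """Offset of the first occurrence of sig anywhere in data, or -1."""
    pat = parse_sig(sig)
    return next((o for o in range(len(data) - len(pat) + 1)
                 if match_at(data, pat, o)), -1)

def identify(entry_bytes):
    """Name of the longest signature anchored at offset 0, or None. Longest first,
    so Armadillo wins over 'Unknown packer 1', which shares its first 7 bytes."""
    for name, sig in sorted(SIGNATURES, key=lambda s: -len(parse_sig(s[1]))):
        if match_at(entry_bytes, parse_sig(sig), 0):
            return name
    return None

def aspack_oep_push(stub):
    """(offset of the ASPack tail within the stub, PUSH operand) or None."""
    off = find_pattern(stub, ASPACK_TAIL)
    if off < 0:
        return None
    return off, struct.unpack_from("<I", stub, off + 12)[0]

def entry_point_bytes(pe, n=32):
    """n file bytes at AddressOfEntryPoint (assumption: a well-formed PE32)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    aoep = struct.unpack_from("<I", pe, e_lfanew + 40)[0]      # optional header + 16
    sec = e_lfanew + 24 + opt_size                             # section table
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", pe, sec + i * 40 + 8)
        if va <= aoep < va + max(vsize, rawsize):
            return pe[raw + aoep - va: raw + aoep - va + n]
    raise ValueError("entry point is not inside any section")

def build_sample_pe(code, va=0x1000):
    """Constructed minimal PE32 with `code` as its only section and entry point."""
    e_lfanew, opt_size, raw = 0x40, 224, 0x200
    hdr = bytearray(raw)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, e_lfanew + 6, 1)          # NumberOfSections
    struct.pack_into("<H", hdr, e_lfanew + 20, opt_size)  # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, e_lfanew + 24, 0x10B)     # PE32 magic
    struct.pack_into("<I", hdr, e_lfanew + 40, va)        # AddressOfEntryPoint
    sec = e_lfanew + 24 + opt_size
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(code), va, len(code), raw)
    return bytes(hdr) + code

# Constructed sample stubs (not real packed files): listing A's entry bytes,
# filler, then its tail with PUSH 0; listing J's entry with PUSH 00401000; UPX.
ASPACK_SAMPLE = (bytes.fromhex("60E803000000E9EB045D4555C3") + b"\x90" * 32
                 + bytes.fromhex("617508B801000000C20C006800000000C3"))
ASPACK_J_SAMPLE = (bytes.fromhex("60E93D040000E925050101") + b"\x90" * 32
                   + bytes.fromhex("617508B801000000C20C006800104000C3"))
UPX_SAMPLE = bytes.fromhex("60BE00107E008DBE0000C2FF5783CDFFEB10")

if __name__ == "__main__":
    for label, buf in [("A", ASPACK_SAMPLE), ("J", ASPACK_J_SAMPLE), ("UPX", UPX_SAMPLE)]:
        print(label, identify(buf), aspack_oep_push(buf))
    print(identify(entry_point_bytes(build_sample_pe(UPX_SAMPLE))))
```

Matching is anchored at the entry point on purpose: several of these stubs (PUSHAD / CALL $+5 / POP EBP) look alike for the first few bytes, so the scanner prefers the longest matching signature, and a hit only tells you which stub to expect, not where the OEP is. For a real sample, replace `build_sample_pe(...)` with the file's bytes; the filler in the constructed ASPack buffers is much shorter than the real stub, whose tail sits near offset 3ae as the listing notes.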