OllyDbg window shortcuts:
L: program run log
e: loaded threads
m: memory
T: threads
w: windows
h: handle information
c: disassembly (CPU) window
p: patches (modified bytes)
Signature code of E-language (易语言)
004107E2 FC cld
004107E3 DBE3 finit
004107E5 E8 E2FFFFFF call 吾爱破解.004107CC
004107EA 68 D7074100 push 吾爱破解.004107D7
004107EF B8 03000000 mov eax,0x3
004107F4 E8 41000000 call 吾爱破解.0041083A
004107F9 83C4 04 add esp,0x4
004107FC E8 CC3AFFFF call 吾爱破解.004042CD
00410801 E8 AA3AFFFF call 吾爱破解.004042B0
00410806 E8 883AFFFF call 吾爱破解.00404293
0041080B 68 01000152 push 0x52010001
00410810 E8 1F000000 call 吾爱破解.00410834
00410815 83C4 04 add esp,0x4
00410818 E8 11000000 call 吾爱破解.0041082E
0041081D 6A 00 push 0x0
0041081F E8 04000000 call 吾爱破解.00410828
00410824 83C4 04 add esp,0x4
00410827 C3 retn
00410828 - FF25 8F3A4000 jmp dword ptr ds:[0x403A8F] ; krnln.1002D70F
0041082E - FF25 933A4000 jmp dword ptr ds:[0x403A93] ; krnln.1002D672
00410834 - FF25 973A4000 jmp dword ptr ds:[0x403A97] ; krnln.1002D6A5
0041083A - FF25 9B3A4000 jmp dword ptr ds:[0x403A9B] ; krnln.1002CE0A
00410840 - FF25 8B3A4000 jmp dword ptr ds:[0x403A8B] ; krnln.1002D80A
00410846 - FF25 833A4000 jmp dword ptr ds:[0x403A83] ; krnln.1002D72C
0041084C - FF25 6B3A4000 jmp dword ptr ds:[0x403A6B] ; krnln.1002D60E
00410852 - FF25 773A4000 jmp dword ptr ds:[0x403A77] ; krnln.1002CE86
00410858 - FF25 6F3A4000 jmp dword ptr ds:[0x403A6F] ; krnln.1002CE24
0041085E - FF25 873A4000 jmp dword ptr ds:[0x403A87] ; krnln.1002D75F
Non-standalone compilation
Set a breakpoint on the .data section (F2) and run; the debugger breaks, then press K to look at the call stack:
0012FE68 1002CD43 krnln.1005ED30 krnln.1002CD3E 0012FE64
0012FE90 1002D84F ? krnln.1002CCFF krnln.1002D84A 0012FE8C
1002CCFF 55 push ebp
1002CD00 8BEC mov ebp,esp
1002CD02 83EC 08 sub esp,0x8
1002CD05 53 push ebx ; krnln.10118688
1002CD06 56 push esi ; 吾爱破解.00403000
1002CD07 57 push edi
1002CD08 894D F8 mov dword ptr ss:[ebp-0x8],ecx
1002CD0B FF15 E4630E10 call dword ptr ds:[<&KERNEL32.GetProcess>; kernel32.GetProcessHeap
1002CD11 8B4D F8 mov ecx,dword ptr ss:[ebp-0x8] ; krnln.100E298D
1002CD14 8981 A8040000 mov dword ptr ds:[ecx+0x4A8],eax
1002CD1A 8B55 F8 mov edx,dword ptr ss:[ebp-0x8] ; krnln.100E298D
1002CD1D 8B82 C4000000 mov eax,dword ptr ds:[edx+0xC4]
1002CD23 83C0 01 add eax,0x1
1002CD26 8B4D F8 mov ecx,dword ptr ss:[ebp-0x8] ; krnln.100E298D
1002CD29 8981 C4000000 mov dword ptr ds:[ecx+0xC4],eax
1002CD2F 8B55 10 mov edx,dword ptr ss:[ebp+0x10] ; krnln.1011618C
1002CD32 52 push edx
1002CD33 8B45 0C mov eax,dword ptr ss:[ebp+0xC]
1002CD36 50 push eax
1002CD37 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8] ; 吾爱破解.00403000
1002CD3A 51 push ecx
1002CD3B 8B4D F8 mov ecx,dword ptr ss:[ebp-0x8] ; krnln.100E298D
1002CD3E E8 ED1F0300 call krnln.1005ED30
1002CD43 FFD0 call eax // set a breakpoint here, then press F9 and then F7
E-language has a peculiarity: whenever it makes a CALL, it very often goes through a jmp table like the one above.
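As an added example (not code from the original post), the following decodes a run of the "FF25 disp32" jump thunks shown in the listing above and resolves a near CALL from the signature code to the IAT slot its thunk reads. The thunk bytes are constructed from the listing (table base 0x00410828); the trailing C3 byte is a constructed terminator that is not in the listing, added to show that the walk stops at the first non-thunk bytes.

```python
# Added example (not from the original post): decode a run of 6-byte
# "jmp dword ptr [abs32]" (FF25 disp32) thunks, the jmp table through which
# E-language (易语言) programs reach krnln.fne, and resolve an E8 rel32 call
# to the IAT slot of the thunk it lands on.
import struct
from typing import List, Optional, Tuple

THUNK_BASE = 0x00410828
# Constructed from the listing: the first four thunks, little-endian,
# followed by one constructed non-thunk byte (C3) to terminate the walk.
THUNK_BYTES = bytes.fromhex(
    "FF258F3A4000"   # 00410828  jmp dword ptr ds:[0x403A8F]
    "FF25933A4000"   # 0041082E  jmp dword ptr ds:[0x403A93]
    "FF25973A4000"   # 00410834  jmp dword ptr ds:[0x403A97]
    "FF259B3A4000"   # 0041083A  jmp dword ptr ds:[0x403A9B]
    "C3"             # constructed terminator, not a thunk
)


def decode_jmp_thunks(data: bytes, base: int) -> List[Tuple[int, int]]:
    """Walk consecutive FF25 thunks starting at virtual address `base`.
    Returns (thunk_va, iat_slot_va) pairs; stops at the first non-thunk bytes."""
    out: List[Tuple[int, int]] = []
    off = 0
    while off + 6 <= len(data) and data[off:off + 2] == b"\xFF\x25":
        slot = struct.unpack_from("<I", data, off + 2)[0]  # absolute IAT slot
        out.append((base + off, slot))
        off += 6
    return out


def resolve_call(call_bytes: bytes, call_va: int,
                 thunks: List[Tuple[int, int]]) -> Optional[int]:
    """For a near call (E8 rel32) located at call_va, return the IAT slot of
    the thunk it targets, or None if the target is not a decoded thunk."""
    if len(call_bytes) != 5 or call_bytes[0] != 0xE8:
        raise ValueError("expected a 5-byte E8 rel32 call")
    rel = struct.unpack("<i", call_bytes[1:])[0]       # signed displacement
    target = (call_va + 5 + rel) & 0xFFFFFFFF          # relative to next insn
    return dict(thunks).get(target)


if __name__ == "__main__":
    thunks = decode_jmp_thunks(THUNK_BYTES, THUNK_BASE)
    for va, slot in thunks:
        print(f"{va:08X}  jmp dword ptr [{slot:08X}]")
    # 0041081F  E8 04000000  call 00410828 -> thunk reading slot 0x403A8F
    print(hex(resolve_call(b"\xE8\x04\x00\x00\x00", 0x0041081F, thunks)))
```

Note that the slot addresses in this table (0x403A8F, 0x403A93, ...) are not 4-byte aligned, which is visible in the listing itself; a decoder that assumes aligned import slots would miss them.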
For non-standalone-compiled E-language programs, if the following code is not shown at the start:
00401006 \. E8 B5010000 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
0040100B . 47 65 74 4E 65 77 >ascii "GetNewSock",0
00401016 . 45 72 72 6F 72 00 ascii "Error",0
0040101C . 6B 72 6E 6C 6E 2E >ascii "krnln.fne",0
00401026 . 4E 6F 74 20 66 6F >ascii "Not found the ke"
00401036 . 72 6E 65 6C 20 6C >ascii "rnel library or "
00401046 . 74 68 65 20 6B 65 >ascii "the kernel libra"
00401056 . 72 79 20 69 73 20 >ascii "ry is invalid!",0
00401065 . 6B 72 6E 6C 6E 2E >ascii "krnln.fnr",0
0040106F . 50 61 74 68 00 ascii "Path",0
00401074 . 53 6F 66 74 77 61 >ascii "Software\FlySky\"
00401084 . 45 5C 49 6E 73 74 >ascii "E\Install",0
press Ctrl+A to make the strings above show up, or right-click and choose Analyse.
At the start the program loads the E-language runtime library:
004010A3 |. 68 65104000 push 吾爱破解.00401065 ; /StringToAdd = "krnln.fnr"
004010A8 |. 8D85 FCFEFFFF lea eax,[local.65] ; |
004010AE |. 50 push eax ; |ConcatString = NULL
004010AF |. E8 24010000 call <jmp.&KERNEL32.lstrcatA> ; \lstrcatA
004010B4 |. 50 push eax ; /FileName = NULL
004010B5 |. E8 18010000 call <jmp.&KERNEL32.LoadLibraryA> ; \LoadLibraryA
004010BA |. 85C0 test eax,eax
Standalone-compiled E-language
It gets detected as a VC6 compiler, because the startup code looks very similar to VC6: everything at the beginning is the VC runtime initialization.
0046C607 >/$ 55 push ebp
0046C608 |. 8BEC mov ebp,esp
0046C60A |. 6A FF push -0x1
0046C60C |. 68 006A4900 push 吾爱破解.00496A00
0046C611 |. 68 BC124700 push 吾爱破解.004712BC ; SE handler installation
0046C616 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
0046C61C |. 50 push eax
0046C61D |. 64:8925 00000000 mov dword ptr fs:[0],esp
0046C624 |. 83EC 58 sub esp,0x58
0046C627 |. 53 push ebx
0046C628 |. 56 push esi
0046C629 |. 57 push edi
0046C62A |. 8965 E8 mov [local.6],esp
0046C62D |. FF15 38C34800 call dword ptr ds:[<&KERNEL32.GetVersion>; kernel32.GetVersion
0046C633 |. 33D2 xor edx,edx ; ntdll.KiFastSystemCallRet
0046C635 |. 8AD4 mov dl,ah
0046C637 |. 8915 48134C00 mov dword ptr ds:[0x4C1348],edx ; ntdll.KiFastSystemCallRet
0046C63D |. 8BC8 mov ecx,eax
0046C63F |. 81E1 FF000000 and ecx,0xFF
0046C645 |. 890D 44134C00 mov dword ptr ds:[0x4C1344],ecx
0046C64B |. C1E1 08 shl ecx,0x8
0046C64E |. 03CA add ecx,edx ; ntdll.KiFastSystemCallRet
0046C650 |. 890D 40134C00 mov dword ptr ds:[0x4C1340],ecx
0046C656 |. C1E8 10 shr eax,0x10
0046C659 |. A3 3C134C00 mov dword ptr ds:[0x4C133C],eax
0046C65E |. 6A 01 push 0x1
0046C660 |. E8 F14B0000 call 吾爱破解.00471256
1. Strings (referenced text strings)
0045FA73 mov dword ptr ds:[eax+0x18],吾爱破解.004 invalid block type
0045FAF7 mov dword ptr ds:[ecx+0x18],吾爱破解.004 invalid stored block lengths
0045FC43 mov dword ptr ds:[eax+0x18],吾爱破解.004 too many length or distance symbols
0045FD31 mov dword ptr ds:[esi+0x18],吾爱破解.004 invalid bit length repeat
00464BD5 mov ecx,0x2C8D00 r
00465095 mov ecx,0x2C8D00 r
00467B40 mov dword ptr ds:[edi+0x18],吾爱破解.004 invalid literal/length code
00467B8E mov dword ptr ds:[edi+0x18],吾爱破解.004 invalid distance code
00467DD4 mov dword ptr ds:[edi+0x18],吾爱破解.004 oversubscribed dynamic bit lengths tree
00467DF4 mov dword ptr ds:[edi+0x18],吾爱破解.004 incomplete dynamic bit lengths tree
004683D9 mov dword ptr ds:[ebx+0x18],吾爱破解.004 oversubscribed distance tree
004683F8 mov dword ptr ds:[ebx+0x18],吾爱破解.004 incomplete distance tree
00468417 mov dword ptr ds:[ebx+0x18],吾爱破解.004 empty distance tree with lengths
00468440 mov dword ptr ds:[ebx+0x18],吾爱破解.004 oversubscribed literal/length tree
0046845A mov dword ptr ds:[ebx+0x18],吾爱破解.004 incomplete literal/length tree
00468484 mov ecx,dword ptr ds:[0x4AD2A0] \t
0046B662 mov dword ptr ds:[edi+0x18],吾爱破解.004 invalid distance code
0046B726 mov dword ptr ds:[edi+0x18],吾爱破解.004 invalid literal/length code
2. Locating it in the code
0046C6D2 |> \6A 0A push 0xA
0046C6D4 |. 58 pop eax ; kernel32.7C817067
0046C6D5 |> 50 push eax
0046C6D6 |. FF75 9C push [local.25]
0046C6D9 |. 56 push esi
0046C6DA |. 56 push esi ; /pModule = 0012B750 ???
0046C6DB |. FF15 50C34800 call dword ptr ds:[<&KERNEL32.GetModuleH>; \GetModuleHandleA
0046C6E1 |. 50 push eax
0046C6E2 |. E8 F7DD0000 call 吾爱破解.0047A4DE ; this is the entry to the main function
Step into the main function:
0047A4DE /$ FF7424 10 push dword ptr ss:[esp+0x10]
0047A4E2 |. FF7424 10 push dword ptr ss:[esp+0x10]
0047A4E6 |. FF7424 10 push dword ptr ss:[esp+0x10]
0047A4EA |. FF7424 10 push dword ptr ss:[esp+0x10]
0047A4EE |. E8 24860000 call 吾爱破解.00482B17 // step into this call
Step into the call at the location below:
00482B17 /$ 53 push ebx
00482B18 |. 56 push esi
00482B19 |. 57 push edi
00482B1A |. 83CB FF or ebx,-0x1
00482B1D |. E8 5CEDFFFF call 吾爱破解.0048187E
00482B22 |. 8BF0 mov esi,eax
00482B24 |. E8 5D350000 call 吾爱破解.00486086
00482B29 |. FF7424 1C push dword ptr ss:[esp+0x1C]
00482B2D |. 8B78 04 mov edi,dword ptr ds:[eax+0x4]
00482B30 |. FF7424 1C push dword ptr ss:[esp+0x1C]
00482B34 |. FF7424 1C push dword ptr ss:[esp+0x1C]
00482B38 |. FF7424 1C push dword ptr ss:[esp+0x1C]
00482B3C |. E8 2A430000 call 吾爱破解.00486E6B
00482B41 |. 85C0 test eax,eax
00482B43 |. 74 3B je short 吾爱破解.00482B80
00482B45 |. 85FF test edi,edi
00482B47 |. 74 0E je short 吾爱破解.00482B57
00482B49 |. 8B07 mov eax,dword ptr ds:[edi]
00482B4B |. 8BCF mov ecx,edi
00482B4D |. FF90 84000000 call dword ptr ds:[eax+0x84]
00482B53 |. 85C0 test eax,eax
00482B55 |. 74 29 je short 吾爱破解.00482B80
00482B57 |> 8B06 mov eax,dword ptr ds:[esi]
00482B59 |. 8BCE mov ecx,esi
00482B5B |. FF50 50 call dword ptr ds:[eax+0x50] // step into this call
Continue stepping into the next call:
0041A6B0 /. 55 push ebp
0041A6B1 |. 8BEC mov ebp,esp
0041A6B3 |. 51 push ecx ; 吾爱破解.004BE790
0041A6B4 |. 53 push ebx
0041A6B5 |. 56 push esi ; 吾爱破解.004BE790
0041A6B6 |. 8BF1 mov esi,ecx ; 吾爱破解.004BE790
0041A6B8 |. 57 push edi ; 吾爱破解.004BE790
0041A6B9 |. 8B4E 68 mov ecx,dword ptr ds:[esi+0x68] ; 吾爱破解.00400000
0041A6BC |. 8D86 D8000000 lea eax,dword ptr ds:[esi+0xD8]
0041A6C2 |. 50 push eax ; 吾爱破解.00490010
0041A6C3 |. 51 push ecx ; 吾爱破解.004BE790
0041A6C4 |. E8 57D10000 call 吾爱破解.00427820
0041A6C9 |. 83C4 08 add esp,0x8
0041A6CC |. 8D8E 84030000 lea ecx,dword ptr ds:[esi+0x384]
0041A6D2 |. 68 02104000 push 吾爱破解.00401002
0041A6D7 |. 68 00104000 push 吾爱破解.00401000
0041A6DC |. 68 00104000 push 吾爱破解.00401000
0041A6E1 |. E8 DA6C0100 call 吾爱破解.004313C0
0041A6E6 |. 60 pushad
0041A6E7 |. E8 E32EFFFF call 吾爱破解.0040D5CF // step into this call
Then you arrive at the E-language signature code.
VC6 signatures
Section information
.text .rdata .data .rsrc
Signature APIs
0040172B |. 6A 02 push 0x2
0040172D |. FF15 90214000 call dword ptr ds:[<&MSVCRT.__set_app_ty>; msvcrt.__set_app_type
00401733 |. 59 pop ecx ; kernel32.7C817067
00401734 |. 830D 4C314000 FF or dword ptr ds:[0x40314C],-0x1
0040173B |. 830D 50314000 FF or dword ptr ds:[0x403150],-0x1
00401742 |. FF15 8C214000 call dword ptr ds:[<&MSVCRT.__p__fmode>] ; msvcrt.__p__fmode
00401748 |. 8B0D 40314000 mov ecx,dword ptr ds:[0x403140]
0040174E |. 8908 mov dword ptr ds:[eax],ecx
00401750 |. FF15 88214000 call dword ptr ds:[<&MSVCRT.__p__commode>; msvcrt.__p__commode
When unpacking, pay attention to the push below:
00401703 |. 6A FF push -0x1
00401705 |. 68 00254000 push 吾爱破解.00402500 // the value pushed here matters; with some packers it has to be repaired
0040170A |. 68 86184000 push <jmp.&MSVCRT._except_handler3> ; SE handler installation
VS2008 / VS2013
0041DDAC > $ E8 EF4E0000 call 吾爱破解.00422CA0 ; call XXXX
0041DDB1 .^ E9 79FEFFFF jmp 吾爱破解.0041DC2F ; jmp xxxx
Section information: .text .rdata .data .rsrc .reloc
Delphi
Section signature: similar to BC++ (both were developed by the same company)
code data bss .idata .tls .rdata .reloc .rsrc
Code signature
Step into the first call at the entry point and you will see the function below. In many packed programs the entry point is virtualized, but this function is still preserved:
00405BC8 53 push ebx
00405BC9 8BD8 mov ebx,eax
00405BCB 33C0 xor eax,eax
00405BCD A3 9CF04400 mov dword ptr ds:[0x44F09C],eax
00405BD2 6A 00 push 0x0
00405BD4 E8 2BFFFFFF call <jmp.&kernel32.GetModuleHandleA>
BC++
004014EC > $ /EB 10 jmp short 吾爱破解.004014FE // signature 1: a big jump
004014EE |66 db 66 ; CHAR 'f'
004014EF |62 db 62 ; CHAR 'b'
004014F0 |3A db 3A ; CHAR ':'
004014F1 |43 db 43 ; CHAR 'C'
004014F2 |2B db 2B ; CHAR '+'
004014F3 |2B db 2B ; CHAR '+'
004014F4 |48 db 48 ; CHAR 'H'
004014F5 |4F db 4F ; CHAR 'O'
004014F6 |4F db 4F ; CHAR 'O'
004014F7 |4B db 4B ; CHAR 'K'
004014F8 |90 nop
004014F9 |E9 db E9
004014FA . |ACB04C00 dd offset 吾爱破解.___CPPdebugHook
004014FE > \A1 9FB04C00 mov eax,dword ptr ds:[0x4CB09F]
00401503 . C1E0 02 shl eax,0x2
00401506 . A3 A3B04C00 mov dword ptr ds:[0x4CB0A3],eax
0040150B . 52 push edx ; ntdll.KiFastSystemCallRet
0040150C . 6A 00 push 0x0 ; /pModule = NULL
0040150E . E8 578F0C00 call <jmp.&KERNEL32.GetModuleHandleA> ; signature 2: the \GetModuleHandleA function
Section information:
.text .data .rdata .idata .edata .rsrc .reloc
AutoIt v3 (referenced strings)
004036DE mov eax,吾爱破解.0049DAB8 AutoIt v3
00403701 push 吾爱破解.0049DACC edit
00403806 push 吾爱破解.0049DBD0 TaskbarCreated
00403BEA push 吾爱破解.0049E444 Exit
00403C27 push 吾爱破解.0049E450 Script Paused
00403F1F mov dword ptr ss:[ebp-0x8],吾爱破解.0049 AutoIt v3
00403FA2 mov [local.5],吾爱破解.004B26A8 AutoIt v3 GUI
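As an added example (not code from the original post or from OllyDbg), the following gathers the compiler fingerprints collected in these notes into a small offline routine: entry-point byte patterns transcribed from the listings (E-language's cld/finit prologue, the VC6-style SEH prologue, the VS2008/VS2013 call+jmp stub, the Delphi first-call function, the Borland C++ jump over "fb:C++HOOK"), the section layouts listed per compiler, and the string references (krnln.fne, the zlib inflate messages, AutoIt v3). Pattern names, the wildcard byte notation and all sample inputs are constructed here; the VC6 pattern is transcribed from the standalone E-language listing, which the notes say mimics VC6.

```python
# Added example (not from the original post): compiler fingerprinting from
# entry bytes, section names and string references, using only the
# signatures written down in the notes. "??" marks a wildcard byte.
from typing import Dict, List, Optional

# Byte patterns checked at offset 0 of the supplied code. For Delphi the
# caller supplies the bytes at the target of the first call from the entry.
ENTRY_PATTERNS: Dict[str, str] = {
    "E-language (cld/finit prologue)":
        "FC DB E3 E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? B8 03 00 00 00",
    "VC6-style SEH prologue (VC6 or standalone E-language)":
        "55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? "
        "64 A1 00 00 00 00 50 64 89 25 00 00 00 00",
    "VS2008/VS2013 (call + jmp stub)":
        "E8 ?? ?? ?? ?? E9 ?? ?? ?? ??",
    "Delphi (first call from entry)":
        "53 8B D8 33 C0 A3 ?? ?? ?? ?? 6A 00 E8",
    "Borland C++ (jmp over 'fb:C++HOOK')":
        "EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 ?? ?? ?? ?? A1",
}

# Section layouts, in order, as listed in the notes (compared case-insensitively).
SECTION_LAYOUTS: Dict[str, List[str]] = {
    "VC6": [".text", ".rdata", ".data", ".rsrc"],
    "VS2008/VS2013": [".text", ".rdata", ".data", ".rsrc", ".reloc"],
    "Delphi": ["code", "data", "bss", ".idata", ".tls", ".rdata", ".reloc", ".rsrc"],
    "Borland C++": [".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc"],
}

# String references; a label matches only if every marker is present.
STRING_MARKERS: Dict[str, List[bytes]] = {
    "E-language, non-standalone (krnln.fne loader)":
        [b"krnln.fne", b"Not found the kernel library"],
    "E-language, standalone (zlib inflate messages)":
        [b"invalid block type", b"invalid distance code"],
    "AutoIt v3": [b"AutoIt v3", b"Script Paused"],
}


def parse_pattern(text: str) -> List[Optional[int]]:
    """'FC DB ?? E8' -> [0xFC, 0xDB, None, 0xE8]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def matches_at(data: bytes, pattern: List[Optional[int]], off: int = 0) -> bool:
    """True if `pattern` matches `data` at offset `off` (wildcards skip a byte)."""
    if off + len(pattern) > len(data):
        return False
    return all(p is None or data[off + i] == p for i, p in enumerate(pattern))


def match_entry(code: bytes) -> List[str]:
    """Names of all entry patterns that match at offset 0 of `code`."""
    return [name for name, pat in ENTRY_PATTERNS.items()
            if matches_at(code, parse_pattern(pat))]


def match_sections(names: List[str]) -> Optional[str]:
    """Compiler whose section layout equals `names` exactly, or None."""
    got = [n.lower() for n in names]
    for compiler, layout in SECTION_LAYOUTS.items():
        if got == [s.lower() for s in layout]:
            return compiler
    return None


def match_strings(blob: bytes) -> List[str]:
    """Labels whose string markers all occur somewhere in `blob`."""
    return [name for name, markers in STRING_MARKERS.items()
            if all(m in blob for m in markers)]


def fingerprint(code: bytes, sections: List[str], blob: bytes) -> Dict[str, object]:
    """Combine the three weak signals; the caller weighs them together."""
    return {"entry": match_entry(code),
            "sections": match_sections(sections),
            "strings": match_strings(blob)}


# Constructed samples, transcribed from the listings in the notes.
SAMPLE_ELANG_ENTRY = bytes.fromhex("FCDBE3E8E2FFFFFF68D7074100B803000000E841000000")
SAMPLE_VC6_ENTRY = bytes.fromhex(
    "558BEC6AFF68006A490068BC12470064A100000000506489250000000083EC58")
SAMPLE_BCPP_ENTRY = bytes.fromhex("EB1066623A432B2B484F4F4B90E9ACB04C00A19FB04C00")
SAMPLE_ELANG_STRINGS = (b"\x00krnln.fne\x00Not found the kernel library or "
                        b"the kernel library is invalid!\x00")
BCPP_SECTIONS = [".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc"]

if __name__ == "__main__":
    print(fingerprint(SAMPLE_ELANG_ENTRY, [], SAMPLE_ELANG_STRINGS))
    print(fingerprint(SAMPLE_VC6_ENTRY, [".text", ".rdata", ".data", ".rsrc"], b""))
    print(fingerprint(SAMPLE_BCPP_ENTRY, BCPP_SECTIONS, b""))
```

Because the standalone E-language prologue is byte-identical to the VC6 one, the entry pattern alone cannot separate the two; that is why the notes fall back to the zlib message strings, and why `fingerprint` reports all three signals rather than a single verdict.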
Tips:
Ctrl+Up/Down: scroll the disassembly
Ctrl+A: analyse code
Original post: http://www.cnblogs.com/kangxiaopao/p/4643557.html