PeX V0.99b脫殼――PeX.exe主程式

看雪資料發表於2015-11-15

PeX V0.99b脫殼――PeX.exe主程式
 
 
 
下載頁面:  http://protools.anticrack.de/packers.htm   以前DOWN的  ^O^ 
軟體大小:  45 KB

【軟體簡介】: code,data,import compression(based on APLIB v0.26b by Joergen Ibsen)&encryption;new technique was developed to increase compression ratio; protection against cracking&reverse engeenering; bpx protection; import table handling;advanced import table protection.

【作者宣告】:初學Crack,只是感興趣,沒有其它目的。失誤之處敬請諸位大俠賜教!

【破解工具】:Ollydbg1.09、PEiD、LordPE、Import REConstructor V1.4.2+ 

――――――――――――――――――――――――――――――――― 
【脫殼過程】:
          
       
PeX 殼應該是罕見的,至少我沒見過用PeX保護的軟體。既然loveboom兄弟提出來我就學習一下吧。呵呵,偶是脫殼白痴,碰不了猛殼,只好看看名不見經傳的小殼,^O^ 但是這個殼卻不算太弱呀,首次跟蹤一不小心就OVER了。

下面的除錯環境是:WinXP + Ollydbg 
  
――――――――――――――――――――――――
00408000     E9 F5000000          jmp pex.004080FA
                                  ====>進入OD後斷在這!F7進入!

00408005     0D 0AC4C4C4          or eax,C4C4C40A

這種入口方式是固定的,很容易辨認  ^O^

――――――――――――――――――――――――
這下面就要小心了,如果用F7走就很容易迷入陷阱!呵呵,所以這次採取另外的方法啦。
可以看見下面的call 0040XXXX,用F4走過去,但是這樣還是要F4很多次,並且不小心就暈入迴圈!好了,往下看,使勁向下看:popad、retn在004082FA處,直接在004082FA下斷,F9,砰,睜開眼睛,高興的看見安全著陸啦! :-) 這是對付PeX殼的有效方法,我已實驗過N次啦。


004080FA     60                   pushad
004080FB     E8 01000000          call pex.00408101
                                  ====>F7進去就OVER啦  :-(

00408100     E8 83C404E8          call E8454588
00408105     0100                 add dword ptr ds:[eax],eax
00408107     0000                 add byte ptr ds:[eax],al
00408109   - E9 5D81EDD5          jmp D62E026B
0040810E     2240 00              and al,byte ptr ds:[eax]
00408111     E8 06020000          call pex.0040831C
00408116     E8 EB08EB02          call 032B8A06
0040811B     CD20 FF24249A        vxdcall 9A2424FF
00408121     66:BE 4746           mov si,4647
00408125     E8 01000000          call pex.0040812B
0040812A     9A 598D9527 2340     call far 4023:27958D59     
00408131     00E8                 add al,ch
00408133     0100                 add dword ptr ds:[eax],eax
00408135     0000                 add byte ptr ds:[eax],al
00408137     6958 66 BF4D4AE8     imul ebx,dword ptr ds:[eax+66],E84A4DBF
0040813E     C101 00              rol dword ptr ds:[ecx],0 
00408141     008D 52F9E801        add byte ptr ss:[ebp+1E8F952],cl
00408147     0000                 add byte ptr ds:[eax],al
00408149     00E8                 add al,ch
0040814B     5B                   pop ebx
0040814C     68 CCFFE29A          push 9AE2FFCC
00408151     FFE4                 jmp esp
00408153     69FF A5452540        imul edi,edi,402545A5
00408159     00E9                 add cl,ch
0040815B     E8 B9FFFFFF          call pex.00408119
00408160     EB 02                jmp short pex.00408164
00408162     CD20 8BC4EB02        vxdcall 2EBC48B
00408168     CD20 81001600        vxdcall 160081
0040816E     0000                 add byte ptr ds:[eax],al
00408170     0F85 A6010000        jnz pex.0040831C
00408176     69E8 00000000        imul ebp,eax,0
0040817C     58                   pop eax
0040817D     99                   cdq
0040817E     80CA 15              or dl,15
00408181     8D0402               lea eax,dword ptr ds:[edx+eax]
00408184     50                   push eax
00408185     E8 72010000          call pex.004082FC
0040818A     66:3D 86F3           cmp ax,0F386
0040818E     74 03                je short pex.00408193
00408190   - E9 8D95CB23          jmp 240C1722
00408195     40                   inc eax
00408196     00E8                 add al,ch
00408198     67:0100              add dword ptr ds:[bx+si],eax
0040819B     00E8                 add al,ch
0040819D     0100                 add dword ptr ds:[eax],eax
0040819F     0000                 add byte ptr ds:[eax],al
004081A1     6983 C4048DBD CA2540>imul eax,dword ptr ds:[ebx+BD8D04C4],pex.004025CA
004081AB     B9 89210000          mov ecx,2189
004081B0     BA 0CC8B7E1          mov edx,E1B7C80C
004081B5     8A07                 mov al,byte ptr ds:[edi]
004081B7     D2C0                 rol al,cl
004081B9     D2C8                 ror al,cl
004081BB     32C1                 xor al,cl
004081BD     F6D0                 not al
004081BF     32C5                 xor al,ch
004081C1     32C2                 xor al,dl
004081C3     32C6                 xor al,dh
004081C5     D2C0                 rol al,cl
004081C7     02C1                 add al,cl
004081C9     02C5                 add al,ch
004081CB     F6D8                 neg al
004081CD     02C2                 add al,dl
004081CF     02C6                 add al,dh
004081D1     D2C8                 ror al,cl
004081D3     2AC1                 sub al,cl
004081D5     2AC5                 sub al,ch
004081D7     F6D0                 not al
004081D9     2AC2                 sub al,dl
004081DB     2AC6                 sub al,dh
004081DD     D3C2                 rol edx,cl
004081DF     8807                 mov byte ptr ds:[edi],al
004081E1     47                   inc edi
004081E2     49                   dec ecx
004081E3   ^ 75 D0                jnz short pex.004081B5
004081E5     E8 01000000          call pex.004081EB
004081EA     E8 83C4040F          call 0F454672
004081EF     0BE8                 or ebp,eax
004081F1     2BD2                 sub edx,edx
004081F3     64:8B02              mov eax,dword ptr fs:[edx]
004081F6     8B20                 mov esp,dword ptr ds:[eax]
004081F8     64:8F02              pop dword ptr fs:[edx]
004081FB     58                   pop eax
004081FC     5D                   pop ebp
004081FD     C3                   retn
004081FE     9A 8B954525 4000     call far 0040:2545958B  
00408205     E8 F9000000          call pex.00408303
0040820A     E8 01000000          call pex.00408210
0040820F     C783 C404BB73 4E0000>mov dword ptr ds:[ebx+73BB04C4],6A00004E
00408219     04 68                add al,68
0040821B     0030                 add byte ptr ds:[eax],dh
0040821D     0000                 add byte ptr ds:[eax],al
0040821F     53                   push ebx
00408220     6A 00                push 0
00408222     FF95 49254000        call dword ptr ss:[ebp+402549]
00408228     E8 01000000          call pex.0040822E
0040822D     E8 83C40468          call 684546B5
00408232     0040 00              add byte ptr ds:[eax],al
00408235     0053 50              add byte ptr ds:[ebx+50],dl
00408238     E8 01000000          call pex.0040823E
0040823D   - E9 83C40450          jmp 504546C5
00408242     8D95 CA254000        lea edx,dword ptr ss:[ebp+4025CA]
00408248     52                   push edx
00408249     E8 0E000000          call pex.0040825C
0040824E     E8 01000000          call pex.00408254
00408253     6983 C4045A5E 0E56CB>imul eax,dword ptr ds:[ebx+5E5A04C4],60CB560E
0040825D     8B7424 24            mov esi,dword ptr ss:[esp+24]
00408261     8B7C24 28            mov edi,dword ptr ss:[esp+28]
00408265     FC                   cld
00408266     B2 80                mov dl,80
00408268     A4                   movs byte ptr es:[edi],byte ptr ds:[esi]
00408269     E8 68000000          call pex.004082D6
0040826E   ^ 73 F8                jnb short pex.00408268
00408270     2BC9                 sub ecx,ecx
00408272     E8 5F000000          call pex.004082D6
00408277     73 1A                jnb short pex.00408293
00408279     2BC0                 sub eax,eax
0040827B     E8 56000000          call pex.004082D6
00408280     73 20                jnb short pex.004082A2
00408282     41                   inc ecx
00408283     B0 10                mov al,10
00408285     E8 4C000000          call pex.004082D6
0040828A     12C0                 adc al,al
0040828C   ^ 73 F7                jnb short pex.00408285
0040828E     75 3C                jnz short pex.004082CC
00408290     AA                   stos byte ptr es:[edi]
00408291   ^ EB D6                jmp short pex.00408269
00408293     E8 4A000000          call pex.004082E2
00408298     49                   dec ecx
00408299     E2 10                loopd short pex.004082AB
0040829B     E8 40000000          call pex.004082E0
004082A0     EB 28                jmp short pex.004082CA
004082A2     AC                   lods byte ptr ds:[esi]
004082A3     D1E8                 shr eax,1
004082A5     74 4B                je short pex.004082F2
004082A7     13C9                 adc ecx,ecx
004082A9     EB 1C                jmp short pex.004082C7
004082AB     91                   xchg eax,ecx
004082AC     48                   dec eax
004082AD     C1E0 08              shl eax,8
004082B0     AC                   lods byte ptr ds:[esi]
004082B1     E8 2A000000          call pex.004082E0
004082B6     3D 007D0000          cmp eax,7D00
004082BB     73 0A                jnb short pex.004082C7
004082BD     80FC 05              cmp ah,5
004082C0     73 06                jnb short pex.004082C8
004082C2     83F8 7F              cmp eax,7F
004082C5     77 02                ja short pex.004082C9
004082C7     41                   inc ecx
004082C8     41                   inc ecx
004082C9     95                   xchg eax,ebp
004082CA     8BC5                 mov eax,ebp
004082CC     56                   push esi
004082CD     8BF7                 mov esi,edi
004082CF     2BF0                 sub esi,eax
004082D1     F3:A4                rep movs byte ptr es:[edi],byte ptr ds:[esi]
004082D3     5E                   pop esi
004082D4   ^ EB 93                jmp short pex.00408269
004082D6     02D2                 add dl,dl
004082D8     75 05                jnz short pex.004082DF
004082DA     8A16                 mov dl,byte ptr ds:[esi]
004082DC     46                   inc esi
004082DD     12D2                 adc dl,dl
004082DF     C3                   retn
                                  ====>這上面都是迴圈啦  :-)

004082E0     2BC9                 sub ecx,ecx
004082E2     41                   inc ecx
004082E3     E8 EEFFFFFF          call pex.004082D6
004082E8     13C9                 adc ecx,ecx
004082EA     E8 E7FFFFFF          call pex.004082D6
004082EF   ^ 72 F2                jb short pex.004082E3
004082F1     C3                   retn
004082F2     2B7C24 28            sub edi,dword ptr ss:[esp+28]
004082F6     897C24 1C            mov dword ptr ss:[esp+1C],edi
004082FA     61                   popad
                                  ====>F2此處下斷!F9執行,安全著陸!:-)

004082FB     C3                   retn
                                  ====>返回到0040824E

―――――――――――――――――――――――
0040824E     E8 01000000          call pex.00408254
                                  ====>變形JMP!F7走進

00408254     83C4 04              add esp,4
00408257     5A                   pop edx
00408258     5E                   pop esi
00408259     0E                   push cs
0040825A     56                   push esi
0040825B     CB                   retf      
                                  ====>返回到003A0000

003A0000     95                   xchg eax,ebp
003A0001     E8 01000000          call 003A0007
                                  ====>變形JMP!F7走進

003A0007     5D                   pop ebp
003A0008     81ED D0254000        sub ebp,4025D0
003A000E     8D95 212A4000        lea edx,dword ptr ss:[ebp+402A21]
003A0014     6A 07                push 7
003A0016     59                   pop ecx
003A0017     8B1A                 mov ebx,dword ptr ds:[edx]
003A0019     03DD                 add ebx,ebp
003A001B     0103                 add dword ptr ds:[ebx],eax
003A001D     83C2 04              add edx,4
003A0020   ^ E2 F5                loopd short 003A0017
                                  ====>F4下去,跳出LOOP

003A0022     81C6 73040000        add esi,473
003A0028     41                   inc ecx
003A0029     C1F1 01              sal ecx,1
003A002C     E2 01                loopd short 003A002F
                                  ====>這裡用F7走啦!

003A002F     FC                   cld
003A0030     BF C0014000          mov edi,4001C0
003A0035     BB 04000000          mov ebx,4
003A003A     E8 01000000          call 003A0040
                                  ====>變形JMP!F7走進

003A0040     83C4 04              add esp,4
003A0043     57                   push edi
003A0044     807F 22 00           cmp byte ptr ds:[edi+22],0
003A0048     75 23                jnz short 003A006D
003A004A     E8 01000000          call 003A0050
                                  ====>變形JMP!F7走進

003A0050     83C4 04              add esp,4
003A0053     8B0F                 mov ecx,dword ptr ds:[edi]
003A0055     0FB647 24            movzx eax,byte ptr ds:[edi+24]
003A0059     3247 27              xor al,byte ptr ds:[edi+27]
003A005C     0347 0C              add eax,dword ptr ds:[edi+C]
003A005F     05 00004000          add eax,400000
003A0064     6A 7F                push 7F
003A0066     5A                   pop edx
003A0067     42                   inc edx
003A0068     2BC2                 sub eax,edx
003A006A     97                   xchg eax,edi
003A006B     F3:A4                rep movs byte ptr es:[edi],byte ptr ds:[esi]
003A006D     5F                   pop edi
003A006E     83C7 28              add edi,28
003A0071     E8 01000000          call 003A0077
                                  ====>變形JMP!F7走進

003A0077     83C4 04              add esp,4
003A007A     4B                   dec ebx
003A007B   ^ 75 C6                jnz short 003A0043
                                  ====>F4下去 

003A007D     E8 01000000          call 003A0083
                                  ====>變形JMP!F7走進

003A0083     83C4 04              add esp,4
003A0086     899D CB254000        mov dword ptr ss:[ebp+4025CB],ebx
003A008C     BE C8500000          mov esi,50C8
003A0091     85F6                 test esi,esi
003A0093     0F84 AA020000        je 003A0343
                                  ====>G 003A0343   加快速度啦 :-)

003A0343     50                   push eax
003A0344     50                   push eax
003A0345     DF3C24               fistp qword ptr ss:[esp]
003A0348     58                   pop eax
003A0349     58                   pop eax
003A034A     E8 01000000          call 003A0350
                                  ====>變形JMP!F7走進


003A0350     83C4 04              add esp,4
003A0353     BF 01804000          mov edi,408001
003A0358     57                   push edi
003A0359     8DB5 2F294000        lea esi,dword ptr ss:[ebp+40292F]
003A035F     6A 3D                push 3D
003A0361     59                   pop ecx
003A0362     F3:A4                rep movs byte ptr es:[edi],byte ptr ds:[esi]
003A0364     C3                   retn
                                  ====>返回到00408001


―――――――――――――――――――――――
00408001     FF15 81834000        call dword ptr ds:[<&KERNEL32.VirtualFree>] 
00408007     E8 01000000          call pex.0040800D
                                  ====>變形JMP!F7走進

0040800D     83C4 04              add esp,4
00408010     2BC0                 sub eax,eax
00408012     64:8F00              pop dword ptr fs:[eax]
00408015     83C4 0C              add esp,0C
00408018     E8 01000000          call pex.0040801E
                                  ====>變形JMP!F7走進

0040801E     58                   pop eax   
0040801F     61                   popad
00408020     E8 15000000          call pex.0040803A
                                  ====>變形JMP!F7走進

0040803A     58                   pop eax 
0040803B     40                   inc eax
0040803C     50                   push eax
0040803D     C3                   retn    //第一次到這!
                                  ====>返回到00408026

00408026     E8 0F000000          call pex.0040803A
                                  ====>變形JMP!F7走進

0040803A     58                   pop eax 
0040803B     40                   inc eax
0040803C     50                   push eax
0040803D     C3                   retn    //第二次到這!!
                                  ====>返回到0040802C

0040802C     E8 09000000          call pex.0040803A
                                  ====>變形JMP!F7走進

0040803A     58                   pop eax 
0040803B     40                   inc eax
0040803C     50                   push eax
0040803D     C3                   retn    //第三次到這!!
                                  ====>返回到00408032

00408032     68 FF0F4000          push pex.00400FFF
00408037     EB 01                jmp short pex.0040803A
                                  ====>跳

0040803A     58                   pop eax 
0040803B     40                   inc eax
0040803C     50                   push eax
0040803D     C3                   retn    //第四次到這!!!
                                  ====>返回到00401000   這就是OEP值  :-)


―――――――――――――――――――――――
00401000       E8                 db E8
                                  ====>在這兒用LordPE完全DUMP這個程式

00401001       69                 db 69  
00401002       1A                 db 1A

―――――――――――――――――――――――

重新執行程式修復後雖然能夠正常執行,但是執行壓縮功能時提示出錯!
暈,脫PeX加殼的其他程式都能夠正常使用的呀。所以想出以下辦法:   :-)

重新執行pex.exe,執行Import REConstructor v1.4.2+漢化版 ,選擇這個程式。
把OEP改為00001000,點IT AutoSearch,把RAV改為:00005000,把大小改為:0000054E 
點“Get Import”,函式全部無效!偶暈……  手動修復後還有幾個函式無效 :-(
算了,點右鍵,選擇“開關*載入程式*”。FixDump,正常執行!執行壓縮功能正常了!13K->48K
 
雖然這樣不能跨平臺執行,但偶也沒辦法了。注:脫PeX加殼的其他程式不需這樣做的。


―――――――――――――――――――――――――――――――――
附:陷阱的地方    @v@  :-)  @v@


0040814B     5B                   pop ebx
0040814C     68 CCFFE29A          push 9AE2FFCC
00408151   - FFE4                 jmp esp
                                  ====>返回到0012FF90

0012FF90     CC                   int3
                                  ====>這裡INT3後就直接執行了,如果NOP掉下面就VOER了。

0012FF91     FFE2                 jmp edx
                                  ====>跳向00408154

00408154   - FFA5 45254000        jmp dword ptr ss:[ebp+402545] ; kernel32.ExitProcess
                                  ====>這裡就OVER了   *o*


―――――――――――――――――――――――――――――――――
                                
         ,     _/ 
        /| _.-~/            _     ,        青春都一餉
       ( /~   /              ~-._ |
       `\  _/                   ~ )          忍把浮名 
   _-~~~-.)  )__/;;,.          _  //'
  /'_,   --~    ~~~-  ,;;___(  (.-~~~-.        換了破解輕狂
 `~ _( ,_..-- (     ,;'' /    ~--   /._` 
  /~~//'   /' `~         ) /--.._, )_  `~
  "  `~"  "      `"      /~'`    `\~~   
                         "     "   "~'  ""

    

               Cracked By 巢水工作坊――fly [OCN][FCG]

                       2003-10-01  22:04

相關文章