VGCrypt PE Encryptor V0.75 unpacking: the Vgcrypt.exe main program
Download: http://member.netease.com/~fsdb/source/vgcrypt.zip
Size: 16 KB
[Software description]: This is a fairly simple PE encryptor I wrote up. I commented everything that is relevant to PE appendation or insertion, more so than I needed to even. The most interesting feature of this encryptor is that it attempts to find a location to insert itself between object virtual size and the next file alignment boundary, thus not changing the physical file size.
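The "insert between VirtualSize and the next file alignment boundary" trick relies on section slack: SizeOfRawData is rounded up to FileAlignment, so the bytes past VirtualSize are on disk but unused. The following Python is an added example (not the tool's code) that parses a section table, reports each section's slack, and flags an entry point that lands inside that slack, which is the detection a defender wants for this class of packer. The sample PE header is constructed inline and its values are made up.

```python
import struct

def build_sample_pe():
    """Constructed minimal PE32 header (not a real file): two sections, and an
    entry point that lies past .text's VirtualSize, i.e. inside its file slack."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)      # 2 sections, SizeOfOptionalHeader=0xE0
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2280)                             # AddressOfEntryPoint (constructed)
    struct.pack_into("<I", opt, 28, 0x400000)                           # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                     # SectionAlignment, FileAlignment
    hdr = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
    secs = struct.pack(hdr, b".text", 0x1234, 0x1000, 0x1400, 0x400, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(hdr, b".data", 0x0800, 0x3000, 0x0800, 0x1800, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs

def parse_pe(pe):
    """Return (AddressOfEntryPoint, [section dicts]) from the headers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]
    sec_off = e_lfanew + 24 + opt_size
    secs = []
    for i in range(nsec):
        name, vsize, va, raw, rawptr = struct.unpack_from("<8sIIII", pe, sec_off + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                     "raw": raw, "rawptr": rawptr})
    return entry, secs

def slack_report(pe):
    """Per section: bytes of file slack between VirtualSize and SizeOfRawData,
    and whether the entry point sits inside that slack (a packer-stub indicator)."""
    entry, secs = parse_pe(pe)
    report = []
    for s in secs:
        slack = max(s["raw"] - s["vsize"], 0)
        in_slack = s["va"] + s["vsize"] <= entry < s["va"] + s["raw"]
        report.append((s["name"], slack, in_slack))
    return report

if __name__ == "__main__":
    for name, slack, flag in slack_report(build_sample_pe()):
        print(f"{name:8} slack={slack:#x} entry_in_slack={flag}")
```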
[Author's note]: I'm a beginner at cracking and only doing this out of interest, with no other purpose. Please correct me where I've gone wrong!
[Tools]: Ollydbg 1.09, PEiD, LordPE, ImportREC
―――――――――――――――――――――――――――――――――
[Unpacking procedure]:
Debugging environment: Win98SE + Ollydbg. There is already an unpacker for this V0.75 VGCrypt: UnVGCrypt V0.1.
Heh, the Vgcrypt.exe main program is really something: it wrapped itself in 4 layers of its own shell! :-)
――――――――――――――――――――――――
1. Layer 1
00408000 9C pushfd
====>OD breaks here on load!
00408001 55 push ebp
00408002 E8 EC000000 call VGCRYPT.004080F3
====>F7 to step in
004080F3 E8 00000000 call VGCRYPT.004080F8
====>A disguised JMP (call +0)! F7 to step in
004080F8 8B2C24 mov ebp,dword ptr ss:[esp]
004080FB 81ED 1C274000 sub ebp,VGCRYPT.0040271C
00408101 83C4 04 add esp,4
00408104 C3 retn
====>Returns to 00408007
00408007 87D5 xchg ebp,edx
00408009 5D pop ebp
0040800A 60 pushad
0040800B 87D5 xchg ebp,edx
0040800D 80BD 15274000 01 cmp byte ptr ss:[ebp+402715],1
00408014 74 39 je short VGCRYPT.0040804F
00408016 C685 15274000 01 mov byte ptr ss:[ebp+402715],1
0040801D E9 E4000000 jmp VGCRYPT.00408106
====>Jumps
00408106 E8 1B000000 call VGCRYPT.00408126
====>F7 to step in
00408126 64:67:FF36 0000 push dword ptr fs:[0]
0040812C 64:67:8926 0000 mov dword ptr fs:[0],esp
00408132 8DB5 47264000 lea esi,dword ptr ss:[ebp+402647]
00408138 8BFE mov edi,esi
0040813A B9 CA000000 mov ecx,0CA
0040813F 8AA5 11274000 mov ah,byte ptr ss:[ebp+402711]
00408145 AC lods byte ptr ds:[esi]
00408146 32C4 xor al,ah
00408148 FEC4 inc ah
0040814A C0C4 02 rol ah,2
0040814D 80C4 90 add ah,90
00408150 AA stos byte ptr es:[edi]
00408151 ^ E2 F2 loopd short VGCRYPT.00408145
====>F4 on the next line to get past the LOOP!
00408153 ^ E9 CBFEFFFF jmp VGCRYPT.00408023
====>Jumps
00408023 E8 00000000 call VGCRYPT.00408028
====>A disguised JMP (call +0)! F7 to step in
00408028 8B9D 05274000 mov ebx,dword ptr ss:[ebp+402705]
0040802E 83C3 28 add ebx,28
00408031 58 pop eax
00408032 2BC3 sub eax,ebx
00408034 8985 0D274000 mov dword ptr ss:[ebp+40270D],eax
0040803A CC int3
====>F4 on the next line! Skip over this int3, otherwise the program runs off!
0040803B 8DBD 24264000 lea edi,dword ptr ss:[ebp+402624]
00408041 B9 3B000000 mov ecx,3B
00408046 F3:AA rep stos byte ptr es:[edi]
00408048 64:67:8F06 0000 pop dword ptr fs:[0]
0040804E 5A pop edx
0040804F 8B85 0D274000 mov eax,dword ptr ss:[ebp+40270D]
00408055 0185 09274000 add dword ptr ss:[ebp+402709],eax
0040805B 61 popad
0040805C 9D popfd
0040805D 8B9A 09274000 mov ebx,dword ptr ds:[edx+402709]
00408063 898A 09274000 mov dword ptr ds:[edx+402709],ecx
====>F4 straight to here!
00408069 FFE3 jmp ebx
====>Jumps to 00407000
====>For an ordinary VGCrypt-packed program, this jump already goes to the OEP!
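The loop at 00408145-00408151 (repeated unchanged in all four layers) is the whole decryption: AH is seeded once from [ebp+402711], and for each of the 0CA bytes the stub does xor al,ah / inc ah / rol ah,2 / add ah,90h, writing back in place. The Python below is an added re-implementation, not the tool's code; the seed key byte is not shown on the page, so the key and the sample buffer are constructed placeholders.

```python
def vgcrypt_keystream(key, length):
    """Reproduce the AH register across the loop: after each byte the stub does
    INC AH; ROL AH,2; ADD AH,90h, so the keystream depends only on the seed."""
    ks = bytearray()
    ah = key & 0xFF
    for _ in range(length):
        ks.append(ah)                              # xor al,ah uses the current AH
        ah = (ah + 1) & 0xFF                       # inc ah
        ah = ((ah << 2) | (ah >> 6)) & 0xFF        # rol ah,2 (8-bit rotate)
        ah = (ah + 0x90) & 0xFF                    # add ah,90h
    return bytes(ks)

def vgcrypt_decode(buf, key):
    """XOR buf with the keystream (lods / xor al,ah / stos, in place). Because the
    keystream never depends on the data, the same call also encodes."""
    return bytes(b ^ k for b, k in zip(buf, vgcrypt_keystream(key, len(buf))))

STUB_LEN = 0xCA   # the ECX count the loop uses on this page

if __name__ == "__main__":
    # Constructed sample: 0xCA bytes of filler encoded with a made-up key.
    plain = bytes(range(STUB_LEN))
    key = 0x5A                                     # placeholder; the real seed sits at [ebp+402711]
    enc = vgcrypt_decode(plain, key)
    assert vgcrypt_decode(enc, key) == plain
    print(vgcrypt_keystream(key, 8).hex())
```

With a memory dump of the still-encrypted stub, scanning the 256 possible seeds for the one that yields valid x86 at the loop target recovers the layer statically instead of stepping it in OD.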
――――――――――――――――――――――――
2. Layer 2
00407000 9C pushfd
00407001 55 push ebp
00407002 E8 EC000000 call VGCRYPT.004070F3
====>F7 to step in
004070F3 E8 00000000 call VGCRYPT.004070F8
====>A disguised JMP (call +0)! F7 to step in
004070F8 8B2C24 mov ebp,dword ptr ss:[esp]
004070FB 81ED 1C274000 sub ebp,VGCRYPT.0040271C
00407101 83C4 04 add esp,4
00407104 C3 retn
====>Returns to 00407007
00407007 87D5 xchg ebp,edx
00407009 5D pop ebp
0040700A 60 pushad
0040700B 87D5 xchg ebp,edx
0040700D 80BD 15274000 01 cmp byte ptr ss:[ebp+402715],1
00407014 74 39 je short VGCRYPT.0040704F
00407016 C685 15274000 01 mov byte ptr ss:[ebp+402715],1
0040701D E9 E4000000 jmp VGCRYPT.00407106
====>Jumps
00407106 E8 1B000000 call VGCRYPT.00407126
====>F7 to step in
00407126 64:67:FF36 0000 push dword ptr fs:[0]
0040712C 64:67:8926 0000 mov dword ptr fs:[0],esp
00407132 8DB5 47264000 lea esi,dword ptr ss:[ebp+402647]
00407138 8BFE mov edi,esi
0040713A B9 CA000000 mov ecx,0CA
0040713F 8AA5 11274000 mov ah,byte ptr ss:[ebp+402711]
00407145 AC lods byte ptr ds:[esi]
00407146 32C4 xor al,ah
00407148 FEC4 inc ah
0040714A C0C4 02 rol ah,2
0040714D 80C4 90 add ah,90
00407150 AA stos byte ptr es:[edi]
00407151 ^ E2 F2 loopd short VGCRYPT.00407145
====>F4 on the next line to get past the LOOP!
00407153 ^ E9 CBFEFFFF jmp VGCRYPT.00407023
====>Jumps
00407023 E8 00000000 call VGCRYPT.00407028
00407028 8B9D 05274000 mov ebx,dword ptr ss:[ebp+402705]
0040702E 83C3 28 add ebx,28
00407031 58 pop eax
00407032 2BC3 sub eax,ebx
00407034 8985 0D274000 mov dword ptr ss:[ebp+40270D],eax
0040703A CC int3
====>F4 on the next line! Skip over this int3, otherwise the program runs off!
0040703B 8DBD 24264000 lea edi,dword ptr ss:[ebp+402624]
00407041 B9 3B000000 mov ecx,3B
00407046 F3:AA rep stos byte ptr es:[edi]
00407048 64:67:8F06 0000 pop dword ptr fs:[0]
0040704E 5A pop edx
0040704F 8B85 0D274000 mov eax,dword ptr ss:[ebp+40270D]
00407055 0185 09274000 add dword ptr ss:[ebp+402709],eax
0040705B 61 popad
0040705C 9D popfd
0040705D 8B9A 09274000 mov ebx,dword ptr ds:[edx+402709]
00407063 898A 09274000 mov dword ptr ds:[edx+402709],ecx
====>F4 straight to here!
00407069 FFE3 jmp ebx
====>Jumps to 00406000
――――――――――――――――――――――――
3. Layer 3
Now for a faster method! :-) The flow is exactly the same, so following the steps above also works.
00406000 9C pushfd
00406001 55 push ebp
00406002 E8 EC000000 call VGCRYPT.004060F3
====>Not stepping in this time! I have a better method ^O^
00406007 87D5 xchg ebp,edx
00406009 5D pop ebp
0040600A 60 pushad
0040600B 87D5 xchg ebp,edx
0040600D 80BD 15274000 01 cmp byte ptr ss:[ebp+402715],1
00406014 74 39 je short VGCRYPT.0040604F
00406016 C685 15274000 01 mov byte ptr ss:[ebp+402715],1
0040601D E9 E4000000 jmp VGCRYPT.00406106
====>Jumps. Heh, that saves a stretch of the road.
00406106 E8 1B000000 call VGCRYPT.00406126
0040610B 8B6424 08 mov esp,dword ptr ss:[esp+8]
0040610F E8 DFFFFFFF call VGCRYPT.004060F3
00406114 C685 CC264000 C3 mov byte ptr ss:[ebp+4026CC],0C3
0040611B E8 4BFFFFFF call VGCRYPT.0040606B
00406120 ^ E9 16FFFFFF jmp VGCRYPT.0040603B
00406125 B7 64 mov bh,64
00406127 67:FF36 0000 push dword ptr ds:[0]
0040612C 64:67:8926 0000 mov dword ptr fs:[0],esp
00406132 8DB5 47264000 lea esi,dword ptr ss:[ebp+402647]
00406138 8BFE mov edi,esi
0040613A B9 CA000000 mov ecx,0CA
0040613F 8AA5 11274000 mov ah,byte ptr ss:[ebp+402711]
00406145 AC lods byte ptr ds:[esi]
00406146 32C4 xor al,ah
00406148 FEC4 inc ah
0040614A C0C4 02 rol ah,2
0040614D 80C4 90 add ah,90
00406150 AA stos byte ptr es:[edi]
00406151 ^ E2 F2 loopd short VGCRYPT.00406145
00406153 ^ E9 CBFEFFFF jmp VGCRYPT.00406023
====>F4 straight to here to get past the LOOP!
00406023 E8 00000000 call VGCRYPT.00406028
00406028 8B9D 05274000 mov ebx,dword ptr ss:[ebp+402705]
0040602E 83C3 28 add ebx,28
00406031 58 pop eax
00406032 2BC3 sub eax,ebx
00406034 8985 0D274000 mov dword ptr ss:[ebp+40270D],eax
0040603A CC int3
0040603B 8DBD 24264000 lea edi,dword ptr ss:[ebp+402624]
00406041 B9 3B000000 mov ecx,3B
00406046 F3:AA rep stos byte ptr es:[edi]
00406048 64:67:8F06 0000 pop dword ptr fs:[0]
0040604E 5A pop edx
0040604F 8385 0D274000 01 add dword ptr ss:[ebp+40270D],1
00406056 8509 test dword ptr ds:[ecx],ecx
00406058 27 daa
00406059 40 inc eax
0040605A 0061 9D add byte ptr ds:[ecx-63],ah
0040605D 8B9A 09274000 mov ebx,dword ptr ds:[edx+402709]
00406063 898A 09274000 mov dword ptr ds:[edx+402709],ecx
====>F4 straight to here!
00406069 FFE3 jmp ebx
====>Jumps to 00405000
――――――――――――――――――――――――
4. Layer 4
00405000 9C pushfd
00405001 55 push ebp
00405002 E8 EC000000 call VGCRYPT.004050F3
00405007 87D5 xchg ebp,edx
00405009 5D pop ebp
0040500A 60 pushad
0040500B 87D5 xchg ebp,edx
0040500D 80BD 15274000 01 cmp byte ptr ss:[ebp+402715],1
00405014 74 39 je short VGCRYPT.0040504F
00405016 C685 15274000 01 mov byte ptr ss:[ebp+402715],1
0040501D E9 E4000000 jmp VGCRYPT.00405106
====>Jumps
00405106 E8 1B000000 call VGCRYPT.00405126
0040510B 8B6424 08 mov esp,dword ptr ss:[esp+8]
0040510F E8 DFFFFFFF call VGCRYPT.004050F3
00405114 C685 CC264000 C3 mov byte ptr ss:[ebp+4026CC],0C3
0040511B E8 4BFFFFFF call VGCRYPT.0040506B
00405120 ^ E9 16FFFFFF jmp VGCRYPT.0040503B
00405125 B7 64 mov bh,64
00405127 67:FF36 0000 push dword ptr ds:[0]
0040512C 64:67:8926 0000 mov dword ptr fs:[0],esp
00405132 8DB5 47264000 lea esi,dword ptr ss:[ebp+402647]
00405138 8BFE mov edi,esi
0040513A B9 CA000000 mov ecx,0CA
0040513F 8AA5 11274000 mov ah,byte ptr ss:[ebp+402711]
00405145 AC lods byte ptr ds:[esi]
00405146 32C4 xor al,ah
00405148 FEC4 inc ah
0040514A C0C4 02 rol ah,2
0040514D 80C4 90 add ah,90
00405150 AA stos byte ptr es:[edi]
00405151 ^ E2 F2 loopd short VGCRYPT.00405145
00405153 ^ E9 CBFEFFFF jmp VGCRYPT.00405023
====>F4 straight to here to get past the LOOP!
00405023 E8 00000000 call VGCRYPT.00405028
00405028 8B9D 05274000 mov ebx,dword ptr ss:[ebp+402705]
0040502E 83C3 28 add ebx,28
00405031 58 pop eax
00405032 2BC3 sub eax,ebx
00405034 8985 0D274000 mov dword ptr ss:[ebp+40270D],eax
0040503A CC int3
0040503B 8DBD 24264000 lea edi,dword ptr ss:[ebp+402624]
00405041 B9 3B000000 mov ecx,3B
00405046 F3:AA rep stos byte ptr es:[edi]
00405048 64:67:8F06 0000 pop dword ptr fs:[0]
0040504E 5A pop edx
0040504F 8B85 0D274000 mov eax,dword ptr ss:[ebp+40270D]
00405055 0185 09274000 add dword ptr ss:[ebp+402709],eax
0040505B 61 popad
0040505C 9D popfd
0040505D 8B9A 09274000 mov ebx,dword ptr ds:[edx+402709]
00405063 898A 09274000 mov dword ptr ds:[edx+402709],ecx
====>F4 straight to here!
00405069 FFE3 jmp ebx
====>Jumps to 00401000, and that is the OEP :-)
――――――――――――――――――――――――
00401000 E8 db E8
====>Here, do a full dump of the process with LordPE
00401001 51 db 51
00401002 06 db 06
―――――――――――――――――――――――
While stopped at the OEP, run ImportREC and select this process. Change the OEP to 00001000, click IAT AutoSearch, then click "Get Import":
all the functions are valid. FixDump, and the dump runs normally! 8.5K -> 40K
―――――――――――――――――――――――――――――――――
Cracked By 巢水工作坊――fly [OCN][FCG]
2003-10-02 02:20