Download page: http://www2.skycn.com/soft/21992.html
Software size: 2894 KB
Software language: Simplified Chinese
Category: domestic software / trial version / network utilities
Platform: Win9x/NT/2000/XP
Added: 2005-04-12 16:54:38
Downloads: 26267
Rating: ***
Developer: http://www.5it.cn
Description: "超级自动注册申请王" (Super Auto Registration King) is a program that automatically registers QQ numbers, UC numbers, YamQQ numbers, 赢财通 QQ numbers, MyIM accounts, 联众 game lobby and 游戏茶苑 game lobby accounts, E话通 accounts, KuGoo accounts, PP点点通 accounts, 浩方 game platform accounts, free photo albums, many free mailboxes, free second-level domains and so on, and also manages the account numbers and passwords it has registered; a powerful tool that bundles all of these functions into one.

【Author's note】: This is purely out of interest and for no other purpose. Where I have slipped up, I welcome correction from the experts.
【Debugging environment】: WinXP, flyODBG, PEiD, LordPE, ImportREC
—————————————————————————————————
【Unpacking process】: I had not looked at the newer Obsidium versions; a fellow member brought up this program, and it did not look too hard, so I wrote up my notes.
—————————————————————————————————
1. Anti-debugging in Obsidium V1.25
Debug with the modified OllyDbg build and set the option to ignore all exceptions. Use the IsDebug plugin to clear OllyDbg's debugger flag, and use the UnhExcFlt.DLL plugin to patch first.

0066E000 E8 0E000000        call 0066E013                    //OllyDbg pauses here after loading
0066E005 8B5424 0C          mov edx,dword ptr ss:[esp+C]
0066E009 8382 B8000000 0>   add dword ptr ds:[edx+B8],0D
0066E010 33C0               xor eax,eax
0066E012 C3                 retn

The code at 0066E005 is an exception handler: it takes the CONTEXT pointer from [esp+C], adds 0D to the saved Eip (offset B8 in the x86 CONTEXT) and returns 0, so once the exception is handled execution resumes past the instruction that raised it.
If you did not patch with the UnhandledExceptionFilter plugin, you can modify it as follows. Ctrl+G: UnhandledExceptionFilter

7C862B8A 68 48020000        push 248
7C862B8F 68 E035867C        push kernel32.7C8635E0
7C862B94 E8 32F9F9FF        call kernel32.7C8024CB
7C862B99 A1 CC36887C        mov eax,dword ptr ds:[7C8836CC]
7C862B9E 8945 E4            mov dword ptr ss:[ebp-1C],eax
7C862BA1 8B5D 08            mov ebx,dword ptr ss:[ebp+8]
7C862BA4 899D 88FEFFFF      mov dword ptr ss:[ebp-178],ebx
7C862BAA C785 B8FEFFFF 0>   mov dword ptr ss:[ebp-148],4
7C862BB4 33FF               xor edi,edi
7C862BB6 89BD C4FEFFFF      mov dword ptr ss:[ebp-13C],edi
7C862BBC 89BD 94FEFFFF      mov dword ptr ss:[ebp-16C],edi
7C862BC2 8B03               mov eax,dword ptr ds:[ebx]
7C862BC4 F640 04 10         test byte ptr ds:[eax+4],10
7C862BC8 74 0A              je short kernel32.7C862BD4
7C862BCA FF30               push dword ptr ds:[eax]
7C862BCC 6A FF              push -1
7C862BCE FF15 FC13807C      call dword ptr ds:[<&ntdll.NtTerminateProcess>]
7C862BD4 8B03               mov eax,dword ptr ds:[ebx]
7C862BD6 BE 050000C0        mov esi,C0000005
7C862BDB 3930               cmp dword ptr ds:[eax],esi
7C862BDD 75 1A              jnz short kernel32.7C862BF9
7C862BDF 8378 14 01         cmp dword ptr ds:[eax+14],1
7C862BE3 75 14              jnz short kernel32.7C862BF9
7C862BE5 FF70 18            push dword ptr ds:[eax+18]
7C862BE8 E8 87FCFFFF        call kernel32.7C862874
7C862BED 83F8 FF            cmp eax,-1
7C862BF0 75 07              jnz short kernel32.7C862BF9
7C862BF2 0BC0               or eax,eax
7C862BF4 E9 5F080000        jmp kernel32.7C863458
7C862BF9 89BD DCFEFFFF      mov dword ptr ss:[ebp-124],edi
7C862BFF 57                 push edi
7C862C00 6A 04              push 4
7C862C02 8D85 DCFEFFFF      lea eax,dword ptr ss:[ebp-124]
7C862C08 50                 push eax
7C862C09 6A 07              push 7
7C862C0B E8 FDB3FAFF        call kernel32.GetCurrentProcess
7C862C10 50                 push eax
7C862C11 FF15 AC10807C      call dword ptr ds:[<&ntdll.NtQueryInformationProcess>]
7C862C17 85C0               test eax,eax
7C862C19 0F8C A2000000      jl kernel32.7C862CC1
7C862C1F 39BD DCFEFFFF      cmp dword ptr ss:[ebp-124],edi       //change to: mov dword ptr ss:[ebp-124],0
7C862C25 0F84 96000000      je kernel32.7C862CC1                 //change to: jmp 7C862CC1

Information class 7 passed to NtQueryInformationProcess here is ProcessDebugPort; the two patches force the branch that is taken when no debug port is set.
Obsidium V1.25 also has a check aimed specifically at ring-3 debuggers on WinXP. Ctrl+G: CheckRemoteDebuggerPresent

7C859902 8BFF               mov edi,edi
7C859904 55                 push ebp
7C859905 8BEC               mov ebp,esp
7C859907 837D 08 00         cmp dword ptr ss:[ebp+8],0
7C85990B 56                 push esi
7C85990C 74 35              je short kernel32.7C859943
7C85990E 8B75 0C            mov esi,dword ptr ss:[ebp+C]
7C859911 85F6               test esi,esi
7C859913 74 2E              je short kernel32.7C859943
7C859915 6A 00              push 0
7C859917 6A 04              push 4
7C859919 8D45 08            lea eax,dword ptr ss:[ebp+8]
7C85991C 50                 push eax
7C85991D 6A 07              push 7
7C85991F FF75 08            push dword ptr ss:[ebp+8]
7C859922 FF15 AC10807C      call dword ptr ds:[<&ntdll.NtQueryInformationProcess>]
7C859928 85C0               test eax,eax
7C85992A 7D 08              jge short kernel32.7C859934
7C85992C 50                 push eax
7C85992D E8 49FAFAFF        call kernel32.7C80937B
7C859932 EB 16              jmp short kernel32.7C85994A
7C859934 33C0               xor eax,eax
7C859936 3945 08            cmp dword ptr ss:[ebp+8],eax
7C859939 0F95C0             setne al
7C85993C 8906               mov dword ptr ds:[esi],eax
7C85993E 33C0               xor eax,eax
7C859940 40                 inc eax                              //change to: nop
7C859941 EB 09              jmp short kernel32.7C85994C
7C859943 6A 57              push 57
7C859945 E8 76F9FAFF        call kernel32.7C8092C0
7C85994A 33C0               xor eax,eax
7C85994C 5E                 pop esi
7C85994D 5D                 pop ebp
7C85994E C2 0800            retn 8
OK, the program now runs normally inside the modified OllyDbg.
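As an added check on the two kernel32 listings above (my own example, not code from the original write-up): a small parser for OllyDbg-style lines that recomputes each jmp/jcc/call target from the raw opcode bytes, and an encoder for the `je` -> `jmp 7C862CC1` patch at 7C862C25 so the rel32 displacement is right for the shorter E9 form. The sample lines are copied from the listings above with only their branch instructions kept; the regex assumes the "address bytes instruction" layout shown there.

```python
import re
import struct

# Constructed sample: branch lines copied from the two kernel32 listings above,
# in the "address  bytes  instruction" shape OllyDbg prints them.
LISTING = """\
7C862BC8 74 0A          je short kernel32.7C862BD4
7C862BE8 E8 87FCFFFF    call kernel32.7C862874
7C862BF4 E9 5F080000    jmp kernel32.7C863458
7C862C25 0F84 96000000  je kernel32.7C862CC1
"""

LINE_RE = re.compile(  # address, hex byte groups, jcc/jmp/call [short] [module.]target
    r"^(?P<addr>[0-9A-F]{8})\s+(?P<code>(?:(?:[0-9A-F]{2})+\s+)+)"
    r"(?P<mnem>j[a-z]+|call)\s+(?:short\s+)?(?:\w+\.)?(?P<target>[0-9A-F]{8})$",
    re.IGNORECASE,
)

def branch_target(addr, code):
    """Target of the relative jmp/jcc/call whose encoding `code` sits at `addr`."""
    op = code[0]
    if op == 0xEB or 0x70 <= op <= 0x7F:            # jmp short / jcc short: rel8
        rel, size = struct.unpack("<b", code[1:2])[0], 2
    elif op in (0xE8, 0xE9):                        # call / jmp near: rel32
        rel, size = struct.unpack("<i", code[1:5])[0], 5
    elif op == 0x0F and 0x80 <= code[1] <= 0x8F:    # jcc near (0F 8x): rel32
        rel, size = struct.unpack("<i", code[2:6])[0], 6
    else:
        raise ValueError("not a relative branch: " + code.hex())
    # the displacement is relative to the end of the instruction
    return (addr + size + rel) & 0xFFFFFFFF

def check_listing(text):
    """[(addr, mnemonic, listed_target, decoded_matches_listed), ...] per branch line."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                # not a branch line: skip
        addr = int(m.group("addr"), 16)
        code = bytes.fromhex("".join(m.group("code").split()))
        listed = int(m.group("target"), 16)
        results.append((addr, m.group("mnem").lower(), listed,
                        branch_target(addr, code) == listed))
    return results

def encode_jmp(addr, target):
    """Bytes of `jmp target` (E9 rel32) written at `addr`, e.g. the 7C862C25 patch."""
    rel = (target - (addr + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel)
```

The E9 form is five bytes, one shorter than the six-byte `je` it replaces; the leftover byte is never executed, but padding it with 90 (nop) keeps the listing decodable.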
—————————————————————————————————