首先用PEID查下殼:什麼也沒發現,看區段名有Themida 字樣,初步估計應該是1.8.X的。
載入後隱藏我們的OD,在程式碼片段下記憶體寫入斷點
0041D014 > B8 00000000 MOV EAX,0 ;載入點。注意看這些代碼
0041D019 60 PUSHAD
0041D01A 0BC0 OR EAX,EAX ;明眼的就看出是Themida 殼了
0041D01C 74 68 JE SHORT 無敵外掛.0041D086
0041D01E E8 00000000 CALL 無敵外掛.0041D023
0041D023 58 POP EAX
0041D024 05 53000000 ADD EAX,53
0041D029 8038 E9 CMP BYTE PTR DS:[EAX],0E9
0041D02C 75 13 JNZ SHORT 無敵外掛.0041D041
0041D02E 61 POPAD
0041D02F EB 45 JMP SHORT 無敵外掛.0041D076
===============================================================================
SHIFT+F9運行,第一次中斷在下面:
004F14A2 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[> ;F7一次後F8一次
004F14A4 C685 CD2A1B07 5>MOV BYTE PTR SS:[EBP+71B2ACD],56
004F14AB 68 396D1FD4 PUSH D41F6D39
004F14B0 FFB5 FD051B07 PUSH DWORD PTR SS:[EBP+71B05FD]
004F14B6 8D85 E87C1E07 LEA EAX,DWORD PTR SS:[EBP+71E7CE8]
004F14BC FFD0 CALL EAX
004F14BE 68 00800000 PUSH 8000
004F14C3 6A 00 PUSH 0
004F14C5 52 PUSH EDX
004F14C6 FFD0 CALL EAX
===============================================================================
SHIFT+F9繼續運行,斷在下面:
004F52E1 8908 MOV DWORD PTR DS:[EAX],ECX ;中斷在這裡,往上面找代碼
===============================================================================
004F4A80 /0F84 17000000 JE 無敵外掛.004F4A9D
004F4A86 |83BD 310E1B07 0>CMP DWORD PTR SS:[EBP+71B0E31],0
004F4A8D |0F85 0A000000 JNZ 無敵外掛.004F4A9D 《====改成JMP 004F4A9D ==========
004F4A93 |C785 410C1B07 0>MOV DWORD PTR SS:[EBP+71B0C41],1
004F4A9D \61 POPAD
004F4A9E B9 46A60308 MOV ECX,803A646
004F4AA3 BA 9AD13616 MOV EDX,1636D19A
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
004F4BC4 5E POP ESI
004F4BC5 83BD 31011B07 0>CMP DWORD PTR SS:[EBP+71B0131],1
004F4BCC 0F84 39000000 JE 無敵外掛.004F4C0B 《====改成JMP 004F4BF6 ===========
004F4BD2 3B8D 29081B07 CMP ECX,DWORD PTR SS:[EBP+71B0829]
004F4BD8 0F84 2D000000 JE 無敵外掛.004F4C0B
004F4BDE 3B8D 1D171B07 CMP ECX,DWORD PTR SS:[EBP+71B171D]
004F4BE4 0F84 21000000 JE 無敵外掛.004F4C0B
004F4BEA 3B8D 552A1B07 CMP ECX,DWORD PTR SS:[EBP+71B2A55]
004F4BF0 0F84 15000000 JE 無敵外掛.004F4C0B
004F4BF6 8D9D E2FD2107 LEA EBX,DWORD PTR SS:[EBP+721FDE2]
004F4BFC FFD3 CALL EBX
004F4BFE 8BF8 MOV EDI,EAX
004F4C00 8985 1D2F1B07 MOV DWORD PTR SS:[EBP+71B2F1D],EAX
004F4C06 E9 B4060000 JMP 無敵外掛.004F52BF
004F4C0B 8D9D E2FD2107 LEA EBX,DWORD PTR SS:[EBP+721FDE2]
004F4C11 FFD3 CALL EBX
004F4C13 83BD 31011B07 0>CMP DWORD PTR SS:[EBP+71B0131],0
===============================================================================
改好上面2處跳轉(目的是避開加密)後返回中斷處,用HideOD申請一段記憶體位址(我的是2A30000)
004F52E1 8908 MOV DWORD PTR DS:[EAX],ECX ;中斷處,改成 JMP 2A30000
004F52E3 AD LODS DWORD PTR DS:[ESI]
004F52E4 C746 FC 0000000>MOV DWORD PTR DS:[ESI-4],0
004F52EB 89B5 6D301B07 MOV DWORD PTR SS:[EBP+71B306D],ESI ;地址A,記下來
004F52F1 83F8 FF CMP EAX,-1
004F52F4 0F85 20000000 JNZ 無敵外掛.004F531A
004F52FA 813E DDDDDDDD CMP DWORD PTR DS:[ESI],DDDDDDDD
004F5300 0F85 14000000 JNZ 無敵外掛.004F531A
004F5306 C706 00000000 MOV DWORD PTR DS:[ESI],0
004F530C 83C6 04 ADD ESI,4
004F530F 89B5 6D301B07 MOV DWORD PTR SS:[EBP+71B306D],ESI
004F5315 ^ E9 E6F6FFFF JMP 無敵外掛.004F4A00
004F531A C1C0 03 ROL EAX,3
004F531D 0385 11171B07 ADD EAX,DWORD PTR SS:[EBP+71B1711]
004F5323 83BD 99221B07 0>CMP DWORD PTR SS:[EBP+71B2299],1
004F532A 0F84 9D000000 JE 無敵外掛.004F53CD
004F5330 813E AAAAAAAA CMP DWORD PTR DS:[ESI],AAAAAAAA
004F5336 0F85 12000000 JNZ 無敵外掛.004F534E
004F533C 83C6 04 ADD ESI,4
004F533F C746 FC 0000000>MOV DWORD PTR DS:[ESI-4],0
004F5346 97 XCHG EAX,EDI
004F5347 B0 E9 MOV AL,0E9
004F5349 E9 03000000 JMP 無敵外掛.004F5351
004F534E 97 XCHG EAX,EDI
004F534F B0 E8 MOV AL,0E8
004F5351 50 PUSH EAX
004F5352 83BD 31011B07 0>CMP DWORD PTR SS:[EBP+71B0131],1
004F5359 0F84 3E000000 JE 無敵外掛.004F539D
004F535F B8 00010000 MOV EAX,100
004F5364 83BD C7E82107 0>CMP DWORD PTR SS:[EBP+721E8C7],0
004F536B 0F84 08000000 JE 無敵外掛.004F5379
004F5371 8D9D 61712107 LEA EBX,DWORD PTR SS:[EBP+7217161]
004F5377 FFD3 CALL EBX
004F5379 803F 90 CMP BYTE PTR DS:[EDI],90
004F537C 0F84 08000000 JE 無敵外掛.004F538A
004F5382 83C7 05 ADD EDI,5
004F5385 E9 43000000 JMP 無敵外掛.004F53CD
004F538A 83F8 50 CMP EAX,50
004F538D 0F82 0A000000 JB 無敵外掛.004F539D
004F5393 B0 90 MOV AL,90
004F5395 AA STOS BYTE PTR ES:[EDI]
004F5396 58 POP EAX
004F5397 AA STOS BYTE PTR ES:[EDI]
004F5398 E9 24000000 JMP 無敵外掛.004F53C1 ;改成 JMP 2A30014
004F539D 58 POP EAX
004F539E AA STOS BYTE PTR ES:[EDI]
004F539F 807F FF E9 CMP BYTE PTR DS:[EDI-1],0E9
004F53A3 0F85 18000000 JNZ 無敵外掛.004F53C1 ;改成 JMP 2A30036
004F53A9 83BD C7E82107 0>CMP DWORD PTR SS:[EBP+721E8C7],0 ;地址C,記下來
004F53B0 0F84 08000000 JE 無敵外掛.004F53BE
004F53B6 8D9D 31712107 LEA EBX,DWORD PTR SS:[EBP+7217131]
004F53BC FFD3 CALL EBX
004F53BE 8847 04 MOV BYTE PTR DS:[EDI+4],AL ;這裡NOP掉
004F53C1 8B85 1D2F1B07 MOV EAX,DWORD PTR SS:[EBP+71B2F1D] ;地址B,記下來
004F53C7 2BC7 SUB EAX,EDI
004F53C9 83E8 04 SUB EAX,4
004F53CC AB STOS DWORD PTR ES:[EDI] ;這裡NOP掉
004F53CD AD LODS DWORD PTR DS:[ESI]
004F53CE C746 FC 0000000>MOV DWORD PTR DS:[ESI-4],0
004F53D5 ^ E9 11FFFFFF JMP 無敵外掛.004F52EB ;改成 JMP 02A3005F
004F53DA 89B5 6D301B07 MOV DWORD PTR SS:[EBP+71B306D],ESI
004F53E0 52 PUSH EDX
004F53E1 68 00800000 PUSH 8000
004F53E6 6A 00 PUSH 0
004F53E8 FFB5 F5211B07 PUSH DWORD PTR SS:[EBP+71B21F5]
004F53EE FF95 49131B07 CALL DWORD PTR SS:[EBP+71B1349]
004F53F4 5A POP EDX
004F53F5 8B8D 9D121B07 MOV ECX,DWORD PTR SS:[EBP+71B129D]
004F53FB C701 00000000 MOV DWORD PTR DS:[ECX],0
004F5401 83C1 04 ADD ECX,4
004F5404 898D 9D121B07 MOV DWORD PTR SS:[EBP+71B129D],ECX
004F540A ^ E9 10F5FFFF JMP 無敵外掛.004F491F
004F540F E9 A4060000 JMP 無敵外掛.004F5AB8 ;這裡F2下個斷點
004F5414 60 PUSHAD
004F5415 8B8D 9D121B07 MOV ECX,DWORD PTR SS:[EBP+71B129D]
004F541B 8B09 MOV ECX,DWORD PTR DS:[ECX]
004F541D 898D C3E82107 MOV DWORD PTR SS:[EBP+721E8C3],ECX
004F5423 8138 4E54444C CMP DWORD PTR DS:[EAX],4C44544E
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
CTRL+G 來到2A30000處,寫如下代碼:
02A30000 A3 0004A302 MOV DWORD PTR DS:[2A30400],EAX
02A30005 8908 MOV DWORD PTR DS:[EAX],ECX
02A30007 AD LODS DWORD PTR DS:[ESI]
02A30008 C746 FC 0000000>MOV DWORD PTR DS:[ESI-4],0
02A3000F - E9 D752ACFD JMP 無敵外掛.004F52EB ;地址A
02A30014 50 PUSH EAX
02A30015 A1 0004A302 MOV EAX,DWORD PTR DS:[2A30400]
02A3001A 8907 MOV DWORD PTR DS:[EDI],EAX
02A3001C 807F FF E8 CMP BYTE PTR DS:[EDI-1],0E8
02A30020 75 08 JNZ SHORT 02A3002A
02A30022 66:C747 FE FF15 MOV WORD PTR DS:[EDI-2],15FF
02A30028 EB 06 JMP SHORT 02A30030
02A3002A 66:C747 FE FF25 MOV WORD PTR DS:[EDI-2],25FF
02A30030 58 POP EAX
02A30031 - E9 8B53ACFD JMP 無敵外掛.004F53C1 ;地址B
02A30036 50 PUSH EAX
02A30037 A1 0004A302 MOV EAX,DWORD PTR DS:[2A30400]
02A3003C 8947 01 MOV DWORD PTR DS:[EDI+1],EAX
02A3003F 807F FF E8 CMP BYTE PTR DS:[EDI-1],0E8
02A30043 75 08 JNZ SHORT 02A3004D
02A30045 66:C747 FF FF15 MOV WORD PTR DS:[EDI-1],15FF
02A3004B EB 06 JMP SHORT 02A30053
02A3004D 66:C747 FF FF25 MOV WORD PTR DS:[EDI-1],25FF
02A30053 58 POP EAX
02A30054 - 0F85 6753ACFD JNZ 無敵外掛.004F53C1 ;地址B
02A3005A - E9 4A53ACFD JMP 無敵外掛.004F53A9 ;地址C
02A3005F 83C7 04 ADD EDI,4
02A30062 - E9 8452ACFD JMP 無敵外掛.004F52EB ;地址A
02A30067 90 NOP
(二進位代碼)
A3 00 04 A3 02 89 08 AD C7 46 FC 00 00 00 00 E9 D7 52 AC FD 50 A1 00 04 A3 02 89 07 80 7F FF E8
75 08 66 C7 47 FE FF 15 EB 06 66 C7 47 FE FF 25 58 E9 8B 53 AC FD 50 A1 00 04 A3 02 89 47 01 80
7F FF E8 75 08 66 C7 47 FF FF 15 EB 06 66 C7 47 FF FF 25 58 0F 85 67 53 AC FD E9 4A 53 AC FD 83
C7 04 E9 84 52 AC FD 90
================================================================================
寫好代碼後,刪除先前在程式碼片段下的記憶體寫入斷點,shift+F9,中斷在004F540F,到這裡已經獲得了IAT,現在
找OEP.,在這裡我採用世面上流傳的找THEMIDA OEP方法:
取消004F540F處斷點,ALT+M開啟記憶體察看視窗,直接在程式碼片段F2下斷點。Shift+F9就中斷在OEP處了
004013A8 - FF25 DC104000 JMP DWORD PTR DS:[4010DC] ; MSVBVM60.ThunRTMain
004013AE 0000 ADD BYTE PTR DS:[EAX],AL
004013B0 DA00 FIADD DWORD PTR DS:[EAX]
004013B2 5C POP ESP
004013B3 A7 CMPS DWORD PTR DS:[ESI],DWORD PTR ES:[ED>
004013B4 9E SAHF
004013B5 D20F ROR BYTE PTR DS:[EDI],CL
004013B7 EE OUT DX,AL ; I/O 命令
004013B8 8BED MOV EBP,EBP
004013BA 0000 ADD BYTE PTR DS:[EAX],AL
004013BC 0000 ADD BYTE PTR DS:[EAX],AL
004013BE 0000 ADD BYTE PTR DS:[EAX],AL
004013C0 3000 XOR BYTE PTR DS:[EAX],AL
004013C2 0000 ADD BYTE PTR DS:[EAX],AL
004013C4 3800 CMP BYTE PTR DS:[EAX],AL
004013C6 0000 ADD BYTE PTR DS:[EAX],AL
004013C8 0000 ADD BYTE PTR DS:[EAX],AL
004013CA 0000 ADD BYTE PTR DS:[EAX],AL
004013CC D9F2 FPTAN
通過上面的代碼,我們很明顯發現程式是用VB編譯的,而且OEP已經被THEMIDA偷掉了,讓我們來
手動修複他的OEP吧。我們先找一個沒加殼的VB程式用OD載入進行對比一下就明白了。
004011D0 $- FF25 80104000 JMP DWORD PTR DS:[<&MSVBVM60.#100>] ; MSVBVM60.ThunRTMain
004011D6 00 DB 00
004011D7 00 DB 00
004011D8 > $ 68 7C184000 PUSH Variant.0040187C ;注意這裡,(搜尋VB5!)
004011DD . E8 EEFFFFFF CALL <JMP.&MSVBVM60.#100> ;這個CALL是指向上面的JMP
004011E2 . 0000 ADD BYTE PTR DS:[EAX],AL
004011E4 . 0000 ADD BYTE PTR DS:[EAX],AL
004011E6 . 0000 ADD BYTE PTR DS:[EAX],AL
004011E8 . 3000 XOR BYTE PTR DS:[EAX],AL
004011EA . 0000 ADD BYTE PTR DS:[EAX],AL
004011EC . 40 INC EAX
004011ED . 0000 ADD BYTE PTR DS:[EAX],AL
004011EF . 0000 ADD BYTE PTR DS:[EAX],AL
004011F1 . 0000 ADD BYTE PTR DS:[EAX],AL
004011F3 . 0058 2C ADD BYTE PTR DS:[EAX+2C],BL
004011F6 . 114A DB ADC DWORD PTR DS:[EDX-25],ECX
004011F9 . 43 INC EBX
004011FA . 8645 BA XCHG BYTE PTR SS:[EBP-46],AL
004011FD . 1822 SBB BYTE PTR DS:[EDX],AH
004011FF . 6D INS DWORD PTR ES:[EDI],DX ; I/O 命令
00401200 . CE INTO
00401201 . C3 RETN
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
改成如下代碼就手動修複OEP了:
004013A8 - FF25 DC104000 JMP DWORD PTR DS:[4010DC] ; MSVBVM60.ThunRTMain
004013AE 0000 ADD BYTE PTR DS:[EAX],AL
004013B0 68 D07E4000 PUSH 無敵外掛.00407ED0 ; ASCII "VB5!6&vb6chs.dll"
004013B5 E8 EEFFFFFF CALL 無敵外掛.004013A8 ; JMP 到 MSVBVM60.ThunRTMain
004013BA 0000 ADD BYTE PTR DS:[EAX],AL
004013BC 0000 ADD BYTE PTR DS:[EAX],AL
004013BE 0000 ADD BYTE PTR DS:[EAX],AL
004013C0 3000 XOR BYTE PTR DS:[EAX],AL
004013C2 0000 ADD BYTE PTR DS:[EAX],AL
004013C4 3800 CMP BYTE PTR DS:[EAX],AL
004013C6 0000 ADD BYTE PTR DS:[EAX],AL
004013C8 0000 ADD BYTE PTR DS:[EAX],AL
004013CA 0000 ADD BYTE PTR DS:[EAX],AL
004013CC D9F2 FPTAN
===============================================================================
到這裡修複後就可以用LOAD PE 脫殼,ImportREC修複輸入表
OEP:000013AE
RVA:00001000
大小:00000118
剪取掉一個無效指標後修複。試運行一下脫殼修複好的程式,正常。
PEID查殼 Microsoft Visual Basic 5.0 / 6
發現脫殼後的檔案巨大,用LOAD PE 清除 Themida 這個區段,儲存,在用LOAD PE 重建。
再次開啟重建後的程式,運行正常,檔案大小98.1KB 到這裡就脫殼+修複+最佳化完畢了。
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
