VGCrypt PE Encryptor V0.75 unpacking――the Vgcrypt.exe main program
Download: http://member.netease.com/~fsdb/source/vgcrypt.zip
File size: 16 KB
[Software description]: This is a fairly simple PE encryptor I wrote up. I commented everything that is relevant to PE appendation or insertion, more so than I needed to even. The most interesting feature of this encryptor is that it attempts to find a location to insert itself between object virtual size and the next file alignment boundary, thus not changing the physical file size.
[Author's note]: I am a beginner at cracking and do this purely out of interest, with no other purpose. If I have made mistakes, I would be grateful for corrections from the experts!
[Tools used]: Ollydbg 1.09, PEiD, LordPE, ImportREC
―――――――――――――――――――――――――――――――――
[Unpacking process]:
Debugging environment: Win98SE + Ollydbg. An unpacker already exists for this V0.75 VGCrypt: UnVGCrypt V0.1.
Heh, the Vgcrypt.exe main program is quite something: it packed itself with four layers of its own packer! :-)
――――――――――――――――――――――――
1. Layer 1
00408000 9C pushfd
====> OllyDbg breaks here right after loading!
00408001 55 push ebp
00408002 E8 EC000000 call VGCRYPT.004080F3
====> F7 to step into
004080F3 E8 00000000 call VGCRYPT.004080F8
====> a disguised JMP! F7 into it
004080F8 8B2C24 mov ebp,dword ptr ss:[esp]
004080FB 81ED 1C274000 sub ebp,VGCRYPT.0040271C
00408101 83C4 04 add esp,4
00408104 C3 retn
====> returns to 00408007
00408007 87D5 xchg ebp,edx
00408009 5D pop ebp
0040800A 60 pushad
0040800B 87D5 xchg ebp,edx
0040800D 80BD 15274000 01 cmp byte ptr ss:[ebp+402715],1
00408014 74 39 je short VGCRYPT.0040804F
00408016 C685 15274000 01 mov byte ptr ss:[ebp+402715],1
0040801D E9 E4000000 jmp VGCRYPT.00408106
====> jumps
00408106 E8 1B000000 call VGCRYPT.00408126
====> F7 to step into
00408126 64:67:FF36 0000 push dword ptr fs:[0]
0040812C 64:67:8926 0000 mov dword ptr fs:[0],esp
00408132 8DB5 47264000 lea esi,dword ptr ss:[ebp+402647]
00408138 8BFE mov edi,esi
0040813A B9 CA000000 mov ecx,0CA
0040813F 8AA5 11274000 mov ah,byte ptr ss:[ebp+402711]
00408145 AC lods byte ptr ds:[esi]
00408146 32C4 xor al,ah
00408148 FEC4 inc ah
0040814A C0C4 02 rol ah,2
0040814D 80C4 90 add ah,90
00408150 AA stos byte ptr es:[edi]
00408151 ^ E2 F2 loopd short VGCRYPT.00408145
====> F4 here to run past the LOOP!
00408153 ^ E9 CBFEFFFF jmp VGCRYPT.00408023
====> jumps
00408023 E8 00000000 call VGCRYPT.00408028
====> a disguised JMP! F7 into it
00408028 8B9D 05274000 mov ebx,dword ptr ss:[ebp+402705]
0040802E 83C3 28 add ebx,28
00408031 58 pop eax
00408032 2BC3 sub eax,ebx
00408034 8985 0D274000 mov dword ptr ss:[ebp+40270D],eax
0040803A CC int3
====> F4 to the next line to skip this int3, otherwise the program just runs away! (The int3 raises an exception that the SEH frame installed at 00408126 handles, and the handler resumes execution at 0040803B.)
0040803B 8DBD 24264000 lea edi,dword ptr ss:[ebp+402624]
00408041 B9 3B000000 mov ecx,3B
00408046 F3:AA rep stos byte ptr es:[edi]
00408048 64:67:8F06 0000 pop dword ptr fs:[0]
0040804E 5A pop edx
0040804F 8B85 0D274000 mov eax,dword ptr ss:[ebp+40270D]
00408055 0185 09274000 add dword ptr ss:[ebp+402709],eax
0040805B 61 popad
0040805C 9D popfd
0040805D 8B9A 09274000 mov ebx,dword ptr ds:[edx+402709]
00408063 898A 09274000 mov dword ptr ds:[edx+402709],ecx
====> F4 straight to here!
00408069 FFE3 jmp ebx
====> jumps to 00407000
====> with an ordinary VGCrypt-packed program, this jump goes straight to the OEP!
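The decryption loop at 00408145-00408151 (repeated unchanged in every layer) is easy to model outside the debugger, which lets you read a layer's stub body statically instead of stepping through it. The Python below is an added example, not code from the page or from VGCrypt itself; the seed byte the stub reads from ebp+402711 is not shown on the page, so the seeds and the sample bytes used here are assumptions.

```python
# Model of the VGCrypt layer-decryption loop (00408145-00408151), added as an
# analysis aid; it is not VGCrypt's own code.  Each layer's stub rewrites
# 0xCA bytes starting at ebp+402647 in place with a rolling 8-bit key:
#   lodsb ; xor al,ah ; inc ah ; rol ah,2 ; add ah,90 ; stosb ; loop
# The seed byte (ah, read from ebp+402711) is not shown on the page, so any
# seed used here is an assumption.
LAYER_LEN = 0xCA  # ecx at 0040813A


def rol8(value: int, count: int) -> int:
    """8-bit rotate left, matching `rol ah, count`."""
    value &= 0xFF
    return ((value << count) | (value >> (8 - count))) & 0xFF


def vgcrypt_keystream(seed: int, length: int = LAYER_LEN) -> bytes:
    """Key bytes the stub XORs in, in order.  Independent of the data."""
    ah = seed & 0xFF
    out = bytearray()
    for _ in range(length):
        out.append(ah)              # this byte is XORed into al
        ah = (ah + 1) & 0xFF        # inc ah
        ah = rol8(ah, 2)            # rol ah,2
        ah = (ah + 0x90) & 0xFF     # add ah,90
    return bytes(out)


def vgcrypt_xor(data: bytes, seed: int) -> bytes:
    """Apply the stub's transform.  XOR against a data-independent
    keystream is its own inverse, so one function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, vgcrypt_keystream(seed, len(data))))


def decrypt_layer(image: bytes, offset: int, seed: int,
                  length: int = LAYER_LEN) -> bytes:
    """Return a copy of `image` with the stub body at `offset` decrypted,
    so the layer can be read statically instead of stepped through."""
    buf = bytearray(image)
    buf[offset:offset + length] = vgcrypt_xor(bytes(buf[offset:offset + length]), seed)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample: the first bytes listed at 00408028, encrypted
    # with an assumed seed of 0x37 and then decrypted again.
    body = bytes.fromhex("8b9d0527400083c328582bc3")
    enc = vgcrypt_xor(body, 0x37)
    assert vgcrypt_xor(enc, 0x37) == body
    print(vgcrypt_keystream(0, 8).hex())
```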
――――――――――――――――――――――――
2. Layer 2
00407000 9C pushfd
00407001 55 push ebp
00407002 E8 EC000000 call VGCRYPT.004070F3
====> F7 to step into
004070F3 E8 00000000 call VGCRYPT.004070F8
====> a disguised JMP! F7 into it
004070F8 8B2C24 mov ebp,dword ptr ss:[esp]
004070FB 81ED 1C274000 sub ebp,VGCRYPT.0040271C
00407101 83C4 04 add esp,4
00407104 C3 retn
====> returns to 00407007
00407007 87D5 xchg ebp,edx
00407009 5D pop ebp
0040700A 60 pushad
0040700B 87D5 xchg ebp,edx
0040700D 80BD 15274000 01 cmp byte ptr ss:[ebp+402715],1
00407014 74 39 je short VGCRYPT.0040704F
00407016 C685 15274000 01 mov byte ptr ss:[ebp+402715],1
0040701D E9 E4000000 jmp VGCRYPT.00407106
====> jumps
00407106 E8 1B000000 call VGCRYPT.00407126
====> F7 to step into
00407126 64:67:FF36 0000 push dword ptr fs:[0]
0040712C 64:67:8926 0000 mov dword ptr fs:[0],esp
00407132 8DB5 47264000 lea esi,dword ptr ss:[ebp+402647]
00407138 8BFE mov edi,esi
0040713A B9 CA000000 mov ecx,0CA
0040713F 8AA5 11274000 mov ah,byte ptr ss:[ebp+402711]
00407145 AC lods byte ptr ds:[esi]
00407146 32C4 xor al,ah
00407148 FEC4 inc ah
0040714A C0C4 02 rol ah,2
0040714D 80C4 90 add ah,90
00407150 AA stos byte ptr es:[edi]
00407151 ^ E2 F2 loopd short VGCRYPT.00407145
====> F4 here to run past the LOOP!
00407153 ^ E9 CBFEFFFF jmp VGCRYPT.00407023
====> jumps
00407023 E8 00000000 call VGCRYPT.00407028
00407028 8B9D 05274000 mov ebx,dword ptr ss:[ebp+402705]
0040702E 83C3 28 add ebx,28
00407031 58 pop eax
00407032 2BC3 sub eax,ebx
00407034 8985 0D274000 mov dword ptr ss:[ebp+40270D],eax
0040703A CC int3
====> F4 to the next line to skip this int3, otherwise the program just runs away!
0040703B 8DBD 24264000 lea edi,dword ptr ss:[ebp+402624]
00407041 B9 3B000000 mov ecx,3B
00407046 F3:AA rep stos byte ptr es:[edi]
00407048 64:67:8F06 0000 pop dword ptr fs:[0]
0040704E 5A pop edx
0040704F 8B85 0D274000 mov eax,dword ptr ss:[ebp+40270D]
00407055 0185 09274000 add dword ptr ss:[ebp+402709],eax
0040705B 61 popad
0040705C 9D popfd
0040705D 8B9A 09274000 mov ebx,dword ptr ds:[edx+402709]
00407063 898A 09274000 mov dword ptr ds:[edx+402709],ecx
====> F4 straight to here!
00407069 FFE3 jmp ebx
====> jumps to 00406000
――――――――――――――――――――――――
3. Layer 3
A faster method from here on! :-) The flow is identical in every layer, so walking it as above works too.
00406000 9C pushfd
00406001 55 push ebp
00406002 E8 EC000000 call VGCRYPT.004060F3
====> not stepping in this time! I have a better way ^O^
00406007 87D5 xchg ebp,edx
00406009 5D pop ebp
0040600A 60 pushad
0040600B 87D5 xchg ebp,edx
0040600D 80BD 15274000 01 cmp byte ptr ss:[ebp+402715],1
00406014 74 39 je short VGCRYPT.0040604F
00406016 C685 15274000 01 mov byte ptr ss:[ebp+402715],1
0040601D E9 E4000000 jmp VGCRYPT.00406106
====> jumps; heh, that saves a detour
00406106 E8 1B000000 call VGCRYPT.00406126
0040610B 8B6424 08 mov esp,dword ptr ss:[esp+8]
0040610F E8 DFFFFFFF call VGCRYPT.004060F3
00406114 C685 CC264000 C3 mov byte ptr ss:[ebp+4026CC],0C3
0040611B E8 4BFFFFFF call VGCRYPT.0040606B
00406120 ^ E9 16FFFFFF jmp VGCRYPT.0040603B
00406125 B7 64 mov bh,64
00406127 67:FF36 0000 push dword ptr ds:[0]
0040612C 64:67:8926 0000 mov dword ptr fs:[0],esp
00406132 8DB5 47264000 lea esi,dword ptr ss:[ebp+402647]
00406138 8BFE mov edi,esi
0040613A B9 CA000000 mov ecx,0CA
0040613F 8AA5 11274000 mov ah,byte ptr ss:[ebp+402711]
00406145 AC lods byte ptr ds:[esi]
00406146 32C4 xor al,ah
00406148 FEC4 inc ah
0040614A C0C4 02 rol ah,2
0040614D 80C4 90 add ah,90
00406150 AA stos byte ptr es:[edi]
00406151 ^ E2 F2 loopd short VGCRYPT.00406145
00406153 ^ E9 CBFEFFFF jmp VGCRYPT.00406023
====> F4 straight to here, out of the LOOP!
00406023 E8 00000000 call VGCRYPT.00406028
00406028 8B9D 05274000 mov ebx,dword ptr ss:[ebp+402705]
0040602E 83C3 28 add ebx,28
00406031 58 pop eax
00406032 2BC3 sub eax,ebx
00406034 8985 0D274000 mov dword ptr ss:[ebp+40270D],eax
0040603A CC int3
0040603B 8DBD 24264000 lea edi,dword ptr ss:[ebp+402624]
00406041 B9 3B000000 mov ecx,3B
00406046 F3:AA rep stos byte ptr es:[edi]
00406048 64:67:8F06 0000 pop dword ptr fs:[0]
0040604E 5A pop edx
0040604F 8385 0D274000 01 add dword ptr ss:[ebp+40270D],1
00406056 8509 test dword ptr ds:[ecx],ecx
00406058 27 daa
00406059 40 inc eax
0040605A 0061 9D add byte ptr ds:[ecx-63],ah
0040605D 8B9A 09274000 mov ebx,dword ptr ds:[edx+402709]
00406063 898A 09274000 mov dword ptr ds:[edx+402709],ecx
====> F4 straight to here! (OllyDbg shows the bytes at 0040604F-0040605A misdecoded in this listing; the layer behaves exactly like layer 1 and ends in the same mov ebx,[edx+402709] / jmp ebx.)
00406069 FFE3 jmp ebx
====> jumps to 00405000
――――――――――――――――――――――――
4. Layer 4
00405000 9C pushfd
00405001 55 push ebp
00405002 E8 EC000000 call VGCRYPT.004050F3
00405007 87D5 xchg ebp,edx
00405009 5D pop ebp
0040500A 60 pushad
0040500B 87D5 xchg ebp,edx
0040500D 80BD 15274000 01 cmp byte ptr ss:[ebp+402715],1
00405014 74 39 je short VGCRYPT.0040504F
00405016 C685 15274000 01 mov byte ptr ss:[ebp+402715],1
0040501D E9 E4000000 jmp VGCRYPT.00405106
====> jumps
00405106 E8 1B000000 call VGCRYPT.00405126
0040510B 8B6424 08 mov esp,dword ptr ss:[esp+8]
0040510F E8 DFFFFFFF call VGCRYPT.004050F3
00405114 C685 CC264000 C3 mov byte ptr ss:[ebp+4026CC],0C3
0040511B E8 4BFFFFFF call VGCRYPT.0040506B
00405120 ^ E9 16FFFFFF jmp VGCRYPT.0040503B
00405125 B7 64 mov bh,64
00405127 67:FF36 0000 push dword ptr ds:[0]
0040512C 64:67:8926 0000 mov dword ptr fs:[0],esp
00405132 8DB5 47264000 lea esi,dword ptr ss:[ebp+402647]
00405138 8BFE mov edi,esi
0040513A B9 CA000000 mov ecx,0CA
0040513F 8AA5 11274000 mov ah,byte ptr ss:[ebp+402711]
00405145 AC lods byte ptr ds:[esi]
00405146 32C4 xor al,ah
00405148 FEC4 inc ah
0040514A C0C4 02 rol ah,2
0040514D 80C4 90 add ah,90
00405150 AA stos byte ptr es:[edi]
00405151 ^ E2 F2 loopd short VGCRYPT.00405145
00405153 ^ E9 CBFEFFFF jmp VGCRYPT.00405023
====> F4 straight to here, out of the LOOP!
00405023 E8 00000000 call VGCRYPT.00405028
00405028 8B9D 05274000 mov ebx,dword ptr ss:[ebp+402705]
0040502E 83C3 28 add ebx,28
00405031 58 pop eax
00405032 2BC3 sub eax,ebx
00405034 8985 0D274000 mov dword ptr ss:[ebp+40270D],eax
0040503A CC int3
0040503B 8DBD 24264000 lea edi,dword ptr ss:[ebp+402624]
00405041 B9 3B000000 mov ecx,3B
00405046 F3:AA rep stos byte ptr es:[edi]
00405048 64:67:8F06 0000 pop dword ptr fs:[0]
0040504E 5A pop edx
0040504F 8B85 0D274000 mov eax,dword ptr ss:[ebp+40270D]
00405055 0185 09274000 add dword ptr ss:[ebp+402709],eax
0040505B 61 popad
0040505C 9D popfd
0040505D 8B9A 09274000 mov ebx,dword ptr ds:[edx+402709]
00405063 898A 09274000 mov dword ptr ds:[edx+402709],ecx
====> F4 straight to here!
00405069 FFE3 jmp ebx
====> jumps to 00401000, and that is the OEP :-)
――――――――――――――――――――――――
00401000 E8 db E8
====> at this point, do a full dump of the process with LordPE
00401001 51 db 51
00401002 06 db 06
―――――――――――――――――――――――
With the debugger stopped at the OEP, run ImportREC and select this process. Set the OEP to 00001000, click IAT AutoSearch, then click "Get Import":
all the functions are valid. Fix Dump, and the result runs normally! 8.5K -> 40K
―――――――――――――――――――――――――――――――――
Youth is but a moment;
I would gladly trade empty fame
for the wild abandon of cracking.
Cracked By 巢水工作坊――fly [OCN][FCG]
2003-10-02 02:20