Unpacking Themida/WinLicense V1.8.2.0 + from PcShare Remote Control, Member Edition 20070826
阿新 • Published: 2018-12-19
[Author]: 冰橙子

[Detailed process]

Today I got hold of PcShare Remote Control, Member Edition 20070826. The release notes say:

1. Added injection into the default browser.
2. Reworked file download so everything is visible at a glance; victim machines can be managed even when they are not online.
3. Added window management.
4. Added mass messaging.
5. Added forcing a victim machine to visit a web page.
6. Added a proxy (incomplete, still in testing).
7. Added recording of the system logon password.

Reading this, I wanted to crack it, so let's get on with it. Newbie or not, the first step is to identify the packer. PEiD reports:

Themida/WinLicense V1.8.2.0 + -> Oreans Technologies * Sign.By.fly *

If your PEiD does not detect it, download the latest signature database. Since this is a Themida packer, and from version 1.9 on the anti-anti-debug plugins for OllyDbg alone are not enough, the debugger has to be hidden with a separate tool; PEiD is not very accurate at telling the versions apart, so I simply used HideToolz.exe to hide OD. In HideToolz.exe add the directory of your OD, and under the hide options tick: Hide process, Protect process, Hide windows, Protect from windows, Anti-anti debug, Auto Start.

With that set up, open OD:

1. Set OllyDbg to ignore all exceptions.
2. In the HideOD plugin tick Auto Run HideOD and HideNtdebugBit, and tick ZwQueryInformationProcess --> method2.

After OD loads the file we are here:

00556014 P> B8 00000000      mov eax,0
00556019    60               pushad
0055601A    0BC0             or eax,eax
0055601C    74 68            je short 00556086 ; PcShare.00556086
0055601E    E8 00000000      call 00556023 ; PcShare.00556023
00556023    58               pop eax ; kernel32.7C816FD7
00556024    05 53000000      add eax,53
00556029    8038 E9          cmp byte ptr ds:[eax],0E9
0055602C    75 13            jnz short 00556041 ; PcShare.00556041
0055602E    61               popad
0055602F    EB 45            jmp short 00556076 ; PcShare.00556076
00556031    DB2D 37605500    fld tbyte ptr ds:[556037]
00556037    FFFF             ??? ; Unknown command
00556039    FFFF             ??? ; Unknown command
0055603B    FFFF             ??? ; Unknown command
0055603D    FFFF             ??? ; Unknown command
0055603F    3D 40E80000      cmp eax,0E840
00556044    0000             add byte ptr ds:[eax],al
00556046    58               pop eax ; kernel32.7C816FD7
00556047    25 00F0FFFF      and eax,FFFFF000
0055604C    33FF             xor edi,edi ; ntdll.7C930738

Next, run okdodo's Themida script. When it finishes it prompts: "Script finished, check whether the OEP code was stolen!" Click OK and we land here:

00422C05    50               push eax
00422C06    64:8925 00000000 mov dword ptr fs:[0],esp
00422C0D    83EC 68          sub esp,68
00422C10    53               push ebx
00422C11    56               push esi ; PcShare.0067B539
00422C12    57               push edi
00422C13    8965 E8          mov dword ptr ss:[ebp-18],esp
00422C16    33DB             xor ebx,ebx
00422C18    895D FC          mov dword ptr ss:[ebp-4],ebx
00422C1B    6A 02            push 2
00422C1D    FF15 4C0D4800    call dword ptr ds:[480D4C] ; msvcrt.__set_app_type
00422C23    59               pop ecx ; PcShare.00422D5A
00422C24    830D 34EA4900 FF or dword ptr ds:[49EA34],FFFFFFFF

The OEP code has been stolen. For reference, here is the entry point of an ordinary VC++ program:

00401F10 D> 55               push ebp
00401F11    8BEC             mov ebp,esp
00401F13    6A FF            push -1
00401F15    68 E8394000      push 4039E8
00401F1A    68 96204000      push 402096
00401F1F    64:A1 00000000   mov eax,dword ptr fs:[0]
00401F25    50               push eax
00401F26    64:8925 00000000 mov dword ptr fs:[0],esp
00401F2D    83EC 68          sub esp,68
00401F30    53               push ebx
00401F31    56               push esi
00401F32    57               push edi ; ntdll.7C930738
00401F33    8965 E8          mov dword ptr ss:[ebp-18],esp
00401F36    33DB             xor ebx,ebx
00401F38    895D FC          mov dword ptr ss:[ebp-4],ebx
00401F3B    6A 02            push 2
00401F3D    FF15 4C334000    call dword ptr ds:[40334C] ; msvcrt.__set_app_type
00401F43    59               pop ecx ; kernel32.7C816FD7
00401F44    830D 6C514000 FF or dword ptr ds:[40516C],FFFFFFFF
00401F4B    830D 70514000 FF or dword ptr ds:[405170],FFFFFFFF
00401F52    FF15 48334000    call dword ptr ds:[403348] ; msvcrt.__p__fmode

To keep the disassembly from being mis-decoded, click Analyse code and look upward:

00422BEA  . C3               retn
00422BEB  > E9 70010000      jmp 00422D60 ; jmp to msvcrt.terminate
00422BF0    96               db 96
00422BF1    85               db 85
00422BF2    CB               db CB
00422BF3    1B               db 1B
00422BF4    1D               db 1D
00422BF5  . A6               cmps byte ptr ds:[esi],byte ptr es:[e>
00422BF6  . AD               lods dword ptr ds:[esi]
00422BF7  . 9B               wait
00422BF8  . DDD0             fst st
00422BFA  . A9 7B8C7D46      test eax,467D8C7B
00422BFF  . 2AF8             sub bh,al
00422C01  . 4C               dec esp
00422C02  . 014E 2B          add dword ptr ds:[esi+2B],ecx
00422C05  . 50               push eax
00422C06  . 64:8925 00000000 mov dword ptr fs:[0],esp
00422C0D  . 83EC 68          sub esp,68
00422C10  . 53               push ebx
00422C11  . 56               push esi ; PcShare.0067B539
00422C12  . 57               push edi
00422C13  . 8965 E8          mov dword ptr ss:[ebp-18],esp
00422C16  . 33DB             xor ebx,ebx
00422C18  . 895D FC          mov dword ptr ss:[ebp-4],ebx
00422C1B  . 6A 02            push 2
00422C1D  . FF15 4C0D4800    call dword ptr ds:[480D4C] ; msvcrt.__set_app_type

This fixes the OEP at 00422BF0. Now patch the stolen instructions back in at the OEP:

00422BF0    55               push ebp
00422BF1    8BEC             mov ebp,esp
00422BF3    6A FF            push -1
00422BF5    68 E8394000      push 4039E8 -------------------------①
00422BFA    68 96204000      push 402096 -------------------------②
00422BFF    64:A1 00000000   mov eax,dword ptr fs:[0]
00422C05  . 50               push eax
00422C06  . 64:8925 00000000 mov dword ptr fs:[0],esp
00422C0D  . 83EC 68          sub esp,68
00422C10  . 53               push ebx
00422C11  . 56               push esi ; PcShare.0067B539
00422C12  . 57               push edi
00422C13  . 8965 E8          mov dword ptr ss:[ebp-18],esp
00422C16  . 33DB             xor ebx,ebx
00422C18  . 895D FC          mov dword ptr ss:[ebp-4],ebx
00422C1B  . 6A 02            push 2

The operands at ① and ② are taken from the stack. In the stack window we find:

0012FF7C  00000212
0012FF80  00422C05  PcShare.00422C05
0012FF84  00422D5A  jmp to msvcrt._except_handler3 ----------------------------③
0012FF88  004873E8  PcShare.004873E8 ------------------------------------------④
0012FF8C  FFFFFFFF
0012FF90  79ED1599
0012FF94  5300CF5B
0012FF98  006CB800  PcShare.006CB800
0012FF9C  0012FFE0
0012FFA0  006BF644  PcShare.006BF644
0012FFA4  7C930738  ntdll.7C930738
0012FFA8  FFFFFFFF
0012FFAC  0012FFF0
0012FFB0  0012FFC4
0012FFB4  7FFDC000
0012FFB8  0012FFC4
0012FFBC  0012FFB0
0012FFC0  745438A6
0012FFC4  7C816FD7  RETURN to kernel32.7C816FD7
0012FFC8  7C930738  ntdll.7C930738
0012FFCC  FFFFFFFF
0012FFD0  7FFDC000
0012FFD4  8054BB38
0012FFD8  0012FFC8
0012FFDC  FEFE6D78
0012FFE0  FFFFFFFF  End of SEH chain
0012FFE4  7C839AA8  SE handler
0012FFE8  7C816FE0  kernel32.7C816FE0
0012FFEC  00000000
0012FFF0  00000000
0012FFF4  00000000
0012FFF8  00556014  offset PcShare.<ModuleEntryPoint>
0012FFFC  00000000

The value at ④ is the operand for ①, and the value at ③ is the operand for ②.

With the OEP code restored, set EIP to the OEP and dump the process with LordPE_fix.EXE. Open ImportREC, enter the OEP, let it auto-search the IAT and get the import table, and cut any invalid entries. Unpacking is now complete; PEiD reports: Microsoft Visual C++ 6.0. The unpacked file is 3.85 MB.

When run, the program sometimes reports an operating system error, and I am not sure of the cause. Load it in OD, run with F9, find where it fails and patch the jump there; later on, though, even the unpatched file ran fine.
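The stolen-code recovery above follows a fixed pattern and can be checked mechanically rather than by eye. The Python below is an added example, not code from the original write-up or from any of the tools it uses: it takes the stack window shown above (re-typed as constructed input), finds the VC6 SEH frame by the 0xFFFFFFFF that "push -1" leaves, reassembles the six stolen prolog instructions with the scope table (④) and handler (③) as operands, and verifies that their length exactly closes the hole between the candidate OEP 00422BF0 and the first surviving instruction at 00422C05.

```python
import struct

# Constructed input: the OllyDbg stack window from the write-up, re-typed as
# address -> dword. 0012FF84 (mark ③) is the _except_handler3 thunk, 0012FF88
# (mark ④) the scope table, and 0012FF8C holds the trylevel from 'push -1'.
STACK_DUMP = {
    0x0012FF7C: 0x00000212,
    0x0012FF80: 0x00422C05,
    0x0012FF84: 0x00422D5A,   # ③ jmp to msvcrt._except_handler3
    0x0012FF88: 0x004873E8,   # ④ PcShare.004873E8 (scope table)
    0x0012FF8C: 0xFFFFFFFF,   # trylevel pushed by 'push -1'
    0x0012FF90: 0x79ED1599,
}

def find_vc6_seh_frame(stack, top):
    """Walk from the stack top toward higher addresses until the 0xFFFFFFFF
    trylevel that VC6's 'push -1' leaves. The two dwords pushed after it
    (at lower addresses) are the scope table and the exception handler."""
    addr = top
    while addr in stack:
        if stack[addr] == 0xFFFFFFFF and addr - 8 in stack:
            return stack[addr - 4], stack[addr - 8]
        addr += 4
    raise ValueError("no VC6 SEH frame marker on the stack")

def rebuild_vc6_prolog(scope_table, handler):
    """Assemble the six stolen instructions of the VC6 CRT entry prolog."""
    return (b"\x55"                                     # push ebp
            + b"\x8B\xEC"                               # mov ebp,esp
            + b"\x6A\xFF"                               # push -1
            + b"\x68" + struct.pack("<I", scope_table)  # push scope_table (①)
            + b"\x68" + struct.pack("<I", handler)      # push handler     (②)
            + b"\x64\xA1\x00\x00\x00\x00")              # mov eax,dword ptr fs:[0]

def recover_oep(first_surviving_va, stack, stack_top):
    """Return (oep, stolen_bytes): the OEP is the first surviving instruction
    minus the length of the rebuilt prolog."""
    scope_table, handler = find_vc6_seh_frame(stack, stack_top)
    code = rebuild_vc6_prolog(scope_table, handler)
    return first_surviving_va - len(code), code

def gap_is_consistent(candidate_oep, first_surviving_va, code):
    """The rebuilt bytes must fill the packer's hole with no slack left over."""
    return candidate_oep + len(code) == first_surviving_va

if __name__ == "__main__":
    oep, code = recover_oep(0x00422C05, STACK_DUMP, 0x0012FF7C)
    print(f"OEP {oep:08X}  stolen bytes: {code.hex(' ').upper()}")
    print("gap consistent:", gap_is_consistent(0x00422BF0, 0x00422C05, code))
```

If the gap check fails, either the candidate OEP is wrong or the packer stole more than the standard six instructions, and the bytes should not be patched in as-is.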