Step by step: unpacking a Windows 98 Notepad packed with FSG 2.0
[Author: anonymous; Source: unknown; Hits: 97; Updated: 2006-8-14; Posted by: admin]
1. First check with PEiD whether the program is packed. It is: FSG 2.0 -> bart/xt
2. Load the program in OllySTC; it stops here:
00400154 >  8725 74A24100   XCHG DWORD PTR DS:[41A274],ESP     --> this is where you land after loading
Press F8 to single-step:
0040015A    61              POPAD
0040015B    94              XCHG EAX,ESP
0040015C    55              PUSH EBP
0040015D    A4              MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0040015E    B6 80           MOV DH,80
00400160    FF13            CALL DWORD PTR DS:[EBX]
00400162  ^ 73 F9           JNB SHORT FSG2_0.0040015D          --> does not jump back, press F8
00400164    33C9            XOR ECX,ECX
00400166    FF13            CALL DWORD PTR DS:[EBX]
00400168    73 16           JNB SHORT FSG2_0.00400180          --> does not jump, press F8
0040016A    33C0            XOR EAX,EAX
0040016C    FF13            CALL DWORD PTR DS:[EBX]
0040016E    73 1F           JNB SHORT FSG2_0.0040018F          --> jumps to 0040018F
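PEiD recognises the packer from the bytes at the program's entry point. As an added example (not part of the original tutorial and not PEiD's own code or database entry), the Python below reads the entry point of a PE32 file by walking the headers by hand, matches the stub bytes from the listing above with wildcards for the XCHG displacement, and decodes that displacement to report where the stub saves ESP. The minimal PE it builds, its section layout and the signature string are constructed for this example from the listing; the constructed file is not a real FSG output.

```python
import struct

# Entry-point bytes of the packed file, taken from the OllyDbg listing above
# (00400154..0040016F).
FSG_ENTRY_FROM_LISTING = bytes.fromhex(
    "8725 74A24100 61 94 55 A4 B6 80 FF13 73F9 33C9 FF13 7316 33C0 FF13 731F"
)

# Signature derived from that listing: the XCHG displacement (the address
# where the stub saves ESP) differs per file, so it is wildcarded.
FSG20_STUB_SIGNATURE = (
    "87 25 ?? ?? ?? ?? 61 94 55 A4 B6 80 FF 13 73 F9 "
    "33 C9 FF 13 73 16 33 C0 FF 13 73 1F"
)


def parse_signature(text):
    """'87 25 ?? ..' -> [0x87, 0x25, None, ..]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def signature_matches(data, sig):
    return len(data) >= len(sig) and all(
        s is None or s == b for s, b in zip(sig, data)
    )


def entry_point_bytes(pe, count=32):
    """Locate AddressOfEntryPoint in a PE32 image and return the bytes there,
    mapping the RVA to a file offset through the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]                # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", pe, pe_off + 6)[0]           # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]       # SizeOfOptionalHeader
    ep_rva = struct.unpack_from("<I", pe, pe_off + 24 + 16)[0]    # AddressOfEntryPoint
    sect_off = pe_off + 24 + opt_size
    for i in range(nsect):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, sect_off + 40 * i)
        if va <= ep_rva < va + max(vsize, rawsize):
            off = rawptr + (ep_rva - va)
            return pe[off:off + count]
    raise ValueError("entry point is not inside any section")


def identify_packer(pe):
    """Return (packer name, ESP save slot) for an FSG 2.0 stub, else (None, None)."""
    ep = entry_point_bytes(pe)
    if signature_matches(ep, parse_signature(FSG20_STUB_SIGNATURE)):
        esp_slot = struct.unpack_from("<I", ep, 2)[0]   # disp32 of XCHG [disp32],ESP
        return "FSG 2.0 -> bart/xt", esp_slot
    return None, None


def build_sample_pe(entry_code):
    """Constructed minimal PE32 (not a real FSG file): one section at RVA 0x1000,
    file offset 0x200, with entry_code at its start and the entry point there."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # Section/FileAlignment
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000,
                          0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section
    return headers.ljust(0x200, b"\0") + entry_code.ljust(0x200, b"\0")


if __name__ == "__main__":
    name, slot = identify_packer(build_sample_pe(FSG_ENTRY_FROM_LISTING))
    print(name, hex(slot))
```

Running the block on the constructed file reports the FSG 2.0 signature and the ESP save slot 0x41A274 that the first XCHG in the listing writes to; feeding it the Notepad prologue bytes (55 8B EC 83 EC 44) instead yields no match. To scan a real file, pass its bytes to identify_packer directly.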
F8 brings us to 0040018F:
0040018F    AC              LODS BYTE PTR DS:[ESI]
00400190    D1E8            SHR EAX,1
00400192    74 2D           JE SHORT FSG2_0.004001C1           --> does not jump, press F8
00400194    13C9            ADC ECX,ECX
00400196    EB 18           JMP SHORT FSG2_0.004001B0          --> jumps to 004001B0
00400198    91              XCHG EAX,ECX
00400199    48              DEC EAX
0040019A    C1E0 08         SHL EAX,8
0040019D    AC              LODS BYTE PTR DS:[ESI]
0040019E    FF53 04         CALL DWORD PTR DS:[EBX+4]
004001A1    3B43 F8         CMP EAX,DWORD PTR DS:[EBX-8]
004001A4    73 0A           JNB SHORT FSG2_0.004001B0
004001A6    80FC 05         CMP AH,5
004001A9    73 06           JNB SHORT FSG2_0.004001B1
004001AB    83F8 7F         CMP EAX,7F
004001AE    77 02           JA SHORT FSG2_0.004001B2
004001B0    41              INC ECX                            --> we arrive here
004001B1    41              INC ECX
004001B2    95              XCHG EAX,EBP
004001B3    8BC5            MOV EAX,EBP
004001B5    B6 00           MOV DH,0
004001B7    56              PUSH ESI                           ; FSG2_0.00416393
004001B8    8BF7            MOV ESI,EDI
004001BA    2BF0            SUB ESI,EAX
004001BC    F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
004001BE    5E              POP ESI
004001BF  ^ EB 9F           JMP SHORT FSG2_0.00400160          --> jumps back to 00400160; select the next line and press F4 to run to it
004001C1    5E              POP ESI                            --> continue with F8
004001C2    AD              LODS DWORD PTR DS:[ESI]
004001C3    97              XCHG EAX,EDI
004001C4    AD              LODS DWORD PTR DS:[ESI]
004001C5    50              PUSH EAX
004001C6    FF53 10         CALL DWORD PTR DS:[EBX+10]
004001C9    95              XCHG EAX,EBP
004001CA    8B07            MOV EAX,DWORD PTR DS:[EDI]
004001CC    40              INC EAX
004001CD  ^ 78 F3           JS SHORT FSG2_0.004001C2           --> does not jump back, press F8
004001CF    75 03           JNZ SHORT FSG2_0.004001D4          --> do not press F8 again here, try it yourself if you don't believe me; select the next line and press F4 to run to it
004001D1  - FF63 0C         JMP DWORD PTR DS:[EBX+C]           ; FSG2_0.004010CC, the entry point of the Win98 Notepad; press F8 to follow it
004001D4    50              PUSH EAX
We arrive here:
004010CC    55              DB 55                              ; CHAR 'U'
004010CD    8B              DB 8B
004010CE    EC              DB EC
004010CF    83              DB 83
Right-click in the CPU window and choose Analysis --> Analyse code (or press Ctrl+A) to analyse the code:
004010CC /. 55              PUSH EBP                           --> this is the OEP; now dump the process and that's it
004010CD |. 8BEC            MOV EBP,ESP
004010CF |. 83EC 44         SUB ESP,44
004010D2 |. 56              PUSH ESI
004010D3 |. FF15 E4634000   CALL DWORD PTR DS:[4063E4]         ; [GetCommandLineA
004010D9 |. 8BF0            MOV ESI,EAX
004010DB |. 8A00            MOV AL,BYTE PTR DS:[EAX]
004010DD |. 3C 22           CMP AL,22
004010DF |. 75 1B           JNZ SHORT FSG2_0.004010FC
3. Now don't close OD; next, repair the import table, because after dumping I found the program would not run:
Select the line 004010D3, right-click and choose Follow in Dump --> Memory address (or Ctrl+A):
004010D3 |. FF15 E4634000   CALL DWORD PTR DS:[4063E4]         ; [GetCommandLineA
Watch how the dump window changes (I forgot to mention: the dump window must be in disassembly mode):
004062E4  .8378DA77   DD ADVAPI32.RegQueryValueExA
004062E8  .F06BDA77   DD ADVAPI32.RegCloseKey
004062EC  .E7EBDA77   DD ADVAPI32.RegSetValueExA
004062F0  .1BC4DC77   DD ADVAPI32.RegOpenKeyA
...
004064F8  .27BED177   DD USER32.IsIconic
004064FC  .1112D277   DD USER32.PostQuitMessage
00406500  .9CFAD277   DD USER32.TranslateAcceleratorA
00406504  FF          DB FF
When repairing, enter:
OEP=004010CC
RVA=62E4
SIZE=00406504-004062E4=220
Then let ImportREC fix the imports, and that is all.
Done!
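ImportREC needs the OEP, the RVA of the first IAT entry and the size of the table; the tutorial finds the table's bounds by eye in the dump window. As an added example (not part of the original tutorial, and not ImportREC's own code), the Python below automates that step: starting from the thunk that the CALL at 004010D3 references (004063E4), it walks outward while each DWORD is either an API pointer into a loaded module or a single zero separating two DLL blocks, and reports the same three values. The module address ranges and the dump contents are constructed so the result matches the page (RVA 62E4, size 220); only the seven thunks the page lists are real, the rest of the entries and the module ranges are assumptions for this example.

```python
import struct

IMAGE_BASE = 0x00400000
OEP = 0x004010CC   # the PUSH EBP the tutorial lands on after the FSG stub

# Constructed load ranges for this example; in practice take them from the
# debugger's module list (these values are assumptions, not Win98 addresses).
MODULE_RANGES = {
    "ADVAPI32": (0x77DA0000, 0x77E00000),
    "KERNEL32": (0x77E60000, 0x77F40000),
    "USER32":   (0x77D10000, 0x77D80000),
}


def is_api_pointer(value):
    return any(lo <= value < hi for lo, hi in MODULE_RANGES.values())


def read_dword(dump, dump_base, addr):
    """DWORD at virtual address addr, or None if outside the dumped region."""
    off = addr - dump_base
    if off < 0 or off + 4 > len(dump):
        return None
    return struct.unpack_from("<I", dump, off)[0]


def find_iat_bounds(dump, dump_base, known_thunk):
    """Walk outward from a thunk that a CALL DWORD PTR [..] references.
    A DWORD belongs to the table if it is an API pointer, or a single zero
    that separates two DLL blocks (the next DWORD in the walking direction
    is again a pointer). Anything else ends the table. Returns
    (address of the first entry, address just past the last entry)."""
    def belongs(addr, step):
        v = read_dword(dump, dump_base, addr)
        if v is None:
            return False
        if is_api_pointer(v):
            return True
        if v == 0:
            nxt = read_dword(dump, dump_base, addr + step)
            return nxt is not None and is_api_pointer(nxt)
        return False

    start = known_thunk
    while belongs(start - 4, -4):
        start -= 4
    end = known_thunk + 4
    while belongs(end, 4):
        end += 4
    return start, end


def importrec_params(dump, dump_base, known_thunk):
    """The three values ImportREC asks for, as RVAs and a size in bytes."""
    start, end = find_iat_bounds(dump, dump_base, known_thunk)
    return {"OEP": OEP - IMAGE_BASE, "RVA": start - IMAGE_BASE, "SIZE": end - start}


def build_sample_dump():
    """Constructed dump of 004062D0..0040650C shaped like the page's dump window:
    zero padding, the four ADVAPI32 thunks the page shows, a zero separator,
    constructed KERNEL32 thunks (004063E4 is among them), a separator,
    constructed USER32 thunks, the three USER32 thunks the page shows, and
    then non-pointer bytes (the page shows FF at 00406504)."""
    entries = [0] * 5                                               # 004062D0..004062E0
    entries += [0x77DA7883, 0x77DA6BF0, 0x77DAEBE7, 0x77DCC41B]     # from the page
    entries += [0]
    entries += [0x77E60000 + 0x10 * i for i in range(60)]           # constructed
    entries += [0]
    entries += [0x77D10000 + 0x10 * i for i in range(67)]           # constructed
    entries += [0x77D1BE27, 0x77D21211, 0x77D2FA9C]                 # from the page
    entries += [0xFFFFFFFF, 0xFFFFFFFF]                             # table ends
    return struct.pack("<%dI" % len(entries), *entries), 0x004062D0


if __name__ == "__main__":
    dump, base = build_sample_dump()
    print({k: "%X" % v for k, v in importrec_params(dump, base, 0x004063E4).items()})
```

The single-zero rule matters because an IAT holds one block of thunks per DLL with a zero DWORD between blocks, so stopping at the first zero would cut the table after ADVAPI32. It is still a heuristic: a stray pointer-looking value adjacent to the table would extend the range, which is why ImportREC lets you inspect and trim the result before rebuilding.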