Step-by-step: unpacking PEncrypt 4.0

1. PEiD identifies the packer as PEncrypt 4.0 Gamma / 4.0 Phi -> junkcode
2. Finding the OEP: load the file in OllyDbg with exceptions ignored; it stops here:
00401000 > 66:83F3 00 XOR BX,0 ; OD loads and stops here; single-step with F7
00401004 FC CLD
00401005 FC CLD
00401006 90 NOP
00401007 FC CLD
00401008 BD F8DE4500 MOV EBP,game0.0045DEF8
0040100D FFE5 JMP EBP
0040100F 43 INC EBX
00401010 0C A2 OR AL,0A2
00401012 A2 3AC271A3 MOV BYTE PTR DS:[A371C23A],AL

…..
0045DFF0 FC CLD
0045DFF1 85DB TEST EBX,EBX
0045DFF3 ^\0F85 9CFFFFFF JNZ game0.0045DF95 ; infinite loop, F4 on the line below
0045DFF9 60 PUSHAD ; F4 lands here, continue with F7
0045DFFA BE 00104000 MOV ESI,game0.
0045DFFF B8 FA69A33A MOV EAX,3AA369FA
0045E004 8906 MOV DWORD PTR DS:[ESI],EAX
0045E006 B8 B455A33A MOV EAX,3AA355B4
0045E00B 8946 04 MOV DWORD PTR DS:[ESI+4],EAX
0045E00E B8 EEB2AD3A MOV EAX,3AADB2EE
0045E013 8946 08 MOV DWORD PTR DS:[ESI+8],EAX
0045E016 B8 A05DA23A MOV EAX,3AA25DA0
0045E01B 8946 0C MOV DWORD PTR DS:[ESI+C],EAX
0045E01E B8 0CA2A23A MOV EAX,3AA2A20C
0045E023 8946 10 MOV DWORD PTR DS:[ESI+10],EAX
0045E026 B8 C271A33A MOV EAX,3AA371C2
0045E02B 8946 14 MOV DWORD PTR DS:[ESI+14],EAX
0045E02E B8 DEB2AD3A MOV EAX,3AADB2DE
0045E033 8946 18 MOV DWORD PTR DS:[ESI+18],EAX
0045E036 61 POPAD
0045E037 EB 02 JMP SHORT game0.0045E03B
0045E039 FB STI
0045E03A DA60 9C FISUB DWORD PTR DS:[EAX-64]
0045E03D BE 00104000 MOV ESI,game0.
0045E042 8BFE MOV EDI,ESI
0045E044 B9 00040100 MOV ECX,10400 ; UNICODE "EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH"
0045E049 BB ACF9EA49 MOV EBX,49EAF9AC
0045E04E AD LODS DWORD PTR DS:[ESI]
0045E04F 33C3 XOR EAX,EBX
0045E051 AB STOS DWORD PTR ES:[EDI]
0045E052 ^ E2 FA LOOPD SHORT game0.0045E04E ; loop
0045E054 9D POPFD ; F4 here
0045E055 61 POPAD
0045E056 EB 02 JMP SHORT game0.0045E05A
0045E058 FB STI
0045E059 DA60 9C FISUB DWORD PTR DS:[EAX-64]
0045E05C BE 00204400 MOV ESI,game0.00442000
0045E061 8BFE MOV EDI,ESI
0045E063 B9 00040000 MOV ECX,400
0045E068 BB ACF9EA49 MOV EBX,49EAF9AC
0045E06D AD LODS DWORD PTR DS:[ESI]
0045E06E 33C3 XOR EAX,EBX
0045E070 AB STOS DWORD PTR ES:[EDI]
0045E071 ^ E2 FA LOOPD SHORT game0.0045E06D ; another loop
0045E073 9D POPFD ; F4 here
0045E074 61 POPAD
0045E075 BA C37A4400 MOV EDX,game0.00447AC3 ; note this address: Ctrl+G to 00447AC3 and take a look
0045E07A FFD2 CALL EDX
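The two decryption loops in the listing above are the same routine run twice: LODSD, XOR EAX,EBX, STOSD, LOOPD with EBX=49EAF9AC, first over 10400 DWORDs and then over 400 DWORDs starting at 00442000. The following Python is an added example, not code from the original article; it emulates that loop on a constructed buffer so the section can be decrypted outside the debugger. Only the key and the DWORD counts come from the listing; the sample bytes and function names are the example's own.

```python
import struct
from typing import Optional

KEY = 0x49EAF9AC  # the EBX value both loops XOR with (from the listing)


def xor_dwords(buf: bytes, count: Optional[int] = None, key: int = KEY) -> bytes:
    """Emulate LODSD / XOR EAX,EBX / STOSD / LOOPD over `count` DWORDs.

    The stub walks little-endian 32-bit words in place, so the buffer must
    be DWORD-aligned. XOR with a constant is an involution: the same call
    turns the packed bytes into code and the code back into packed bytes.
    """
    if len(buf) % 4:
        raise ValueError("buffer length must be a multiple of 4")
    words = len(buf) // 4
    count = words if count is None else count
    if count > words:
        raise ValueError("count exceeds the buffer")
    out = bytearray(buf)
    for i in range(count):
        off = i * 4
        (word,) = struct.unpack_from("<I", out, off)
        struct.pack_into("<I", out, off, word ^ key)
    return bytes(out)


def loop_byte_span(ecx: int) -> int:
    """LOOPD counts DWORDs, so a loop with ECX iterations touches ECX * 4 bytes."""
    return ecx * 4


def decrypt_word(encrypted: int, key: int = KEY) -> int:
    """Decrypt a single 32-bit constant exactly as one loop iteration does."""
    return (encrypted ^ key) & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed sample: three DWORDs of "plaintext" plus a tail the loop must not touch.
    sample = b"ABCDEFGHIJKL" + b"TAIL"
    packed = xor_dwords(sample, count=3)
    assert packed[12:] == b"TAIL"
    assert xor_dwords(packed, count=3) == sample
    print(f"second loop covers {loop_byte_span(0x400):#x} bytes from 00442000")
```

To apply this to a real dump, read the raw section bytes at the address ESI points to, call `xor_dwords` with the ECX value shown for that loop, and write the result back; the `count` guard keeps the routine from running past what the stub itself would have decrypted.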

Ctrl+G to 00447AC3:
00447AC3 55 PUSH EBP ; F4 here, then keep stepping with F7
00447AC4 8BEC MOV EBP,ESP
00447AC6 81EC B8000000 SUB ESP,0B8
00447ACC 53 PUSH EBX
00447ACD 56 PUSH ESI
00447ACE 57 PUSH EDI
00447ACF 56 PUSH ESI
00447AD0 57 PUSH EDI
00447AD1 52 PUSH EDX
00447AD2 51 PUSH ECX
00447AD3 53 PUSH EBX
00447AD4 50 PUSH EAX
00447AD5 833D 58AC4500 0>CMP DWORD PTR DS:[45AC58],0
00447ADC 0F85 99100000 JNZ game0.00448B7B ; this is the jump towards the OEP; what follows is a pile of junk code, so we go straight to 00448B7B and look (do not change this jump, otherwise the import table cannot be found).
…..
00448B7D 59 POP ECX
00448B7E 5A POP EDX
00448B7F 5F POP EDI
00448B80 5E POP ESI
00448B81 C9 LEAVE
00448B82 - FF25 18A04500 JMP DWORD PTR DS:[45A018] ; suspicious: this is the jump to the OEP. F4 here, then press F8 once

Below is the OEP:
0040188C 68 E81B4000 PUSH game0.00401BE8 ; OEP
00401891 E8 EEFFFFFF CALL game0.00401884 ; JMP to MSVBVM60.ThunRTMain
00401896 0000 ADD BYTE PTR DS:[EAX],AL
00401898 0000 ADD BYTE PTR DS:[EAX],AL
0040189A 0000 ADD BYTE PTR DS:[EAX],AL

3. Repairing the IAT
In fact, at the OEP we could simply right-click and dump the process, unchecking "Rebuild Import" in the dump dialog, but that result does not seem to run across different systems. So we repair it with ImpREC.
At the OEP, use LordPE to correct the image and dump it to DUMP.EXE, then attach ImpREC to the process, enter OEP=188C and click "IAT AutoSearch". Nothing happens, so it looks like the IAT has to be located by hand.

We F7 into the CALL at 00401891, right-click and choose "Follow in Dump" on the memory address; in the dump window below, right-click and choose "Long" -> "Address", and the IAT becomes visible:
00401000 >6610782A MSVBVM60.__vbaVarSub
00401004 66109881 MSVBVM60.__vbaVarTstGt
00401008 660DF9B9 MSVBVM60.__vbaStrI2
0040100C 660F8806 MSVBVM60._CIcos
00401010 660EFE79 MSVBVM60._adj_fptan
00401014 66106B2E MSVBVM60.__vbaVarMove
00401018 660DF9E9 MSVBVM60.__vbaStrI4

004011C0 66109868 MSVBVM60.__vbaVarTstGe
004011C4 660E8C60 MSVBVM60.__vbaR8IntI2
004011C8 660E6271 MSVBVM60.rtcLeftCharVar
004011CC 660F8740 MSVBVM60._CIatan
004011D0 660E60F4 MSVBVM60.__vbaStrMove
004011D4 660EE36D MSVBVM60._allmul
004011D8 66108B84 MSVBVM60.__vbaLateIdSt
004011DC 660F8AC4 MSVBVM60._CItan
004011E0 660E8C8E MSVBVM60.__vbaFPInt
004011E4 6610943A MSVBVM60.__vbaVarForNext
004011E8 660ED191 MSVBVM60._CIexp
004011EC 660DFAC5 MSVBVM60.__vbaStrCy
004011F0 660D9A27 MSVBVM60.__vbaFreeObj
004011F4 660E60B0 MSVBVM60.__vbaFreeStr
004011F8 660D2DD4 MSVBVM60.rtcR8ValFromBstr
004011FC 00000000

From this we can read off RVA=1000, size=1FC. In ImpREC enter RVA=1000 and size=1FC and click "Get Imports": every pointer is valid, so nothing needs fixing. Enter 0000188C as the OEP, fix the dump, and the repaired DUMP.EXE runs normally.
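The RVA and size handed to ImpREC are derived from the dump window: the RVA is the first thunk minus the image base, and the size runs from the first thunk to the zero DWORD that terminates the table. The following Python is an added example, not part of the original article; it parses an OllyDbg "Long -> Address" listing (an abridged copy of the one above, embedded as a constructed sample) and computes those two values, plus the list of non-zero thunks that resolved to no symbol, which is what ImpREC would report as invalid pointers. The image base of 00400000 is an assumption consistent with the 0040xxxx addresses shown.

```python
import re
from typing import List, Tuple

IMAGE_BASE = 0x00400000  # assumed image base; consistent with the 0040xxxx addresses in the listing

# Constructed from the dump-window listing above, abridged; the gap between
# 00401018 and 004011C0 is left out just as the article leaves it out.
DUMP_LISTING = """\
00401000 >6610782A MSVBVM60.__vbaVarSub
00401004 66109881 MSVBVM60.__vbaVarTstGt
00401008 660DF9B9 MSVBVM60.__vbaStrI2
004011F4 660E60B0 MSVBVM60.__vbaFreeStr
004011F8 660D2DD4 MSVBVM60.rtcR8ValFromBstr
004011FC 00000000
"""

# address, optional '>' marker, DWORD value, optional resolved symbol
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+>?([0-9A-Fa-f]{8})(?:\s+(\S+))?")

Entry = Tuple[int, int, str]


def parse_dump(listing: str) -> List[Entry]:
    """Turn OllyDbg 'Long -> Address' dump lines into (addr, value, symbol) tuples."""
    entries: List[Entry] = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, value, sym = m.groups()
            entries.append((int(addr, 16), int(value, 16), sym or ""))
    return entries


def iat_range(entries: List[Entry], image_base: int = IMAGE_BASE) -> Tuple[int, int]:
    """Return (RVA, size) the way ImpREC expects them.

    RVA is the first thunk minus the image base; size runs from the first
    thunk up to (not including) the zero DWORD that terminates the table.
    """
    if not entries:
        raise ValueError("empty listing")
    start = entries[0][0]
    for addr, value, _ in entries:
        if value == 0:
            return start - image_base, addr - start
    # No terminator listed: cover every thunk that was shown.
    return start - image_base, entries[-1][0] + 4 - start


def unresolved_thunks(entries: List[Entry]) -> List[int]:
    """Addresses of non-zero thunks that resolved to no symbol.

    These are the pointers ImpREC would mark invalid and that need manual repair;
    an empty list matches the article's "every pointer is valid" result.
    """
    return [addr for addr, value, sym in entries if value and not sym]


if __name__ == "__main__":
    table = parse_dump(DUMP_LISTING)
    rva, size = iat_range(table)
    print(f"RVA={rva:X} size={size:X} unresolved={unresolved_thunks(table)}")
```

Paste the full dump-window listing into `DUMP_LISTING` (or read it from a file) to get the numbers for a different target; the only part that changes between binaries is the image base.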

//PEncrypt 4.0 OEP finder by langxang

var addr1
var addr2
var addr3
findop eip,#60#                 // locate the first PUSHAD (opcode 60) from the entry point
bphws $RESULT,"r"
run
bphwc $RESULT
sto
sto
sto
mov addr1,esp                   // ESP trick: break when this stack slot is read back
bphws addr1,"r"
run
bphwc addr1                     // clear the breakpoint set on addr1 (the original cleared $RESULT, which was already removed above)
sto
sto
sto
sto
mov addr2,esp                   // second stage, same ESP trick
bphws addr2,"r"
run
bphwc addr2
sto
sto
sti
sto
mov addr3,esp                   // third stage
bphws addr3,"r"
run
sto
bphwc addr3
cmt eip,"This is OEP,enjoy it!"
ret
