| 发表于:2007-08-02 09:12:33 楼主 |
如果你对pe结构一无所知,那么估计是看不懂。 所用工具 uedit,ollydbg,win98记事本,计算器,peid,加pe脱壳知识。
' Form code
' btw, I never really understood this program before; I have basically figured it out now.
'
' NOTE(review): this listing was recovered from a flattened forum paste. Line
' breaks and indentation are reconstructed, identifiers appear lower-cased, and
' the spaces before closing quotes in string literals are kept exactly as pasted
' (they may be forum artifacts - confirm against the original post).
' The routines maskvc, maskvc60, maskdelphi60 and shellwait are called below but
' are not part of this listing.
'
' Defensive reading: the form rewrites the entry-point field of a PE file so it
' points at a small stub placed in previously zero-filled bytes, and the stub
' then transfers control to the original entry point. A compiler/packer
' identifier that only looks at the bytes at the entry point (peid is listed
' among the tools above) would then presumably report the imitated compiler.
' An entry point that lands in zero-padding found by scanning from file
' position 800, rather than inside the code section, is the visible side
' effect an analyst can check for.
option explicit

' Path of the backup copy made before the target file is modified.
dim mbakfilename$

' Select the first option button (the vc++ choice) when the form loads.
private sub form_load()
    option1(0).value = true
end sub

' Show the file-open dialog and copy the chosen path into text1.
private sub cmdbrow_click()
    commondialog1.filter = "exe ¦*.exe ¦ "
    commondialog1.showopen
    text1.text = commondialog1.filename
end sub

' Back up the selected file, locate its PE header, read the current entry-point
' value, find a zero-filled run to hold the stub, point the entry-point field at
' that run and have a mask* routine write the stub, then patch the stub's jump
' so it reaches the original entry point.
private sub cmdok_click()
    dim bytposition as byte
    dim address&
    dim pearray(5) as byte
    dim i&
    dim operateflag as boolean
    dim newoep&
    dim oldoep&
    dim freeaddressarray() as byte

    ' NOTE(review): the comparison literal is a single space as pasted; an empty
    ' string was probably intended - confirm.
    if text1.text = " " then
        msgbox "请先选择需要伪装的文件! ", vbinformation, "提示 "
        exit sub
    else
        ' Backup name = path with its last four characters replaced.
        mbakfilename$ = left$(text1, len(text1) - 4) & ".bak "
        filecopy text1, mbakfilename$
    end if

    address& = 1
    open text1.text for binary as #1
    operateflag = false
    ' Start at the first byte of the file.
    ' NOTE(review): nothing here stops the scan at end of file; the loop only
    ' exits once the byte pattern below is found.
    do
        get #1, address&, bytposition
        ' Look for the PE header.
        if bytposition = &h50 then
            for i = 0 to 5
                get #1, address& + i, pearray(i)
            next
            ' Generic signature: 'P' 'E' at bytes 0-1 and 4C 01 at bytes 4-5
            ' (the i386 machine value that follows the PE signature).
            if pearray(0) = &h50 and pearray(1) = &h45 and pearray(4) = &h4c and pearray(5) = 1 then
                operateflag = true
                exit do
            end if
        end if
        address& = address& + 1
    loop while operateflag = false

    ' The entry-point field sits 40 bytes after the PE signature (the author
    ' marks this with "!?"; offset 40 matches AddressOfEntryPoint in a PE32 header).
    newoep& = address& + 40
    get #1, newoep&, oldoep&
    ' NOTE(review): 0x400000 is hard-coded as the image base; it is not read
    ' from the header.
    oldoep& = oldoep& + &h400000 ' add the offset

    ' Pick an empty area to hold the disguise code (the author jokes that there
    ' is plenty of unclaimed room).
    address& = 800
    operateflag = false

    ' vc++ selected
    if option1(0).value = true then
        redim freeaddressarray(51)
        ' Step forward 4 bytes at a time until 52 consecutive zero bytes are found.
        do
            address& = address& + 4
            for i = 0 to 51 ' reserve 52 bytes for the disguise code
                get #1, address& + i, freeaddressarray(i)
                if freeaddressarray(i) <> &h0 then
                    exit for
                else
                    if i = 51 then
                        operateflag = true
                    end if
                end if
            next
        loop while operateflag = false
        ' Write the new entry point over the original entry-point field.
        ' NOTE(review): the value written is the file position of the zero run,
        ' so this assumes file position and load address coincide there - confirm.
        put #1, newoep&, address&
        address& = address& + 1
        ' maskvc is not shown; presumably it writes the stub and returns the
        ' position of the jump operand - verify against the module code.
        address& = maskvc(address&)
        oldoep& = (oldoep& - (address& + &h400000))
        ' Write the jump displacement; the disguise code must of course jump to
        ' the real entry point.
        put #1, address&, oldoep& - 3
    end if

    ' vc++6.0 selected: same search with a 64-byte zero run; the jump operand is
    ' patched at offset 54 from the start of the stub.
    if option1(1).value = true then
        redim freeaddressarray(63)
        do
            address& = address& + 4
            for i = 0 to 63
                get #1, address& + i, freeaddressarray(i)
                if freeaddressarray(i) <> &h0 then
                    exit for
                else
                    if i = 63 then operateflag = true
                end if
            next
        loop while operateflag = false
        put #1, newoep&, address&
        address& = address& + 1
        maskvc60 (address&)
        oldoep& = (oldoep& - (address& + 54 + &h400000))
        put #1, address& + 54, oldoep& - 3
    end if

    ' delphi 6.0-7.0 selected: same search with a 17-byte zero run; the jump
    ' operand is patched at offset 11 from the start of the stub.
    if option1(2).value = true then
        redim freeaddressarray(16)
        do
            address& = address& + 4
            for i = 0 to 16
                get #1, address& + i, freeaddressarray(i)
                if freeaddressarray(i) <> &h0 then
                    exit for
                else
                    if i = 16 then operateflag = true
                end if
            next
        loop while operateflag = false
        put #1, newoep&, address&
        address& = address& + 1
        maskdelphi60 (address&)
        oldoep& = (oldoep& - (address& + 11 + &h400000))
        put #1, address& + 11, oldoep& - 3
    end if

    msgbox "恭喜,伪装成功! ", vbinformation
    close #1
    cmdok.enabled = false
    cmdtest.enabled = true
end sub

' Run the modified file (shellwait is not shown), then ask whether it ran
' normally. On "No" the modified file is deleted and the backup is renamed
' back to .exe; otherwise the backup is deleted.
private sub cmdtest_click()
    shellwait (text1)
    if vbno = msgbox( "程序正常运行没? ", vbquestion + vbyesno, "提问 ") then
        kill text1
        name mbakfilename$ as left$(text1, len(text1) - 4) & ".exe "
        cmdok.enabled = true
        cmdtest.enabled = false
    else
        kill mbakfilename$
        cmdok.enabled = true
        cmdtest.enabled = false
    end if
end sub
原文 http://www.vbgood.com/viewthread.php?tid=55083&extra=page%3d1 |