Hi everyone, this is 拍花 (QQ 545235297).
Today we continue the previous lesson, still on unpacking and cracking techniques.
The target today is a layered packer (several packers on top of each other), which is somewhat difficult for beginners.
Let's look at the procedure.
Unpacking EXEStealth 2.5x - 2.7x + ASPack 2.12 + UPX (modified)
Unpacking platform: WinXP + SP1
Unpacking tools: OllyDbg 1.10, ImportREC 1.6, PEiD 0.92
First scan with PEiD; it reports EXEStealth 2.5x - 2.7x -> WebToolMaster [Overlay]
Load the file in OllyDbg. Under Options -> Debugging options -> Exceptions, tick every exception except memory access violations, and hide OllyDbg.
--------------------------------------------------------
0042C060 > /EB 00 JMP SHORT 练习.0042C062 // address at load time; press Shift+F9
0042C062 EB 17 JMP SHORT 练习.0042C07B
0042C064 53 PUSH EBX
0042C065 68 61726577 PUSH 77657261
0042C06A 61 POPAD
0042C06B 72 65 JB SHORT 练习.0042C0D2
First exception
------------------------------------------------------
0042C76B CD 68 INT 68 // execution stops here
0042C76D 33DB XOR EBX,EBX
0042C76F 64:8F03 POP DWORD PTR FS:[EBX]
0042C772 83C4 04 ADD ESP,4
0042C775 66:81FF 9712 CMP DI,1297
0042C77A 74 0E JE SHORT 练习.0042C78A
0042C77C 66:81FF 7712 CMP DI,1277
0042C781 74 07 JE SHORT 练习.0042C78A
0042C783 66:81FF 3013 CMP DI,1330
0042C788 75 08 JNZ SHORT 练习.0042C792
Second exception
----------------------------------------------------
0042C7F7 0000 ADD BYTE PTR DS:[EAX],AL
0042C7F9 0000 ADD BYTE PTR DS:[EAX],AL
0042C7FB 0000 ADD BYTE PTR DS:[EAX],AL
0042C7FD 0000 ADD BYTE PTR DS:[EAX],AL
0042C7FF 0000 ADD BYTE PTR DS:[EAX],AL
0042C801 0000 ADD BYTE PTR DS:[EAX],AL
0042C803 0000 ADD BYTE PTR DS:[EAX],AL
0042C805 0000 ADD BYTE PTR DS:[EAX],AL
0042C807 0000 ADD BYTE PTR DS:[EAX],AL
0042C809 0000 ADD BYTE PTR DS:[EAX],AL
Now look at the stack in the lower-right pane:
0012FFBC 0012FFE0 Pointer to next SEH record
0012FFC0 0042C79A SE handler ........................... // the exception is raised here
0012FFC4 77E614C7 RETURN to kernel32.77E614C7
0012FFC8 77F5164E RETURN to ntdll.77F5164E from ntdll.77F5166D
0012FFCC 00560718
0012FFD0 7FFDF000
0012FFD4 F3EEECF0
Ctrl+G to 0042C79A
0042C79A 55 PUSH EBP // set a breakpoint here, press Shift+F9 to break, remove the breakpoint, then trace slowly with F8
0042C79B 8BEC MOV EBP,ESP
0042C79D 57 PUSH EDI
0042C79E 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
0042C7A1 8BB8 C4000000 MOV EDI,DWORD PTR DS:[EAX+C4]
0042C7A7 FF37 PUSH DWORD PTR DS:[EDI]
0042C7A9 33FF XOR EDI,EDI
0042C7AB 64:8F07 POP DWORD PTR FS:[EDI]
0042C7AE 8380 C4000000 0>ADD DWORD PTR DS:[EAX+C4],8
0042C7B5 8BB8 A4000000 MOV EDI,DWORD PTR DS:[EAX+A4]
0042C7BB C1C7 07 ROL EDI,7
0042C7BE 89B8 B8000000 MOV DWORD PTR DS:[EAX+B8],EDI
0042C7C4 B8 00000000 MOV EAX,0
0042C7C9 5F POP EDI // stop here; note that EDI = 00429001
0042C7CA C9 LEAVE
0042C7CB C3 RETN
0042C7CC 32C0 XOR AL,AL
-------------------------------------------------------------
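What the handler at 0042C79A does is worth spelling out, because it explains where the 00429001 in EDI comes from. [EBP+10] is the CONTEXT record of the faulting thread; in the x86 CONTEXT layout offset A4 is Ebx, B8 is Eip and C4 is Esp. The handler pops the saved next-SEH pointer from the exception-time stack into FS:[0] (unlinking its own frame), adds 8 to the saved Esp, stores ROL(Ebx,7) as the new Eip and returns 0 (ExceptionContinueExecution), so the OS resumes the program at ROL(Ebx,7). The Python below is an added model of that behaviour, not code from this write-up; the CONTEXT offsets are real, while the Ebx value 02008520 (00429001 rotated right by 7) and ctx.Esp = 0012FFBC (the SEH record at the top of the stack dump) are assumptions consistent with the listing.

```python
import struct

# x86 CONTEXT field offsets touched by the handler at 0042C79A.
CTX_EBX, CTX_EIP, CTX_ESP = 0xA4, 0xB8, 0xC4
CONTEXT_SIZE = 0x2CC  # sizeof(CONTEXT) on 32-bit Windows


def rol32(value: int, count: int) -> int:
    """32-bit rotate left, the ROL EDI,7 at 0042C7BB."""
    value &= 0xFFFFFFFF
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def make_context(ebx: int, eip: int, esp: int) -> bytearray:
    """Constructed CONTEXT record holding only the fields the handler uses."""
    ctx = bytearray(CONTEXT_SIZE)
    struct.pack_into("<I", ctx, CTX_EBX, ebx)
    struct.pack_into("<I", ctx, CTX_EIP, eip)
    struct.pack_into("<I", ctx, CTX_ESP, esp)
    return ctx


def run_handler(ctx: bytearray, stack: dict) -> dict:
    """Apply the handler's side effects to a CONTEXT and a stand-in stack.

    `stack` maps dword addresses to values. Returns the new FS:[0], the
    patched Eip/Esp and the handler's return value (0 = continue execution).
    """
    esp = struct.unpack_from("<I", ctx, CTX_ESP)[0]
    new_fs0 = stack[esp]                       # PUSH [EDI] / POP FS:[0]: unlink frame
    esp = (esp + 8) & 0xFFFFFFFF               # ADD DWORD PTR [EAX+C4],8
    ebx = struct.unpack_from("<I", ctx, CTX_EBX)[0]
    new_eip = rol32(ebx, 7)                    # MOV EDI,[EAX+A4]; ROL EDI,7; MOV [EAX+B8],EDI
    struct.pack_into("<I", ctx, CTX_ESP, esp)
    struct.pack_into("<I", ctx, CTX_EIP, new_eip)
    return {"fs0": new_fs0, "eip": new_eip, "esp": esp, "ret": 0}


def demo() -> dict:
    """Replay the second exception with the values from the stack dump.

    Assumptions: ctx.Esp = 0012FFBC (SEH record on top of the stack when INT 68
    fires) and Ebx = 02008520, derived from the EDI = 00429001 seen at POP EDI.
    """
    stack = {0x0012FFBC: 0x0012FFE0, 0x0012FFC0: 0x0042C79A}
    ctx = make_context(ebx=0x02008520, eip=0x0042C76B, esp=0x0012FFBC)
    return run_handler(ctx, stack)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v:08X}")
```

For an analyst this is the general check for any handler-based packer stage: read the handler, work out which CONTEXT fields it writes, and the next stop is known without single-stepping through the exception.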
Ctrl+G to 00429001
00429001 60 PUSHAD // set a breakpoint here, press Shift+F9 to break, then remove the breakpoint
This should look familiar by now: it is the ASPack signature. The ESP trick would work here too, but we will not use it today.
00429002 E8 03000000 CALL 练习.0042900A................ // F7 to step into
00429007 - E9 EB045D45 JMP 459F94F7
0042900C 55 PUSH EBP
0042900D C3 RETN
--------------------------------------------------------
0042900A 5D POP EBP ; 练习.00429007
0042900B 45 INC EBP
0042900C 55 PUSH EBP
0042900D C3 RETN // returns to 00429008
-------------------------------------------------------
00429008 /EB 04 JMP SHORT 练习.0042900E
0042900A |5D POP EBP
0042900B |45 INC EBP
0042900C |55 PUSH EBP
0042900D |C3 RETN
0042900E E8 01000000 CALL 练习.00429014 .............// F7 to step into
00429013 EB 5D JMP SHORT 练习.00429072
-------------------------------------------------------
00429014 5D POP EBP ; 练习.00429013
00429015 BB EDFFFFFF MOV EBX,-13
0042901A 03DD ADD EBX,EBP
0042901C 81EB 00900200 SUB EBX,29000
00429022 83BD 22040000 0>CMP DWORD PTR SS:[EBP+422],0
00429029 899D 22040000 MOV DWORD PTR SS:[EBP+422],EBX
0042902F 0F85 65030000 JNZ 练习.0042939A ............// make this jump taken
00429035 8D85 2E040000 LEA EAX,DWORD PTR SS:[EBP+42E]
0042903B 50 PUSH EAX
0042903C FF95 4D0F0000 CALL DWORD PTR SS:[EBP+F4D]
--------------------------------------------------------
0042939A B8 0F6F0200 MOV EAX,26F0F
0042939F 50 PUSH EAX
004293A0 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
004293A6 59 POP ECX
004293A7 0BC9 OR ECX,ECX
004293A9 8985 A8030000 MOV DWORD PTR SS:[EBP+3A8],EAX
004293AF 61 POPAD
004293B0 75 08 JNZ SHORT 练习.004293BA
004293B2 B8 01000000 MOV EAX,1
004293B7 C2 0C00 RETN 0C
004293BA 68 0F6F4200 PUSH 练习.00426F0F // ASPack has finished decompressing at this point
----------------------------------------------------------
00426F0F 90 NOP
00426F10 61 POPAD // Unusual, isn't it? This should be PUSHAD, which is why I call it a modified UPX. Modified or not,
the UPX signature does not really change; keep looking downward.
00426F11 BE 00D04100 MOV ESI,练习.0041D000
00426F16 8DBE 0040FEFF LEA EDI,DWORD PTR DS:[ESI+FFFE4000]
00426F1C 57 PUSH EDI
00426F1D 83CD FF OR EBP,FFFFFFFF
00426F20 EB 10 JMP SHORT 练习.00426F32
00426F22 EB 00 JMP SHORT 练习.00426F24
00426F24 ^ EB EA JMP SHORT 练习.00426F10
00426F26 ^ EB E8 JMP SHORT 练习.00426F10
00426F28 8A06 MOV AL,BYTE PTR DS:[ESI]
00426F2A 46 INC ESI
00426F2B 8807 MOV BYTE PTR DS:[EDI],AL
00426F2D 47 INC EDI
00426F2E 01DB ADD EBX,EBX
00426F30 75 07 JNZ SHORT 练习.00426F39
00426F32 8B1E MOV EBX,DWORD PTR DS:[ESI]
00426F34 83EE FC SUB ESI,-4
00426F37 11DB ADC EBX,EBX
00426F39 ^ 72 ED JB SHORT 练习.00426F28
00426F3B B8 01000000 MOV EAX,1
00426F40 01DB ADD EBX,EBX
00426F42 75 07 JNZ SHORT 练习.00426F4B
00426F44 8B1E MOV EBX,DWORD PTR DS:[ESI]
00426F46 83EE FC SUB ESI,-4
00426F49 11DB ADC EBX,EBX
00426F4B 11C0 ADC EAX,EAX
00426F4D 01DB ADD EBX,EBX
00426F4F ^ 73 EF JNB SHORT 练习.00426F40
00426F51 75 09 JNZ SHORT 练习.00426F5C
00426F53 8B1E MOV EBX,DWORD PTR DS:[ESI]
00426F55 83EE FC SUB ESI,-4
00426F58 11DB ADC EBX,EBX
00426F5A ^ 73 E4 JNB SHORT 练习.00426F40
00426F5C 31C9 XOR ECX,ECX
00426F5E 83E8 03 SUB EAX,3
00426F61 72 0D JB SHORT 练习.00426F70
00426F63 C1E0 08 SHL EAX,8
00426F66 8A06 MOV AL,BYTE PTR DS:[ESI]
00426F68 46 INC ESI
00426F69 83F0 FF XOR EAX,FFFFFFFF
00426F6C 74 74 JE SHORT 练习.00426FE2
00426F6E 89C5 MOV EBP,EAX
00426F70 01DB ADD EBX,EBX
00426F72 75 07 JNZ SHORT 练习.00426F7B
00426F74 8B1E MOV EBX,DWORD PTR DS:[ESI]
00426F76 83EE FC SUB ESI,-4
00426F79 11DB ADC EBX,EBX
00426F7B 11C9 ADC ECX,ECX
00426F7D 01DB ADD EBX,EBX
00426F7F 75 07 JNZ SHORT 练习.00426F88
00426F81 8B1E MOV EBX,DWORD PTR DS:[ESI]
00426F83 83EE FC SUB ESI,-4
00426F86 11DB ADC EBX,EBX
00426F88 11C9 ADC ECX,ECX
00426F8A 75 20 JNZ SHORT 练习.00426FAC
00426F8C 41 INC ECX
00426F8D 01DB ADD EBX,EBX
00426F8F 75 07 JNZ SHORT 练习.00426F98
00426F91 8B1E MOV EBX,DWORD PTR DS:[ESI]
00426F93 83EE FC SUB ESI,-4
00426F96 11DB ADC EBX,EBX
00426F98 11C9 ADC ECX,ECX
00426F9A 01DB ADD EBX,EBX
00426F9C ^ 73 EF JNB SHORT 练习.00426F8D
00426F9E 75 09 JNZ SHORT 练习.00426FA9
00426FA0 8B1E MOV EBX,DWORD PTR DS:[ESI]
00426FA2 83EE FC SUB ESI,-4
00426FA5 11DB ADC EBX,EBX
00426FA7 ^ 73 E4 JNB SHORT 练习.00426F8D
00426FA9 83C1 02 ADD ECX,2
00426FAC 81FD 00F3FFFF CMP EBP,-0D00
00426FB2 83D1 01 ADC ECX,1
00426FB5 8D142F LEA EDX,DWORD PTR DS:[EDI+EBP]
00426FB8 83FD FC CMP EBP,-4
00426FBB 76 0F JBE SHORT 练习.00426FCC
00426FBD 8A02 MOV AL,BYTE PTR DS:[EDX]
00426FBF 42 INC EDX
00426FC0 8807 MOV BYTE PTR DS:[EDI],AL
00426FC2 47 INC EDI
00426FC3 49 DEC ECX
00426FC4 ^ 75 F7 JNZ SHORT 练习.00426FBD
00426FC6 ^ E9 63FFFFFF JMP 练习.00426F2E
00426FCB 90 NOP
00426FCC 8B02 MOV EAX,DWORD PTR DS:[EDX]
00426FCE 83C2 04 ADD EDX,4
00426FD1 8907 MOV DWORD PTR DS:[EDI],EAX
00426FD3 83C7 04 ADD EDI,4
00426FD6 83E9 04 SUB ECX,4
00426FD9 ^ 77 F1 JA SHORT 练习.00426FCC
00426FDB 01CF ADD EDI,ECX
00426FDD ^ E9 4CFFFFFF JMP 练习.00426F2E
00426FE2 5E POP ESI
00426FE3 89F7 MOV EDI,ESI
00426FE5 B9 E1060000 MOV ECX,6E1
00426FEA 8A07 MOV AL,BYTE PTR DS:[EDI]
00426FEC 47 INC EDI
00426FED 2C E8 SUB AL,0E8
00426FEF 3C 01 CMP AL,1
00426FF1 ^ 77 F7 JA SHORT 练习.00426FEA
00426FF3 803F 05 CMP BYTE PTR DS:[EDI],5
00426FF6 ^ 75 F2 JNZ SHORT 练习.00426FEA
00426FF8 8B07 MOV EAX,DWORD PTR DS:[EDI]
00426FFA 8A5F 04 MOV BL,BYTE PTR DS:[EDI+4]
00426FFD 66:C1E8 08 SHR AX,8
00427001 C1C0 10 ROL EAX,10
00427004 86C4 XCHG AH,AL
00427006 29F8 SUB EAX,EDI
00427008 80EB E8 SUB BL,0E8
0042700B 01F0 ADD EAX,ESI
0042700D 8907 MOV DWORD PTR DS:[EDI],EAX
0042700F 83C7 05 ADD EDI,5
00427012 88D8 MOV AL,BL
00427014 ^ E2 D9 LOOPD SHORT 练习.00426FEF
00427016 8DBE 00400200 LEA EDI,DWORD PTR DS:[ESI+24000]
0042701C 8B07 MOV EAX,DWORD PTR DS:[EDI]
0042701E 09C0 OR EAX,EAX
00427020 74 45 JE SHORT 练习.00427067
00427022 8B5F 04 MOV EBX,DWORD PTR DS:[EDI+4]
00427025 8D8430 94790200 LEA EAX,DWORD PTR DS:[EAX+ESI+27994]
0042702C 01F3 ADD EBX,ESI
0042702E 50 PUSH EAX
0042702F 83C7 08 ADD EDI,8
00427032 FF96 707A0200 CALL DWORD PTR DS:[ESI+27A70]
00427038 95 XCHG EAX,EBP
00427039 8A07 MOV AL,BYTE PTR DS:[EDI]
0042703B 47 INC EDI
0042703C 08C0 OR AL,AL
0042703E ^ 74 DC JE SHORT 练习.0042701C
00427040 89F9 MOV ECX,EDI
00427042 79 07 JNS SHORT 练习.0042704B
00427044 0FB707 MOVZX EAX,WORD PTR DS:[EDI]
00427047 47 INC EDI
00427048 50 PUSH EAX
00427049 47 INC EDI
0042704A B9 5748F2AE MOV ECX,AEF24857
0042704F 55 PUSH EBP
00427050 FF96 747A0200 CALL DWORD PTR DS:[ESI+27A74]
00427056 09C0 OR EAX,EAX
00427058 74 07 JE SHORT 练习.00427061
0042705A 8903 MOV DWORD PTR DS:[EBX],EAX
0042705C 83C3 04 ADD EBX,4
0042705F ^ EB D8 JMP SHORT 练习.00427039
00427061 FF96 787A0200 CALL DWORD PTR DS:[ESI+27A78]
00427067 60 PUSHAD ..........................// pairs with the POPAD above; this is the key spot. Set a breakpoint here,
press Shift+F9 to break, then remove the breakpoint
00427068 - E9 7979FEFF JMP 练习.0040E9E6...............// jumps to the program's OEP
0042706D 0000 ADD BYTE PTR DS:[EAX],AL
0042706F 0000 ADD BYTE PTR DS:[EAX],AL
00427071 0000 ADD BYTE PTR DS:[EAX],AL
-----------------------------------------------------------
0040E9E6 55 PUSH EBP // you can dump now
0040E9E7 8BEC MOV EBP,ESP
0040E9E9 6A FF PUSH -1
0040E9EB 68 60124100 PUSH 练习.00411260
0040E9F0 68 72EB4000 PUSH 练习.0040EB72 ; JMP to MSVCRT._except_handler3
0040E9F5 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0040E9FB 50 PUSH EAX
0040E9FC 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
0040EA03 83EC 68 SUB ESP,68
0040EA06 53 PUSH EBX
0040EA07 56 PUSH ESI
0040EA08 57 PUSH EDI
0040EA09 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
----------------------------------------------------
Then fix the imports with ImportREC:
OEP: E9E6  RVA: fffc  Size: 055C