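【Title】: eXPressor 1.6.0.1 (All Protections)
【Author】: hxqlky
【Author email】: zmunlky@gmail.com
【Author homepage】: http://www.x5dj.com/hxqlky
【Software name】: unpackme
【Download】: Search for it and download it yourself
【Packer】: eXPressor 1.6.0.1
【Protection】: eXPressor 1.6.0.1
【Tools used】: od, uif, LordPE, ImportREC
【Author's statement】: I am doing this only out of interest, with no other purpose. If there are mistakes, I would be grateful for corrections from the experts here!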
--------------------------------------------------------------------------------
【Detailed procedure】
Unpacking eXPressor 1.5.0.1 (All Protections)
Set up DeRoX.
00469000 U> 68 92144900 PUSH UnPackMe.00491492 execution stops here
00469005 C3 RETN
00469006 2B15 CDE39EC0 SUB EDX,DWORD PTR DS:[C09EE3CD]
0046900C CC INT3
0046900D 77 3F JA SHORT UnPackMe.0046904E
Press F9 to run; there is debugger detection that checks for OllyDbg.
0012F6D4 00D18E77 RETURN to 00D18E77
0012F6D8 0012F6E4 ASCII "OLLYDBG"
0012F6DC 00000000
Modules window (E): USER32.dll
Executable modules, item 13
Base=77D10000
Size=0008F000 (585728.)
Entry=77D2E966 USER32.UserClientDllInitialize
Name=USER32 (system)
File version=5.1.2600.3099 (xpsp_sp2_gdr.070
Path=C:\WINDOWS\system32\USER32.dll
ctrl+n FindWindow
Names in USER32, item 507
Address=77D2DE87
Section=.text
Type=Library (Known)
Name=FindWindowA
77D2DE87 U> 8BFF MOV EDI,EDI
77D2DE89 55 PUSH EBP
77D2DE8A 8BEC MOV EBP,ESP
77D2DE8C 33C0 XOR EAX,EAX
77D2DE8E 50 PUSH EAX
77D2DE8F FF75 0C PUSH DWORD PTR SS:[EBP+C] ; ntdll.7C920000
77D2DE92 FF75 08 PUSH DWORD PTR SS:[EBP+8]
77D2DE95 50 PUSH EAX
77D2DE96 50 PUSH EAX
77D2DE97 E8 4CFFFFFF CALL USER32.77D2DDE8
77D2DE9C 5D POP EBP ; ntdll.7C960456
77D2DE9D C2 0800 RETN 8 F2 here, F9 breaks here, then F7
0012F6AC 00C096ED RETURN to 00C096ED
0012F6B0 0012F6BC ASCII "OLLYDBG"
0012F6B4 00000000
0012F6B8 FFFFFFFF
00C096ED 85C0 TEST EAX,EAX
00C096EF 74 03 JE SHORT 00C096F4
00C096F1 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00C096F4 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00C096F7 85C0 TEST EAX,EAX
00C096F9 75 06 JNZ SHORT 00C09701 jmp
00C096FB 46 INC ESI
00C096FC 83FE 04 CMP ESI,4
00C096FF ^ 7C D2 JL SHORT 00C096D3
00C09701 5E POP ESI
00C09702 C9 LEAVE
00C09703 C3 RETN
00C05235 A3 A810C000 MOV DWORD PTR DS:[C010A8],EAX
00C0523A EB 01 JMP SHORT 00C0523D
00C0523C 0D 833DA810 OR EAX,10A83D83
00C05241 C000 00 ROL BYTE PTR DS:[EAX],0 ; Shift constant out of range 1..31
00C05244 75 0A JNZ SHORT 00C05250
00C05246 E8 D8420000 CALL 00C09523
00C0524B A3 A810C000 MOV DWORD PTR DS:[C010A8],EAX
00C05250 EB 01 JMP SHORT 00C05253
----------------------------------------------------
Magic IAT jump:
Search for:
393d????????0f84
00C63FF4 55 PUSH EBP
00C63FF5 8BEC MOV EBP,ESP
00C63FF7 83EC 10 SUB ESP,10
00C63FFA 56 PUSH ESI
00C63FFB 57 PUSH EDI ; ntdll.7C930228
00C63FFC 33FF XOR EDI,EDI ; ntdll.7C930228
00C63FFE 393D 3C10C600 CMP DWORD PTR DS:[C6103C],EDI ; ntdll.7C930228
00C64004 0F84 F4000000 JE 00C640FE jmp
00C6400A EB 01 JMP SHORT 00C6400D
--------------------------------------------------------
Directly Imports:
Search for:
83c0058b4df42bc8
00C64546 83C0 05 ADD EAX,5
00C64549 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00C6454C 2BC8 SUB ECX,EAX
00C6454E 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00C64551 8908 MOV DWORD PTR DS:[EAX],ECX ; ntdll.7C93005D
00C64553 EB 01 JMP SHORT 00C64556
00C64549 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-2C] after the change
------------------------------------------------
Search (near OEP):
5F 5E 5B 8B E5 5D EB 01
00C01918 5F POP EDI ; 00C01EC3
00C01919 5E POP ESI ; 00C01EC3
00C0191A 5B POP EBX ; 00C01EC3
00C0191B 8BE5 MOV ESP,EBP
00C0191D 5D POP EBP ; 00C01EC3
00C0191E EB 01 JMP SHORT 00C01921
00C63BBD BA 58A15010 MOV EDX,1050A158
00C63BC2 C600 5F MOV BYTE PTR DS:[EAX],5F
00C63BC5 5E POP ESI ; 00C61EC3
00C63BC6 5B POP EBX ; 00C61EC3
00C63BC7 8BE5 MOV ESP,EBP
00C63BC9 5D POP EBP ; 00C61EC3
00C63BCA EB 01 JMP SHORT 00C63BCD F2; this breakpoint is needed later
00B80000 C3 RETN
00B80001 0000 ADD BYTE PTR DS:[EAX],AL
00B80003 0000 ADD BYTE PTR DS:[EAX],AL
00B80005 0000 ADD BYTE PTR DS:[EAX],AL
00B80007 0000 ADD BYTE PTR DS:[EAX],AL
00C6913B 64:8F05 00000000 POP DWORD PTR FS:[0] ; 0012F6E4
00C69142 C745 F8 01000000 MOV DWORD PTR SS:[EBP-8],1
00C69149 C3 RETN nop
00C651A0 50 PUSH EAX
00C651A1 E8 03000000 CALL 00C651A9 f7
00C651A6 01EB ADD EBX,EBP
00C651A8 0A8B 04248B00 OR CL,BYTE PTR DS:[EBX+8B2404]
00C651B3 58 POP EAX ; kernel32.7C816FE7
00C651B4 85C0 TEST EAX,EAX
00C651B6 75 15 JNZ SHORT 00C651CD nop f9
00C651B8 EB 01 JMP SHORT 00C651BB
00C651BA F7E8 IMUL EAX
00C651BC 50 PUSH EAX
00C651BD 40 INC EAX
00C63BCA /EB 01 JMP SHORT 00C63BCD we arrive here
00C63BCC |C8 50A130 ENTER 0A150,30
00C63BD0 10C6 ADC DH,AL
00C63BD2 0083 785C0075 ADD BYTE PTR DS:[EBX+75005C78],AL
Alt+M, set a breakpoint on 00400000, F9
Memory map, item 22
Address=00400000
Size=000A3000 (667648.)
Owner=UnPackMe 00400000 (itself)
Section=
Contains=PE header
Type=Imag 01001040
Access=RWE
Initial access=RWE
00CE867C 300E XOR BYTE PTR DS:[ESI],CL keep pressing F9; it breaks here; keep pressing F9
00CE867E EB 01 JMP SHORT 00CE8681
00CE8680 BB 433B5D0C MOV EBX,0C5D3B43
00CE8685 895D 10 MOV DWORD PTR SS:[EBP+10],EBX
0012FFB0 00400000 UnPackMe.00400000
0012FFB4 7C930228 ntdll.7C930228
0012FFB8 FFFFFFFF
004271B0 55 PUSH EBP oep
004271B1 8BEC MOV EBP,ESP
004271B3 6A FF PUSH -1
004271B5 68 600E4500 PUSH UnPackMe.00450E60
004271BA 68 C8924200 PUSH UnPackMe.004292C8
004271BF 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004271C5 50 PUSH EAX ; UnPackMe.004271B0
004271C6 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
004271CD 83C4 A8 ADD ESP,-58
004271D0 53 PUSH EBX
004271D1 56 PUSH ESI
004271D2 57 PUSH EDI ; ntdll.7C930228
004271D3 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004271D6 FF15 DC0A4600 CALL DWORD PTR DS:[460ADC] ; kernel32.GetVersion
004271DC 33D2 XOR EDX,EDX
00460818 77DA6C07 ADVAPI32.RegCloseKey iat ------0
0046081C 77DA7832 ADVAPI32.RegOpenKeyExA
00460820 77DAE834 ADVAPI32.RegCreateKeyExA
Fixing Success...
Fixed Module : UnPackMe_eXPressor 1.6.0.1.f.exe
Image Base : 00400000
IAT VA : 00460000
IAT Size : 0000070C
Normal Imports : 1386
Directly Imports : 199
All Imports : 1585
LordPE: in Directories, zero out TLS
Delete .date
Rebuild the PE with LordPE
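
The wildcard byte searches used in the steps above (`??` matches any byte), as an added Python example that is not part of the original post. The sample regions are constructed from the instruction bytes printed in the listings; `compile_sig`, `scan` and `scan_all` are hypothetical helper names.

```python
import re

def compile_sig(sig):
    """Turn a hex signature with ?? wildcards into a bytes regex."""
    digits = "".join(sig.split())
    if len(digits) % 2:
        raise ValueError("signature needs an even number of hex digits")
    parts = []
    for i in range(0, len(digits), 2):
        tok = digits[i:i + 2]
        # ?? matches any single byte; everything else must match exactly.
        parts.append(b"." if tok == "??" else re.escape(bytes.fromhex(tok)))
    # Lookahead reports overlapping hits; DOTALL lets ?? match byte 0x0A too.
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)

def scan(base, data, sig):
    """Return the virtual address of every hit of sig in data loaded at base."""
    return [base + m.start() for m in compile_sig(sig).finditer(data)]

# Constructed sample regions: (label, base address, bytes, signature).
# The bytes are copied from the instruction bytes shown in the listings above.
REGIONS = [
    ("Magic IAT jump", 0x00C63FF4,
     "55 8BEC 83EC10 56 57 33FF 393D3C10C600 0F84F4000000 EB01",
     "393d????????0f84"),
    ("Directly Imports", 0x00C64546,
     "83C005 8B4DF4 2BC8 8B45E8 8908 EB01",
     "83c0058b4df42bc8"),
    ("near OEP", 0x00C63BBD,
     "BA58A15010 C6005F 5E 5B 8BE5 5D EB01",
     "5F 5E 5B 8B E5 5D EB 01"),
]

def scan_all():
    """Scan every constructed region with its signature."""
    return {label: scan(base, bytes.fromhex(raw), sig)
            for label, base, raw, sig in REGIONS}

if __name__ == "__main__":
    for label, hits in scan_all().items():
        print(label, [f"{h:08X}" for h in hits])
```

The "near OEP" hit begins at 00C63BC4, the last byte of what the listing displays as `MOV BYTE PTR DS:[EAX],5F`, so a byte search finds the sequence even where the disassembly view does not show it on an instruction boundary.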