[原创]UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]壳分析
发表于: 2010-10-24 21:28 8310

;-----------------------------------------------------------------------
; UPX unpacking stub, stage 1: in-place decompression (OllyDbg listing
; of the image VSClient, Intel syntax).
; The bit-reader / match-copy shape (marker bit shifted in by ADC EBX,EBX,
; CMP EBP,-500 / ADC ECX,2, CMP EBP,-4 dword-copy split) matches UPX's
; NRV2B 32-bit-bitstream decoder; treat that identification as inferred.
; Registers: ESI = packed input (UPX1),  EDI = output cursor (UPX0),
;            EBX = 32-bit bit buffer refilled from [ESI],
;            EBP = last match offset (negative distance into output),
;            ECX = match length, EAX = scratch for offset/length codes.
; The dword copy at 006006AC may write up to 3 bytes past the end of a
; match; ADD EDI,ECX at 006006BB pulls EDI back and later output
; overwrites those bytes.
;-----------------------------------------------------------------------
006005D0 > $  60            PUSHAD                                   ;  save all registers; restored by POPAD before the jump to OEP
006005D1   .  BE 00C05400   MOV ESI,VSClient.0054C000                ;  ESI = start of packed data (UPX1 section)
006005D6   .  8DBE 0050EBFF LEA EDI,DWORD PTR DS:[ESI+FFEB5000]      ;  EDI = ESI - 14B000h: output buffer (UPX0 section)
006005DC   .  57            PUSH EDI                                 ;  save output base; popped into ESI at 006006C2 for the fix-up pass
006005DD   .  83CD FF       OR EBP,FFFFFFFF                          ;  EBP = -1: initial "last offset"
006005E0   .  EB 10         JMP SHORT VSClient.006005F2              ;  start by loading the first 32 bits into the bit buffer
006005E2      90            NOP
006005E3      90            NOP
006005E4      90            NOP
006005E5      90            NOP
006005E6      90            NOP
006005E7      90            NOP
006005E8   >  8A06          MOV AL,BYTE PTR DS:[ESI]                 ;  literal token: copy one byte [ESI] -> [EDI]
006005EA   .  46            INC ESI
006005EB   .  8807          MOV BYTE PTR DS:[EDI],AL
006005ED   .  47            INC EDI
006005EE   >  01DB          ADD EBX,EBX                              ;  next bit: shift buffer left, top bit -> CF
006005F0   .  75 07         JNZ SHORT VSClient.006005F9              ;  buffer still nonzero (the marker bit keeps it so) -> bit is valid
006005F2   >  8B1E          MOV EBX,DWORD PTR DS:[ESI]               ;  buffer exhausted: load the next 32-bit control word
006005F4   .  83EE FC       SUB ESI,-4                               ;  ESI += 4, written as SUB -4 so that CF = 1 (ESI - 0FFFFFFFCh always borrows)
006005F7   .  11DB          ADC EBX,EBX                              ;  EBX = EBX*2 + 1: top data bit -> CF, marker 1 in at bit 0; exactly 32 data bits later EBX becomes 0 and the JNZ above falls into this reload
006005F9   >^ 72 ED         JB SHORT VSClient.006005E8               ;  bit 1 -> literal byte from [ESI]; bit 0 -> match copied from already-written output
006005FB   .  B8 01000000   MOV EAX,1                                ;  match: EAX = 1, accumulator for the variable-length offset code
00600600   >  01DB          ADD EBX,EBX                              ;  read one code bit
00600602   .  75 07         JNZ SHORT VSClient.0060060B
00600604   .  8B1E          MOV EBX,DWORD PTR DS:[ESI]
00600606   .  83EE FC       SUB ESI,-4
00600609   .  11DB          ADC EBX,EBX
0060060B   >  11C0          ADC EAX,EAX                              ;  EAX = EAX*2 + bit
0060060D   .  01DB          ADD EBX,EBX                              ;  stop bit: CF = 1 means the offset code is complete
0060060F   .  73 0B         JNB SHORT VSClient.0060061C              ;  CF = 0 -> not finished: EAX-1, then another bit
00600611   .  75 28         JNZ SHORT VSClient.0060063B              ;  CF = 1 and buffer still valid -> code complete
00600613   .  8B1E          MOV EBX,DWORD PTR DS:[ESI]               ;  buffer exhausted at the stop bit: reload and take the real bit
00600615   .  83EE FC       SUB ESI,-4
00600618   .  11DB          ADC EBX,EBX
0060061A   .  72 1F         JB SHORT VSClient.0060063B               ;  reloaded bit = 1 -> code complete
0060061C   >  48            DEC EAX                                  ;  continue case: EAX-1, read another bit, loop
0060061D   .  01DB          ADD EBX,EBX
0060061F   .  75 07         JNZ SHORT VSClient.00600628
00600621   .  8B1E          MOV EBX,DWORD PTR DS:[ESI]
00600623   .  83EE FC       SUB ESI,-4
00600626   .  11DB          ADC EBX,EBX
00600628   >  11C0          ADC EAX,EAX
0060062A   .^ EB D4         JMP SHORT VSClient.00600600
0060062C   >  01DB          ADD EBX,EBX                              ;  short length: ECX = ECX*2 + one more bit
0060062E   .  75 07         JNZ SHORT VSClient.00600637
00600630   .  8B1E          MOV EBX,DWORD PTR DS:[ESI]
00600632   .  83EE FC       SUB ESI,-4
00600635   .  11DB          ADC EBX,EBX
00600637   >  11C9          ADC ECX,ECX
00600639   .  EB 52         JMP SHORT VSClient.0060068D              ;  finalize length and copy
0060063B   >  31C9          XOR ECX,ECX                              ;  ECX = 0: length accumulator
0060063D   .  83E8 03       SUB EAX,3                                ;  offset code < 3 -> reuse the previous offset (EBP unchanged)
00600640   .  72 11         JB SHORT VSClient.00600653
00600642   .  C1E0 08       SHL EAX,8                                ;  new offset: ((EAX-3) << 8) | next input byte
00600645   .  8A06          MOV AL,BYTE PTR DS:[ESI]
00600647   .  46            INC ESI
00600648   .  83F0 FF       XOR EAX,FFFFFFFF                         ;  EAX = ~EAX; a result of 0 (code 0FFFFFFFFh) is the end-of-stream marker
0060064B   .  74 75         JE SHORT VSClient.006006C2               ;  decompression finished -> call/jmp fix-up pass
0060064D   .  D1F8          SAR EAX,1                                ;  EAX >>= 1 (signed): negative distance
0060064F   .  89C5          MOV EBP,EAX                              ;  remember as last offset for later "reuse offset" matches
00600651   .  EB 0B         JMP SHORT VSClient.0060065E
00600653   >  01DB          ADD EBX,EBX                              ;  reuse-offset path: read first length bit
00600655   .  75 07         JNZ SHORT VSClient.0060065E
00600657   .  8B1E          MOV EBX,DWORD PTR DS:[ESI]
00600659   .  83EE FC       SUB ESI,-4
0060065C   .  11DB          ADC EBX,EBX
0060065E   >^ 72 CC         JB SHORT VSClient.0060062C               ;  bit 1 -> one more length bit, then +2 at 0060068D
00600660   .  41            INC ECX                                  ;  bit 0 -> ECX = 1, read another bit
00600661   .  01DB          ADD EBX,EBX
00600663   .  75 07         JNZ SHORT VSClient.0060066C
00600665   .  8B1E          MOV EBX,DWORD PTR DS:[ESI]
00600667   .  83EE FC       SUB ESI,-4
0060066A   .  11DB          ADC EBX,EBX
0060066C   >^ 72 BE         JB SHORT VSClient.0060062C               ;  bit 1 -> ECX = (1 << 1) | next bit, then +2
0060066E   >  01DB          ADD EBX,EBX                              ;  two 0 bits: long length; shift bits into ECX until a 1 stop bit
00600670   .  75 07         JNZ SHORT VSClient.00600679
00600672   .  8B1E          MOV EBX,DWORD PTR DS:[ESI]
00600674   .  83EE FC       SUB ESI,-4
00600677   .  11DB          ADC EBX,EBX
00600679   >  11C9          ADC ECX,ECX                              ;  ECX = ECX*2 + bit
0060067B   .  01DB          ADD EBX,EBX                              ;  stop bit
0060067D   .^ 73 EF         JNB SHORT VSClient.0060066E              ;  0 -> keep accumulating
0060067F   .  75 09         JNZ SHORT VSClient.0060068A              ;  1 (buffer valid) -> done
00600681   .  8B1E          MOV EBX,DWORD PTR DS:[ESI]               ;  buffer exhausted at the stop bit: reload and retest
00600683   .  83EE FC       SUB ESI,-4
00600686   .  11DB          ADC EBX,EBX
00600688   .^ 73 E4         JNB SHORT VSClient.0060066E
0060068A   >  83C1 02       ADD ECX,2                                ;  long-length path: ECX += 2
0060068D   >  81FD 00FBFFFF CMP EBP,-500                             ;  CF = 1 when the match distance exceeds 500h
00600693   .  83D1 02       ADC ECX,2                                ;  ECX += 2 + CF: minimum copy is 2 bytes, one more for far matches
00600696   .  8D142F        LEA EDX,DWORD PTR DS:[EDI+EBP]           ;  EDX = source = output cursor minus distance
00600699   .  83FD FC       CMP EBP,-4                               ;  distance >= 4 (EBP <= -4 unsigned) -> dword copy path
0060069C   .  76 0E         JBE SHORT VSClient.006006AC              ;  each dword read is then already fully written; fewer iterations than the byte loop
0060069E   >  8A02          MOV AL,BYTE PTR DS:[EDX]                 ;  byte copy: required when source and destination overlap within 4 bytes
006006A0   .  42            INC EDX
006006A1   .  8807          MOV BYTE PTR DS:[EDI],AL
006006A3   .  47            INC EDI
006006A4   .  49            DEC ECX
006006A5   .^ 75 F7         JNZ SHORT VSClient.0060069E
006006A7   .^ E9 42FFFFFF   JMP VSClient.006005EE                    ;  next token
006006AC   >  8B02          MOV EAX,DWORD PTR DS:[EDX]               ;  dword copy; loops while ECX > 4 before the SUB, so it may overshoot by up to 3 bytes
006006AE   .  83C2 04       ADD EDX,4
006006B1   .  8907          MOV DWORD PTR DS:[EDI],EAX
006006B3   .  83C7 04       ADD EDI,4
006006B6   .  83E9 04       SUB ECX,4
006006B9   .^ 77 F1         JA SHORT VSClient.006006AC
006006BB   .  01CF          ADD EDI,ECX                              ;  ECX is now <= 0: pull EDI back by the overshoot
006006BD   .^ E9 2CFFFFFF   JMP VSClient.006005EE                    ;  next token
;-----------------------------------------------------------------------
; Stage 2: undo UPX's CALL/JMP filter. Each E8 (CALL) / E9 (JMP) rel32
; operand in the unpacked code was stored as a 42h marker byte followed
; by a 3-byte big-endian position (see the byte shuffle at 006006DD);
; this pass scans the code and rewrites each one back to a little-endian
; rel32 relative to the operand's own position (EDI - ESI).
; ESI = unpacked code base (pushed at 006005DC), EDI = scan cursor,
; ECX = number of filtered operands; the LOOPD at 006006F4 is the only
; decrement, so plain scanning does not consume the count.
;-----------------------------------------------------------------------
006006C2   >  5E            POP ESI                                  ;  ESI = output base saved at 006005DC
006006C3   .  89F7          MOV EDI,ESI                              ;  scan from the start of the unpacked code
006006C5   .  B9 8BA70000   MOV ECX,0A78B                            ;  ECX = 0A78Bh: count of operands to restore (decremented only at 006006F4)
006006CA   >  8A07          MOV AL,BYTE PTR DS:[EDI]                 ;  scan: skip bytes until one is E8 or E9 (AL - 0E8h <= 1 unsigned)
006006CC   .  47            INC EDI
006006CD   .  2C E8         SUB AL,0E8
006006CF   >  3C 01         CMP AL,1
006006D1   .^ 77 F7         JA SHORT VSClient.006006CA
006006D3   .  803F 42       CMP BYTE PTR DS:[EDI],42                 ;  E8/E9 must be followed by the 42h marker byte, else it was not filtered
006006D6   .^ 75 F2         JNZ SHORT VSClient.006006CA
006006D8   .  8B07          MOV EAX,DWORD PTR DS:[EDI]               ;  EAX = marker + 3 stored bytes
006006DA   .  8A5F 04       MOV BL,BYTE PTR DS:[EDI+4]               ;  BL = byte after the operand: the next opcode candidate
006006DD   .  66:C1E8 08    SHR AX,8                                 ;  drop the marker byte ...
006006E1   .  C1C0 10       ROL EAX,10                               ;  ... and reverse byte order: EAX = the 3-byte value, big-endian in the file
006006E4   .  86C4          XCHG AH,AL
006006E6   .  29F8          SUB EAX,EDI                              ;  EAX -= (EDI - ESI): absolute-in-image -> rel32
006006E8   .  80EB E8       SUB BL,0E8                               ;  pre-apply the E8 test to the next byte so LOOPD can re-enter at the CMP
006006EB   .  01F0          ADD EAX,ESI
006006ED   .  8907          MOV DWORD PTR DS:[EDI],EAX               ;  store the rebuilt rel32 over marker + 3 bytes
006006EF   .  83C7 05       ADD EDI,5                                ;  past the 4-byte operand and the byte already loaded into BL
006006F2   .  88D8          MOV AL,BL                                ;  AL = next candidate (already minus E8h)
006006F4   .^ E2 D9         LOOPD SHORT VSClient.006006CF            ;  ECX--, continue while fix-ups remain
;-----------------------------------------------------------------------
; Stage 3: rebuild the import address table at run time. UPX keeps a
; compact list of (DLL-name offset, IAT offset) pairs, each followed by
; per-function entries (flag byte, then a NUL-terminated name or a
; 16-bit ordinal). Every DLL is loaded with LoadLibraryA and every slot
; filled from the resolver at [ESI+205D1Ch], which this dump does not
; label (presumably GetProcAddress). An unresolvable import ends the
; process through ExitProcess.
; Triage note: because the IAT is filled only here, a memory dump taken
; after 00600747 holds resolved slots but no import directory that
; describes them; the directory has to be reconstructed from the slots.
; ESI = UPX0 base, EDI = import-list cursor, EBX = current IAT slot,
; EBP = module handle of the current DLL.
;-----------------------------------------------------------------------
006006F6   .  8DBE 00A01F00 LEA EDI,DWORD PTR DS:[ESI+1FA000]        ;  EDI = ESI + 1FA000h: start of the packed import list
006006FC   >  8B07          MOV EAX,DWORD PTR DS:[EDI]               ;  EAX = DLL name offset
006006FE   .  09C0          OR EAX,EAX
00600700   .  74 45         JE SHORT VSClient.00600747               ;  offset 0 terminates the list
00600702   .  8B5F 04       MOV EBX,DWORD PTR DS:[EDI+4]             ;  EBX = offset of this DLL's first IAT slot
00600705   .  8D8430 845A20>LEA EAX,DWORD PTR DS:[EAX+ESI+205A84]    ;  EAX = address of the DLL name string
0060070C   .  01F3          ADD EBX,ESI                              ;  EBX = absolute IAT slot address
0060070E   .  50            PUSH EAX                                 ;  lpLibFileName
0060070F   .  83C7 08       ADD EDI,8                                ;  EDI -> this DLL's function entries
00600712   .  FF96 185D2000 CALL DWORD PTR DS:[ESI+205D18]           ;  00606D18 >778D2864  kernel32.LoadLibraryA
00600718   .  95            XCHG EAX,EBP                             ;  EBP = module handle (EAX now holds the stale EBP, not used)
00600719   >  8A07          MOV AL,BYTE PTR DS:[EDI]                 ;  AL = flag byte of the next function entry
0060071B   .  47            INC EDI
0060071C   .  08C0          OR AL,AL
0060071E   .^ 74 DC         JE SHORT VSClient.006006FC               ;  0 = end of this DLL's entries -> next DLL
00600720   .  89F9          MOV ECX,EDI                              ;  ECX = a large count for the SCASB below
00600722   .  79 07         JNS SHORT VSClient.0060072B              ;  flag bit 7 clear -> import by name; set -> import by ordinal
00600724   .  0FB707        MOVZX EAX,WORD PTR DS:[EDI]              ;  ordinal: EAX = 16-bit ordinal, EDI past it
00600727   .  47            INC EDI
00600728   .  50            PUSH EAX                                 ;  lpProcName = MAKEINTRESOURCE(ordinal)
00600729   .  47            INC EDI
0060072A      B9            DB B9                                    ;  B9 = MOV ECX,imm32: swallows the next 4 bytes (57 48 F2 AE) so the ordinal path lands at 0060072F
0060072B   .  57            PUSH EDI                                 ;  by-name: lpProcName = pointer to the name string
0060072C   .  48            DEC EAX                                  ;  presumably the by-name flag byte is 1, so AL becomes 0 for the scan - confirm against the data
0060072D   .  F2:AE         REPNE SCAS BYTE PTR ES:[EDI]             ;  advance EDI past the NUL-terminated name
0060072F   .  55            PUSH EBP                                 ;  hModule
00600730   .  FF96 1C5D2000 CALL DWORD PTR DS:[ESI+205D1C]           ;  resolver, presumably GetProcAddress(hModule, name-or-ordinal); unlabelled in this dump
00600736   .  09C0          OR EAX,EAX
00600738   .  74 07         JE SHORT VSClient.00600741               ;  NULL -> import could not be resolved: abort
0060073A   .  8903          MOV DWORD PTR DS:[EBX],EAX               ;  write the resolved address into the IAT slot
0060073C   .  83C3 04       ADD EBX,4                                ;  next slot
0060073F   .^ EB D8         JMP SHORT VSClient.00600719
00600741   >  FF96 2C5D2000 CALL DWORD PTR DS:[ESI+205D2C]           ;  00606D2C >76262AEF  kernel32.ExitProcess
;-----------------------------------------------------------------------
; Stage 4: patch the PE header and transfer to the original entry point.
; The header page (ESI - 1000h = image base, size 1000h) is made
; writable, bit 7 of one byte in each of the first two section headers
; is cleared (stride 28h = sizeof(IMAGE_SECTION_HEADER)), the previous
; protection is restored, and control jumps to the OEP at 005029AA with
; the 80h bytes below ESP zeroed.
; Which Characteristics flag bit 7 at header offset 237h maps to depends
; on e_lfanew: if it is the low byte of Characteristics it is
; IMAGE_SCN_CNT_UNINITIALIZED_DATA (80h); if it is the high byte it is
; IMAGE_SCN_MEM_WRITE (80000000h). The original annotation assumes the
; former; verify against the actual header before relying on it.
; Analysis note: the first CALL EBP (VirtualProtect on the header) and
; the final JMP are the usual stopping points when locating the OEP.
;-----------------------------------------------------------------------
00600747   >  8BAE 205D2000 MOV EBP,DWORD PTR DS:[ESI+205D20]        ;  00606D20 >762550AB  kernel32.VirtualProtect
0060074D   .  8DBE 00F0FFFF LEA EDI,DWORD PTR DS:[ESI-1000]          ;  EDI = ESI - 1000h: PE header page (image base)
00600753   .  BB 00100000   MOV EBX,1000                             ;  EBX = 1000h: one page
00600758   .  50            PUSH EAX                                 ;  reserve a stack slot that receives lpflOldProtect
00600759   .  54            PUSH ESP                                 ;  lpflOldProtect = &slot
0060075A   .  6A 04         PUSH 4                                   ;  flNewProtect = 4 = PAGE_READWRITE (PAGE_EXECUTE_READWRITE would be 40h)
0060075C   .  53            PUSH EBX                                 ;  dwSize
0060075D   .  57            PUSH EDI                                 ;  lpAddress
0060075E   .  FFD5          CALL EBP                                 ;  VirtualProtect(header, 1000h, PAGE_READWRITE, &old): make the header writable
00600760   .  8D87 37020000 LEA EAX,DWORD PTR DS:[EDI+237]           ;  EAX -> byte at header offset 237h, inside the first section header
00600766   .  8020 7F       AND BYTE PTR DS:[EAX],7F                 ;  clear bit 7 for section 1 (UPX0); see the block note on which flag this is
00600769   .  8060 28 7F    AND BYTE PTR DS:[EAX+28],7F              ;  same byte of section 2 (UPX1), +28h = one IMAGE_SECTION_HEADER
0060076D   .  58            POP EAX                                  ;  EAX = old protection returned by the first call
0060076E   .  50            PUSH EAX                                 ;  slot for lpflOldProtect again
0060076F   .  54            PUSH ESP                                 ;  lpflOldProtect
00600770   .  50            PUSH EAX                                 ;  flNewProtect = the original header protection
00600771   .  53            PUSH EBX                                 ;  dwSize
00600772   .  57            PUSH EDI                                 ;  lpAddress
00600773   .  FFD5          CALL EBP                                 ;  VirtualProtect(header, 1000h, old, &old): restore
00600775   .  58            POP EAX                                  ;  drop the slot
00600776   .  61            POPAD                                    ;  restore the registers saved by PUSHAD at 006005D0
00600777   .  8D4424 80     LEA EAX,DWORD PTR SS:[ESP-80]            ;  EAX = ESP - 80h: target for the zeroing loop below
0060077B   >  6A 00         PUSH 0                                   ;  push zero dwords until ESP == EAX (20h pushes)
0060077D   .  39C4          CMP ESP,EAX
0060077F   .^ 75 FA         JNZ SHORT VSClient.0060077B
00600781   .  83EC 80       SUB ESP,-80                              ;  ESP += 80h: ESP is back where it was; the 80h bytes below it are now zero
00600784   .- E9 2122F0FF   JMP VSClient.005029AA                    ;  tail jump to the original entry point (OEP)



压缩壳 upx
2010-10-28 05:28
期待看到更精彩的帖。比如可以更深层些研究,静态脱壳等。(论坛精华中有文章参考)
2010-10-30 22:17