[原创]手脱!EP(EXE Pack)1.4-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

[原创]手脱!EP(EXE Pack)1.4

发表于: 2011-4-23 20:26 7456

[原创]手脱!EP(EXE Pack)1.4

leavekwong 活跃值

2011-4-23 20:26

7456

这个壳  好像没有脱壳机可以脱的   linhanshi的一个贴
"2009-07-31, 22:15:58   【转帖】RL!dePacker v1.5 release vs TitanEngine"
http://bbs.pediy.com/showthread.php?t=94764
那个脱壳机虽然有说可以脱  !EP (ExE Pack) 1.x  可是经本人测试,脱不了!EP(EXE Pack)1.4

用peidv0.95 查壳    yoda's Protector v1.02 (.dll,.ocx) -> Ashkbiz Danehkar (h) *

看EP区段显示 .!ep

突然发现peid 查壳很一般了越来越不能相信它了

下面是我的脱壳手记:

用OD载入:
程序入口:          看壳的入口,好像是!EP(EXE Pack)1.4的,就暂且相信它吧
004B3000 >  F8              clc
004B3001    57              push    edi
004B3002    A9 426688BC     test    eax, BC886642
004B3007    5F              pop     edi
004B3008    51              push    ecx
004B3009    66:B9 A7AB      mov     cx, 0ABA7
004B300D    59              pop     ecx
004B300E    81EE 00000000   sub     esi, 0
004B3014    C0C5 60         rol     ch, 60
004B3017    F6C6 74         test    dh, 74
004B301A    0BDB            or      ebx, ebx
004B301C    40              inc     eax
004B301D    48              dec     eax
004B301E    84D2            test    dl, dl
004B3020    50              push    eax
004B3021    E8 56000000     call    UnPackMe.004B307C              在此call F7 否则程序运行了
004B3026    73 22           jnb     short UnPackMe.004B304A
004B3028    F2:             prefix repne:
004B3029    D20C7E          ror     byte ptr ds:[esi+edi*2], cl
004B302C    DED8            ficomp  eax                              ; 非法使用寄存器
004B302E  - 71 B4           jno     short UnPackMe.004B2FE4

F7之后来到

004B307C    58              pop     eax                              ; UnPackMe.004B3026
004B307D    58              pop     eax
004B307E    53              push    ebx
004B307F    53              push    ebx
004B3080    66:83FB E7      cmp     bx, 0FFE7
004B3084    5B              pop     ebx
004B3085    5B              pop     ebx
004B3086    66:83F5 00      xor     bp, 0
004B308A    52              push    edx
004B308B    52              push    edx
004B308C    53              push    ebx
004B308D    66:A9 1435      test    ax, 3514
004B3091    5B              pop     ebx
004B3092    5A              pop     edx
004B3093    5A              pop     edx
004B3094    F9              stc
004B3095    2D 00000000     sub     eax, 0
004B309A    57              push    edi
004B309B    E8 42000000     call    UnPackMe.004B30E2         在此call F7 否则程序运行了
004B30A0    4A              dec     edx
004B30A1    EE              out     dx, al

之后来到

004B30E2    5F              pop     edi                              ; UnPackMe.004B30A0
004B30E3    5F              pop     edi
004B30E4    57              push    edi
004B30E5    52              push    edx
004B30E6    53              push    ebx
004B30E7    51              push    ecx
004B30E8    83C4 04         add     esp, 4
004B30EB    5B              pop     ebx
004B30EC    5A              pop     edx
004B30ED    5F              pop     edi
004B30EE    66:C1C6 B0      rol     si, 0B0
004B30F2    74 05           je      short UnPackMe.004B30F9
004B30F4    74 03           je      short UnPackMe.004B30F9
004B30F6    C1FF 40         sar     edi, 40
004B30F9    F8              clc
004B30FA    F8              clc
004B30FB    53              push    ebx
004B30FC    E8 FB020000     call    UnPackMe.004B33FC          在此call F7 否则程序运行了
004B3101    45              inc     ebp
004B3102    9B              wait
004B3103    BF B0A79629     mov     edi, 2996A7B0

之后一直单步跟踪.......直到

004B3573    5D              pop     ebp
004B3574    83ED 05         sub     ebp, 5
004B3577    8B3424          mov     esi, dword ptr ss:[esp]
004B357A    89F7            mov     edi, esi
004B357C    81E7 00000070   and     edi, 70000000
004B3582    85FF            test    edi, edi
004B3584    0F84 F8020000   je      UnPackMe.004B3882           //注意这行凡是这个都是不跳的.下面还有几个和这行一样的代码.随便一个跳了我们就跳出了1.4版本的防调试.所以我们就让它跳吧,呵呵  这就是1.4版本和1.0版本的最大区别
004B358A    E8 67010000     call    UnPackMe.004B36F6
004B358F    89C7            mov     edi, eax
004B3591    89C3            mov     ebx, eax
004B3593    8D85 36020000   lea     eax, dword ptr ss:[ebp+236]
004B3599    E8 82010000     call    UnPackMe.004B3720
004B359E    85C0            test    eax, eax
004B35A0    0F84 DC020000   je      UnPackMe.004B3882                 //注意这行
004B35A6    89C6            mov     esi, eax
004B35A8    8D9D FE020000   lea     ebx, dword ptr ss:[ebp+2FE]
004B35AE    53              push    ebx
004B35AF    8D9D 45020000   lea     ebx, dword ptr ss:[ebp+245]
004B35B5    53              push    ebx
004B35B6    57              push    edi
004B35B7    FFD6            call    esi
004B35B9    85C0            test    eax, eax
004B35BB    0F84 C1020000   je      UnPackMe.004B3882             //注意这行
004B35C1    FFD0            call    eax
004B35C3    66:85C0         test    ax, ax
004B35C6    0F85 BA010000   jnz     UnPackMe.004B3786
004B35CC    E8 01010000     call    UnPackMe.004B36D2
004B35D1    83F8 05         cmp     eax, 5
004B35D4    0F84 A8020000   je      UnPackMe.004B3882                //注意这行
004B35DA    8D9D FE020000   lea     ebx, dword ptr ss:[ebp+2FE]
004B35E0    53              push    ebx
004B35E1    8D9D 55020000   lea     ebx, dword ptr ss:[ebp+255]
004B35E7    53              push    ebx
004B35E8    57              push    edi
004B35E9    FFD6            call    esi
004B35EB    85C0            test    eax, eax
004B35ED    0F84 8F020000   je      UnPackMe.004B3882                   //注意这行
004B35F3    FFD0            call    eax
004B35F5    66:85C0         test    ax, ax
004B35F8    0F84 C1000000   je      UnPackMe.004B36BF
004B35FE    C785 AA020000 4>mov     dword ptr ss:[ebp+2AA], 44
004B3608    C785 AE020000 0>mov     dword ptr ss:[ebp+2AE], 0
004B3612    C785 B2020000 0>mov     dword ptr ss:[ebp+2B2], 0
004B361C    C785 B6020000 0>mov     dword ptr ss:[ebp+2B6], 0
004B3626    C785 D6020000 0>mov     dword ptr ss:[ebp+2D6], 0
004B3630    C785 DC020000 0>mov     dword ptr ss:[ebp+2DC], 0
004B363A    C785 DE020000 0>mov     dword ptr ss:[ebp+2DE], 0
004B3644    8D9D EE020000   lea     ebx, dword ptr ss:[ebp+2EE]
004B364A    53              push    ebx
004B364B    8D9D AA020000   lea     ebx, dword ptr ss:[ebp+2AA]
004B3651    53              push    ebx
004B3652    6A 00           push    0
004B3654    6A 00           push    0
004B3656    6A 00           push    0
004B3658    6A 00           push    0
004B365A    6A 00           push    0
004B365C    6A 00           push    0
004B365E    8D9D 84020000   lea     ebx, dword ptr ss:[ebp+284]
004B3664    53              push    ebx
004B3665    57              push    edi
004B3666    FFD6            call    esi
004B3668    85C0            test    eax, eax
004B366A    0F84 12020000   je      UnPackMe.004B3882                 //注意这行
004B3670    FFD0            call    eax
004B3672    50              push    eax
004B3673    6A 00           push    0
004B3675    8D9D 75020000   lea     ebx, dword ptr ss:[ebp+275]
004B367B    53              push    ebx
004B367C    57              push    edi
004B367D    FFD6            call    esi
004B367F    85C0            test    eax, eax
004B3681    0F84 FB010000   je      UnPackMe.004B3882               //注意这行  之前的都不跳,这行再不跳的话下面的那个程序就运行了
004B3687    FFD0            call    eax
004B3689    8B9D EE020000   mov     ebx, dword ptr ss:[ebp+2EE]
004B368F    53              push    ebx
004B3690    8D9D 94020000   lea     ebx, dword ptr ss:[ebp+294]
004B3696    53              push    ebx
004B3697    57              push    edi
004B3698    FFD6            call    esi
004B369A    85C0            test    eax, eax
004B369C    0F84 E0010000   je      UnPackMe.004B3882                  //注意这行
004B36A2    FFD0            call    eax
004B36A4    8B9D F2020000   mov     ebx, dword ptr ss:[ebp+2F2]
004B36AA    53              push    ebx
004B36AB    8D9D 94020000   lea     ebx, dword ptr ss:[ebp+294]
004B36B1    53              push    ebx
004B36B2    57              push    edi
004B36B3    FFD6            call    esi
004B36B5    85C0            test    eax, eax
004B36B7    0F84 C5010000   je      UnPackMe.004B3882          //注意这行
004B36BD    FFD0            call    eax
004B36BF    6A 00           push    0
004B36C1    8D9D A0020000   lea     ebx, dword ptr ss:[ebp+2A0]
004B36C7    53              push    ebx
004B36C8    57              push    edi
004B36C9    FFD6            call    esi
004B36CB    85C0            test    eax, eax
004B36CD    74 02           je      short UnPackMe.004B36D1
004B36CF    FFD0            call    eax
004B36D1    C3              retn
004B36D2    64:A1 18000000  mov     eax, dword ptr fs:[18]
004B36D8    8B40 34         mov     eax, dword ptr ds:[eax+34]
004B36DB    C3              retn

004B3584    0F84 F8020000   je      UnPackMe.004B3882
跳了之后来到

004B3882    90              nop
004B3883    E2 4E           loopd   short UnPackMe.004B38D3
004B3885    E3 4C           jecxz   short UnPackMe.004B38D3
004B3887    6A EE           push    -12
004B3889    92              xchg    eax, edx

单步跟踪一下下来到
004B38D3    41              inc     ecx
004B38D4    C1FA 60         sar     edx, 60
004B38D7    57              push    edi
004B38D8    E8 45000000     call    UnPackMe.004B3922      //在这F7进去  否则又飞了呵呵  这个壳也太贼啊
004B38DD    57              push    edi
004B38DE    0F4A0F          cmovpe  ecx, dword ptr ds:[edi]
004B38E1    A8 03           test    al, 3
004B38E3    B2 CC           mov     dl, 0CC
004B38E5    5C              pop     esp
004B38E6    8976 C2         mov     dword ptr ds:[esi-3E], esi
004B38E9    AB              stos    dword ptr es:[edi]

之后来到

004B3983    41              inc     ecx
004B3984    51              push    ecx
004B3985    81E4 FFFFFFFF   and     esp, FFFFFFFF
004B398B    59              pop     ecx
004B398C    51              push    ecx
004B398D    E8 F6000000     call    UnPackMe.004B3A88          //在这F7进去  否则又飞了我突然变得有点不耐烦了
004B3992    53              push    ebx
004B3993    D27F 1B         sar     byte ptr ds:[edi+1B], cl
004B3996    3F              aas
004B3997    A8 50           test    al, 50

之后来到
004B3A88    83C4 04         add     esp, 4
004B3A8B    59              pop     ecx
004B3A8C    31C0            xor     eax, eax
004B3A8E    55              push    ebp
004B3A8F    E8 00000000     call    UnPackMe.004B3A94
004B3A94    830424 34       add     dword ptr ss:[esp], 34
004B3A98    64:FF30         push    dword ptr fs:[eax]
004B3A9B    64:8920         mov     dword ptr fs:[eax], esp
004B3A9E    9C              pushfd
004B3A9F    58              pop     eax
004B3AA0    0D 00010000     or      eax, 100
004B3AA5    6A 00           push    0
004B3AA7    6A FF           push    -1
004B3AA9    6A 00           push    0
004B3AAB    6A 00           push    0
004B3AAD    50              push    eax
004B3AAE    B8 01010000     mov     eax, 101
004B3AB3    89E2            mov     edx, esp
004B3AB5    83C2 04         add     edx, 4
004B3AB8    C74424 FC 0F340>mov     dword ptr ss:[esp-4], 340F
004B3AC0    89E1            mov     ecx, esp
004B3AC2    83E9 04         sub     ecx, 4
004B3AC5    9D              popfd
004B3AC6  - FFE1            jmp     ecx    //F7 或者 F8 都提示错误
004B3AC8    58              pop     eax          //  所以在这个下断  F9
004B3AC9    58              pop     eax
004B3ACA    58              pop     eax
004B3ACB    58              pop     eax
004B3ACC    31C0            xor     eax, eax
004B3ACE    5A              pop     edx
004B3ACF    59              pop     ecx
然后又是单步跟踪.........

004B3D15    68 FF242400     push    2424FF
004B3D1A    E8 00000000     call    UnPackMe.004B3D1F
004B3D1F    830424 0B       add     dword ptr ss:[esp], 0B
004B3D23    89E3            mov     ebx, esp
004B3D25    83C3 04         add     ebx, 4
004B3D28    FFE3            jmp     ebx
004B3D2A    5B              pop     ebx
004B3D2B    5B              pop     ebx
004B3D2C    B8 FF204B00     mov     eax, UnPackMe.004B20FF           ; ASCII "`hT K"
004B3D31    FFE0            jmp     eax              //跳到原程序代码开始解压的地方去了呵呵  所以让他跳吧
004B3D33    51              push    ecx
004B3D34    E8 C3020000     call    UnPackMe.004B3FFC
004B3D39    B6 B7           mov     dh, 0B7
004B3D3B    AB              stos    dword ptr es:[edi]
004B3D3C    74 69           je      short UnPackMe.004B3DA7
004B3D3E    54              push    esp

来到这里
004B20FF    60              pushad                        //让人觉得很熟悉啊   这就是1.0版本的壳的开始啊  呵呵
004B2100    68 54204B00     push    UnPackMe.004B2054              //单步来到这行使用ESP定律
004B2105    B8 48204B00     mov     eax, <&KERNEL32.GetModuleHandleA>
004B210A    FF10            call    dword ptr ds:[eax]
004B210C    68 B3204B00     push    UnPackMe.004B20B3                ; ASCII "GlobalAlloc"
004B2111    50              push    eax
004B2112    B8 44204B00     mov     eax, <&KERNEL32.GetProcAddress>
004B2117    FF10            call    dword ptr ds:[eax]
004B2119    68 004A0900     push    94A00

断下来时候来到
004B229A    BA EC584900     mov     edx, UnPackMe.004958EC
004B229F    FFE2            jmp     edx                //跳向OEP
004B22A1    90              nop
004B22A2    C3              retn
004B22A3    44              inc     esp
004B22A4    0000            add     byte ptr ds:[eax], al
004B22A6    0000            add     byte ptr ds:[eax], al

再单步一下下就来到OEP了
004958EC    55              push    ebp
004958ED    8BEC            mov     ebp, esp
004958EF    83C4 F0         add     esp, -10
004958F2    53              push    ebx
004958F3    B8 84564900     mov     eax, UnPackMe.00495684
004958F8    E8 C712F7FF     call    UnPackMe.00406BC4
004958FD    8B1D D8744900   mov     ebx, dword ptr ds:[4974D8]       ; UnPackMe.00498C34
00495903    8B03            mov     eax, dword ptr ds:[ebx]
00495905    E8 8E19FDFF     call    UnPackMe.00467298
0049590A    8B0D D0744900   mov     ecx, dword ptr ds:[4974D0]       ; UnPackMe.00498D38
00495910    8B03            mov     eax, dword ptr ds:[ebx]
00495912    8B15 D8064900   mov     edx, dword ptr ds:[4906D8]       ; UnPackMe.00490724
00495918    E8 9319FDFF     call    UnPackMe.004672B0
0049591D    8B0D B4724900   mov     ecx, dword ptr ds:[4972B4]       ; UnPackMe.00498D18
00495923    8B03            mov     eax, dword ptr ds:[ebx]
00495925    8B15 74FD4800   mov     edx, dword ptr ds:[48FD74]       ; UnPackMe.0048FDC0

直接dump  不用修复IAT  真开心呵呵
!EP(EXE Pack)1.0版本的壳非常容易脱但是对于1.4版本的时候就有点耐人寻味了.

原程序是用Borland Delphi 6.0 - 7.0

登录后可查看完整内容

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！

上传的附件：

UnPackMe_!EP(EXE Pack)1.4.zip （302.35kb，68次下载）
dump.zip （314.25kb，31次下载）

收藏・1

免费・7

支持

最新回复 (2)
热火朝天雪币： 210 活跃值： (20) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 172 粉丝 0 关注私信	热火朝天 2 楼不错哈，写得好清晰，学习了 2011-4-23 22:27 0
jfztaq 雪币： 200 活跃值： (1240) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 344 粉丝 1 关注私信	jfztaq 3 楼向高手学习一下，谢谢啦 2011-4-26 13:59 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

leavekwong

发帖

215

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (2)
热火朝天雪币： 210 活跃值： (20) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 172 粉丝 0 关注私信	热火朝天 2 楼不错哈，写得好清晰，学习了 2011-4-23 22:27 0
jfztaq 雪币： 200 活跃值： (1240) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 344 粉丝 1 关注私信	jfztaq 3 楼向高手学习一下，谢谢啦 2011-4-26 13:59 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复