【文章标题】: PESpin 1.33全保护脱壳笔记
【文章作者】: Nerin
【下载地址】: 见附件
【加壳方式】: PESpin
【使用工具】: OllyIce PEID LordPE ImportRec
【操作平台】: Windows XP SP2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
PEID查壳,显示为“PESpin 0.3x - 1.xx -> cyberbob”。双击文件运行,打开任务管理器发现有两个进程,我们脱壳的第一步就是要去掉双进程保护。用OllyIce载入文件,开始我们的脱壳之旅。
单步F7几次之后,发现了我们很熟悉的几条指令:
0041C0D7 60 PUSHAD
0041C0D8 E8 00000000 CALL UnPackMe.0041C0DD
0041C0DD 8B1C24 MOV EBX,DWORD PTR SS:[ESP]
0041C0E0 83C3 12 ADD EBX,12
0041FE1E 8985 6E6E4000 MOV DWORD PTR SS:[EBP+406E6E],EAX
0041FE24 8D85 E2281F03 LEA EAX,DWORD PTR SS:[EBP+31F28E2]
0041FE2A 2D FCCEDE02 SUB EAX,2DECEFC
0041FE2F FF10 CALL DWORD PTR DS:[EAX]
0041FE31 BB CA7DB9FE MOV EBX,FEB97DCA
0041FE36 81EB 137DB9FE SUB EBX,FEB97D13
0041FE3C 3BC3 CMP EAX,EBX
0041FE3E 9C PUSHFD ★走到这里将ZF标志位改成1
0041FE3F C12C24 06 SHR DWORD PTR SS:[ESP],6
0041FE43 F71424 NOT DWORD PTR SS:[ESP]
0041FE46 832424 01 AND DWORD PTR SS:[ESP],1
0041FE4A 58 POP EAX
0041FE4B 2BD2 SUB EDX,EDX
0041FE4D BB BAE74D02 MOV EBX,24DE7BA
0041FE52 81EB 86E74D02 SUB EBX,24DE786
0041FE58 F7E3 MUL EBX
0041FE5A 81CB FE12F40E OR EBX,0EF412FE
0041FE60 8D8428 4E0E91ED LEA EAX,DWORD PTR DS:[EAX+EBP+ED910E4E]
0041FE67 2D 179B50ED SUB EAX,ED509B17
0041FE6C FFE0 JMP EAX ★父子进程的分水岭
0041FE85 F1 INT1
0041FE86 E8 1C030000 CALL UnPackMe.004201A7
0041FE8B 85C0 TEST EAX,EAX
0041FE8D 75 23 JNZ SHORT UnPackMe.0041FEB2
0041FE8F 8BC3 MOV EAX,EBX
0041FE91 35 08001F0E XOR EAX,0E1F0008
0041FE96 C3 RETN
0041C51B B8 4AAC1C95 MOV EAX,951CAC4A ★此处新建EIP
0041C520 2BC9 SUB ECX,ECX
0041C522 83C9 15 OR ECX,15
0041C525 0FA3C8 BT EAX,ECX
0041C528 0F83 81000000 JNB UnPackMe.0041C5AF
004207AD F1 INT1
004207AE 87DF XCHG EDI,EBX
004207B0 57 PUSH EDI
004207B1 C3 RETN
0041D6D4 /EB 04 JMP SHORT UnPackMe.0041D6DA ★新建EIP
0041D6D6 |7A EB JPE SHORT UnPackMe.0041D6C3
0041D6D8 |04 9A ADD AL,9A
0041D6DA ^\EB FB JMP SHORT UnPackMe.0041D6D7
0041D6DC FFF6 PUSH ESI
0041CE25 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0041CE27 8BC6 MOV EAX,ESI
0041CE29 8BF7 MOV ESI,EDI
0041CE2B 5F POP EDI
0041CD64 83FA 12 CMP EDX,12
0041CD67 73 7B JNB SHORT UnPackMe.0041CDE4 ★直接跳过这里的循环
0041CD69 8B18 MOV EBX,DWORD PTR DS:[EAX]
0041CD6B EB 07 JMP SHORT UnPackMe.0041CD74
0041D08D /0F84 92000000 JE UnPackMe.0041D125 ★这里的循环也直接跳
0041D093 |47 INC EDI
0041D094 |EB 01 JMP SHORT UnPackMe.0041D097
0041D1A0 8907 MOV DWORD PTR DS:[EDI],EAX ★这里就是关键了,在这里下一个硬件执行断点
0041D1A2 EB 02 JMP SHORT UnPackMe.0041D1A6
0041D1A4 02F5 ADD DH,CH
0041D1A6 F9 STC
0041D1A7 72 08 JB SHORT UnPackMe.0041D1B1
0041D1A9 73 0E JNB SHORT UnPackMe.0041D1B9
0041D1AB - E9 83042417 JMP 1765D633
0041D1B0 C3 RETN
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)