关于UPX-Scrambler RC1.x -> ┫nT?L的问题-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

最新回复 (2)
noNaMe-mOnk 雪币： 218 活跃值： (70) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 77 粉丝 0 关注私信	noNaMe-mOnk 2 楼是aspack。受脱 od载入后： 00421001 > 60 PUSHAD 00421002 E8 03000000 CALL QQfree.0042100A F7跟进 00421007 -E9 EB045D45 JMP 459F14F7 0042100C 55 PUSH EBP 0042100D C3 RETN 0042100E E8 01000000 CALL QQfree.00421014 00421013 EB 5D JMP SHORT QQfree.00421072 00421015 BB EDFFFFFF MOV EBX,-13 0042101A 03DD ADD EBX,EBP 0042101C 81EB 00100200 SUB EBX,21000 00421022 83BD 22040000 00 CMP DWORD PTR SS:[EBP+422],0 00421029 899D 22040000 MOV DWORD PTR SS:[EBP+422],EBX 0042102F 0F85 65030000 JNZ QQfree.0042139A 00421035 8D85 2E040000 LEA EAX,DWORD PTR SS:[EBP+42E] 0042103B 50 PUSH EAX 0042103C FF95 4D0F0000 CALL DWORD PTR SS:[EBP+F4D] 00421042 8985 26040000 MOV DWORD PTR SS:[EBP+426],EAX 00421048 8BF8 MOV EDI,EAX 0042104A 8D5D 5E LEA EBX,DWORD PTR SS:[EBP+5E] 0042104D 53 PUSH EBX 0042104E 50 PUSH EAX ****到这里： 0042100A 5D POP EBP ; QQfree.00421007 0042100B 45 INC EBP 0042100C 55 PUSH EBP 0042100D C3 RETN返回 *到这里： 00421008 EB 04 JMP SHORT QQfree.0042100E 0042100A 5D POP EBP 0042100B 45 INC EBP 0042100C 55 PUSH EBP 0042100D C3 RETN 0042100E E8 01000000 CALL QQfree.00421014跳到这里F7跟进这里： 00421014 5D POP EBP ; QQfree.00421013 00421015 BB EDFFFFFF MOV EBX,-13 0042101A 03DD ADD EBX,EBP 0042101C 81EB 00100200 SUB EBX,21000 00421022 83BD 22040000 00 CMP DWORD PTR SS:[EBP+422],0 00421029 899D 22040000 MOV DWORD PTR SS:[EBP+422],EBX 0042102F 0F85 65030000 JNZ QQfree.0042139A 00421035 8D85 2E040000 LEA EAX,DWORD PTR SS:[EBP+42E] 0042103B 50 PUSH EAX 0042103C FF95 4D0F0000 CALL DWORD PTR SS:[EBP+F4D] 00421042 8985 26040000 MOV DWORD PTR SS:[EBP+426],EAX 00421048 8BF8 MOV EDI,EAX 0042104A 8D5D 5E LEA EBX,DWORD PTR SS:[EBP+5E] F8一直往下：到这里 0042138F 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422] 00421395 ^E9 EBFEFFFF JMP QQfree.00421285 0042139A B8 7FEF0100 MOV EAX,1EF7F 0042139F 50 PUSH EAX 004213A0 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422] 004213A6 59 POP ECX 004213A7 0BC9 OR ECX,ECX 004213A9 8985 A8030000 MOV DWORD PTR SS:[EBP+3A8],EAX 004213AF 61 POPAD **看这里 004213B0 75 08 JNZ SHORT QQfree.004213BA 004213B2 B8 01000000 MOV EAX,1 004213B7 C2 0C00 RETN 0C 004213BA 68 00000000 PUSH 0 004213BF C3 RETN****返回到OEP 这里： 0041EF7F 90 NOP**好像是假OEP,继续往下根，好像是upx 0041EF80 61 POPAD 0041EF81 BE 00704100 MOV ESI,QQfree.00417000 0041EF86 8DBE 00A0FEFF LEA EDI,DWORD PTR DS:[ESI+FFFEA000] 0041EF8C 57 PUSH EDI 0041EF8D 83CD FF OR EBP,FFFFFFFF 0041EF90 EB 10 JMP SHORT QQfree.0041EFA2 0041EF92 EB 00 JMP SHORT QQfree.0041EF94 0041EF94 ^EB EA JMP SHORT QQfree.0041EF80 0041EF96 ^EB E8 JMP SHORT QQfree.0041EF80 0041EF98 8A06 MOV AL,BYTE PTR DS:[ESI] 0041EF9A 46 INC ESI 0041EF9B 8807 MOV BYTE PTR DS:[EDI],AL 0041EF9D 47 INC EDI 0041EF9E 01DB ADD EBX,EBX 0041EFA0 75 07 JNZ SHORT QQfree.0041EFA9 0041EFA2 8B1E MOV EBX,DWORD PTR DS:[ESI] 0041EFA4 83EE FC SUB ESI,-4 0041EFA7 11DB ADC EBX,EBX 到这里： 0041F0AE ^74 DC JE SHORT QQfree.0041F08C 0041F0B0 89F9 MOV ECX,EDI 0041F0B2 79 07 JNS SHORT QQfree.0041F0BB 0041F0B4 0FB707 MOVZX EAX,WORD PTR DS:[EDI] 0041F0B7 47 INC EDI 0041F0B8 50 PUSH EAX 0041F0B9 47 INC EDI 0041F0BA B9 5748F2AE MOV ECX,AEF24857 0041F0BF 55 PUSH EBP 0041F0C0 FF96 68F70100 CALL DWORD PTR DS:[ESI+1F768] 0041F0C6 09C0 OR EAX,EAX 0041F0C8 74 07 JE SHORT QQfree.0041F0D1 0041F0CA 8903 MOV DWORD PTR DS:[EBX],EAX 0041F0CC 83C3 04 ADD EBX,4 0041F0CF ^EB D8 JMP SHORT QQfree.0041F0A9 0041F0D1 FF96 6CF70100 CALL DWORD PTR DS:[ESI+1F76C] 0041F0D7 60 PUSHAD 0041F0D8 -E9 C320FEFF JMP QQfree.004011A0********跳到OEP 0041F0DD 0000 ADD BYTE PTR DS:[EAX],AL 0041F0DF 0000 ADD BYTE PTR DS:[EAX],AL 0041F0E1 0000 ADD BYTE PTR DS:[EAX],AL 这里： 004011A0 68 64144000 PUSH QQfree.00401464 004011A5 E8 F0FFFFFF CALL QQfree.0040119A ; JMP to msvbvm60.ThunRTMain 004011AA 0000 ADD BYTE PTR DS:[EAX],AL 004011AC 60 PUSHAD 004011AD 0000 ADD BYTE PTR DS:[EAX],AL 004011AF 0030 ADD BYTE PTR DS:[EAX],DH 004011B1 0000 ADD BYTE PTR DS:[EAX],AL 004011B3 0058 00 ADD BYTE PTR DS:[EAX],BL 004011B6 0000 ADD BYTE PTR DS:[EAX],AL 004011B8 3800 CMP BYTE PTR DS:[EAX],AL 004011BA 0000 ADD BYTE PTR DS:[EAX],AL 004011BC 3F AAS 004011BD E8 1A95C714 CALL 1507A6DC 004011C2 74 44 JE SHORT QQfree.00401208 004011C4 A0 FC800A2E MOV AL,BYTE PTR DS:[2E0A80FC] 004011C9 AF SCAS DWORD PTR ES:[EDI] 004011CA AD LODS DWORD PTR DS:[ESI] 004011CB EB 00 JMP SHORT QQfree.004011CD 004011CD 0000 ADD BYTE PTR DS:[EAX],AL 004011CF 0000 ADD BYTE PTR DS:[EAX],AL 004011D1 0001 ADD BYTE PTR DS:[ECX],AL 004011D3 0000 ADD BYTE PTR DS:[EAX],AL dump,importREC修复。是个两层壳（aspack+upx)，真tmd. 2004-5-28 13:06 0
iceplus 雪币： 227 活跃值： (130) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 96 粉丝 0 关注私信	iceplus 3 楼谢谢 2004-5-29 01:59 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (2)

noNaMe-mOnk

雪币： 218

活跃值： (70)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

粉丝

关注

私信

noNaMe-mOnk: 2 楼

是aspack。受脱
od载入后：

00421001 > 60               PUSHAD
00421002   E8 03000000      CALL QQfree.0042100A  F7跟进
00421007  -E9 EB045D45      JMP 459F14F7
0042100C   55               PUSH EBP
0042100D   C3               RETN
0042100E   E8 01000000      CALL QQfree.00421014
00421013   EB 5D            JMP SHORT QQfree.00421072
00421015   BB EDFFFFFF      MOV EBX,-13
0042101A   03DD             ADD EBX,EBP
0042101C   81EB 00100200    SUB EBX,21000
00421022   83BD 22040000 00 CMP DWORD PTR SS:[EBP+422],0
00421029   899D 22040000    MOV DWORD PTR SS:[EBP+422],EBX
0042102F   0F85 65030000    JNZ QQfree.0042139A
00421035   8D85 2E040000    LEA EAX,DWORD PTR SS:[EBP+42E]
0042103B   50               PUSH EAX
0042103C   FF95 4D0F0000    CALL DWORD PTR SS:[EBP+F4D]
00421042   8985 26040000    MOV DWORD PTR SS:[EBP+426],EAX
00421048   8BF8             MOV EDI,EAX
0042104A   8D5D 5E          LEA EBX,DWORD PTR SS:[EBP+5E]
0042104D   53               PUSH EBX
0042104E   50               PUSH EAX

******到这里：

0042100A   5D               POP EBP                                  ; QQfree.00421007
0042100B   45               INC EBP
0042100C   55               PUSH EBP
0042100D   C3               RETN***返回

****到这里：

00421008   EB 04            JMP SHORT QQfree.0042100E
0042100A   5D               POP EBP
0042100B   45               INC EBP
0042100C   55               PUSH EBP
0042100D   C3               RETN
0042100E   E8 01000000      CALL QQfree.00421014****跳到这里F7跟进

这里：

00421014   5D               POP EBP                                  ; QQfree.00421013
00421015   BB EDFFFFFF      MOV EBX,-13
0042101A   03DD             ADD EBX,EBP
0042101C   81EB 00100200    SUB EBX,21000
00421022   83BD 22040000 00 CMP DWORD PTR SS:[EBP+422],0
00421029   899D 22040000    MOV DWORD PTR SS:[EBP+422],EBX
0042102F   0F85 65030000    JNZ QQfree.0042139A
00421035   8D85 2E040000    LEA EAX,DWORD PTR SS:[EBP+42E]
0042103B   50               PUSH EAX
0042103C   FF95 4D0F0000    CALL DWORD PTR SS:[EBP+F4D]
00421042   8985 26040000    MOV DWORD PTR SS:[EBP+426],EAX
00421048   8BF8             MOV EDI,EAX
0042104A   8D5D 5E          LEA EBX,DWORD PTR SS:[EBP+5E]

F8一直往下：到这里


0042138F   8B95 22040000    MOV EDX,DWORD PTR SS:[EBP+422]
00421395  ^E9 EBFEFFFF      JMP QQfree.00421285
0042139A   B8 7FEF0100      MOV EAX,1EF7F
0042139F   50               PUSH EAX
004213A0   0385 22040000    ADD EAX,DWORD PTR SS:[EBP+422]
004213A6   59               POP ECX
004213A7   0BC9             OR ECX,ECX
004213A9   8985 A8030000    MOV DWORD PTR SS:[EBP+3A8],EAX
004213AF   61               POPAD   ******看这里
004213B0   75 08            JNZ SHORT QQfree.004213BA
004213B2   B8 01000000      MOV EAX,1
004213B7   C2 0C00          RETN 0C
004213BA   68 00000000      PUSH 0
004213BF   C3               RETN********返回到OEP

这里：

0041EF7F   90               NOP******好像是假OEP,继续往下根，好像是upx
0041EF80   61               POPAD
0041EF81   BE 00704100      MOV ESI,QQfree.00417000
0041EF86   8DBE 00A0FEFF    LEA EDI,DWORD PTR DS:[ESI+FFFEA000]
0041EF8C   57               PUSH EDI
0041EF8D   83CD FF          OR EBP,FFFFFFFF
0041EF90   EB 10            JMP SHORT QQfree.0041EFA2
0041EF92   EB 00            JMP SHORT QQfree.0041EF94
0041EF94  ^EB EA            JMP SHORT QQfree.0041EF80
0041EF96  ^EB E8            JMP SHORT QQfree.0041EF80
0041EF98   8A06             MOV AL,BYTE PTR DS:[ESI]
0041EF9A   46               INC ESI
0041EF9B   8807             MOV BYTE PTR DS:[EDI],AL
0041EF9D   47               INC EDI
0041EF9E   01DB             ADD EBX,EBX
0041EFA0   75 07            JNZ SHORT QQfree.0041EFA9
0041EFA2   8B1E             MOV EBX,DWORD PTR DS:[ESI]
0041EFA4   83EE FC          SUB ESI,-4
0041EFA7   11DB             ADC EBX,EBX

到这里：


0041F0AE  ^74 DC            JE SHORT QQfree.0041F08C
0041F0B0   89F9             MOV ECX,EDI
0041F0B2   79 07            JNS SHORT QQfree.0041F0BB
0041F0B4   0FB707           MOVZX EAX,WORD PTR DS:[EDI]
0041F0B7   47               INC EDI
0041F0B8   50               PUSH EAX
0041F0B9   47               INC EDI
0041F0BA   B9 5748F2AE      MOV ECX,AEF24857
0041F0BF   55               PUSH EBP
0041F0C0   FF96 68F70100    CALL DWORD PTR DS:[ESI+1F768]
0041F0C6   09C0             OR EAX,EAX
0041F0C8   74 07            JE SHORT QQfree.0041F0D1
0041F0CA   8903             MOV DWORD PTR DS:[EBX],EAX
0041F0CC   83C3 04          ADD EBX,4
0041F0CF  ^EB D8            JMP SHORT QQfree.0041F0A9
0041F0D1   FF96 6CF70100    CALL DWORD PTR DS:[ESI+1F76C]
0041F0D7   60               PUSHAD
0041F0D8  -E9 C320FEFF      JMP QQfree.004011A0**********跳到OEP
0041F0DD   0000             ADD BYTE PTR DS:[EAX],AL
0041F0DF   0000             ADD BYTE PTR DS:[EAX],AL
0041F0E1   0000             ADD BYTE PTR DS:[EAX],AL

这里：

004011A0   68 64144000      PUSH QQfree.00401464
004011A5   E8 F0FFFFFF      CALL QQfree.0040119A                     ; JMP to msvbvm60.ThunRTMain
004011AA   0000             ADD BYTE PTR DS:[EAX],AL
004011AC   60               PUSHAD
004011AD   0000             ADD BYTE PTR DS:[EAX],AL
004011AF   0030             ADD BYTE PTR DS:[EAX],DH
004011B1   0000             ADD BYTE PTR DS:[EAX],AL
004011B3   0058 00          ADD BYTE PTR DS:[EAX],BL
004011B6   0000             ADD BYTE PTR DS:[EAX],AL
004011B8   3800             CMP BYTE PTR DS:[EAX],AL
004011BA   0000             ADD BYTE PTR DS:[EAX],AL
004011BC   3F               AAS
004011BD   E8 1A95C714      CALL 1507A6DC
004011C2   74 44            JE SHORT QQfree.00401208
004011C4   A0 FC800A2E      MOV AL,BYTE PTR DS:[2E0A80FC]
004011C9   AF               SCAS DWORD PTR ES:[EDI]
004011CA   AD               LODS DWORD PTR DS:[ESI]
004011CB   EB 00            JMP SHORT QQfree.004011CD
004011CD   0000             ADD BYTE PTR DS:[EAX],AL
004011CF   0000             ADD BYTE PTR DS:[EAX],AL
004011D1   0001             ADD BYTE PTR DS:[ECX],AL
004011D3   0000             ADD BYTE PTR DS:[EAX],AL

dump,importREC修复。是个两层壳（aspack+upx)，真tmd.

2004-5-28 13:06

iceplus

雪币： 227

活跃值： (130)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

粉丝

关注

私信

iceplus: 3 楼

谢谢

2004-5-29 01:59