首页
社区
课程
招聘
关于UPX-Scrambler RC1.x -> ┫nT?L的问题
发表于: 2004-5-27 22:25 5639

关于UPX-Scrambler RC1.x -> ┫nT?L的问题

2004-5-27 22:25
5639
点击下载:附件!
此文件用VB6.0写的.用PEID查出是UPX-Scrambler RC1.x -> ┫nT?L的壳
用upxripper1.3脱壳,失败.用OD载入,手动脱,发现问题,脱壳后,程序不能正常运行,估计是脱壳上出错了,请大家帮忙看一下,并把详细的手动脱壳步骤告知,非常感谢,

[招生]系统0day安全班,企业级设备固件漏洞挖掘,Linux平台漏洞挖掘!

收藏
免费 6
支持
分享
最新回复 (2)
雪    币: 218
活跃值: (70)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
是aspack。受脱
od载入后:
00421001 > 60               PUSHAD
00421002   E8 03000000      CALL QQfree.0042100A  F7跟进
00421007  -E9 EB045D45      JMP 459F14F7
0042100C   55               PUSH EBP
0042100D   C3               RETN
0042100E   E8 01000000      CALL QQfree.00421014
00421013   EB 5D            JMP SHORT QQfree.00421072
00421015   BB EDFFFFFF      MOV EBX,-13
0042101A   03DD             ADD EBX,EBP
0042101C   81EB 00100200    SUB EBX,21000
00421022   83BD 22040000 00 CMP DWORD PTR SS:[EBP+422],0
00421029   899D 22040000    MOV DWORD PTR SS:[EBP+422],EBX
0042102F   0F85 65030000    JNZ QQfree.0042139A
00421035   8D85 2E040000    LEA EAX,DWORD PTR SS:[EBP+42E]
0042103B   50               PUSH EAX
0042103C   FF95 4D0F0000    CALL DWORD PTR SS:[EBP+F4D]
00421042   8985 26040000    MOV DWORD PTR SS:[EBP+426],EAX
00421048   8BF8             MOV EDI,EAX
0042104A   8D5D 5E          LEA EBX,DWORD PTR SS:[EBP+5E]
0042104D   53               PUSH EBX
0042104E   50               PUSH EAX



******到这里:

0042100A   5D               POP EBP                                  ; QQfree.00421007
0042100B   45               INC EBP
0042100C   55               PUSH EBP
0042100D   C3               RETN***返回



****到这里:

00421008   EB 04            JMP SHORT QQfree.0042100E
0042100A   5D               POP EBP
0042100B   45               INC EBP
0042100C   55               PUSH EBP
0042100D   C3               RETN
0042100E   E8 01000000      CALL QQfree.00421014****跳到这里F7跟进



这里:

00421014   5D               POP EBP                                  ; QQfree.00421013
00421015   BB EDFFFFFF      MOV EBX,-13
0042101A   03DD             ADD EBX,EBP
0042101C   81EB 00100200    SUB EBX,21000
00421022   83BD 22040000 00 CMP DWORD PTR SS:[EBP+422],0
00421029   899D 22040000    MOV DWORD PTR SS:[EBP+422],EBX
0042102F   0F85 65030000    JNZ QQfree.0042139A
00421035   8D85 2E040000    LEA EAX,DWORD PTR SS:[EBP+42E]
0042103B   50               PUSH EAX
0042103C   FF95 4D0F0000    CALL DWORD PTR SS:[EBP+F4D]
00421042   8985 26040000    MOV DWORD PTR SS:[EBP+426],EAX
00421048   8BF8             MOV EDI,EAX
0042104A   8D5D 5E          LEA EBX,DWORD PTR SS:[EBP+5E]



F8一直往下:到这里


0042138F   8B95 22040000    MOV EDX,DWORD PTR SS:[EBP+422]
00421395  ^E9 EBFEFFFF      JMP QQfree.00421285
0042139A   B8 7FEF0100      MOV EAX,1EF7F
0042139F   50               PUSH EAX
004213A0   0385 22040000    ADD EAX,DWORD PTR SS:[EBP+422]
004213A6   59               POP ECX
004213A7   0BC9             OR ECX,ECX
004213A9   8985 A8030000    MOV DWORD PTR SS:[EBP+3A8],EAX
004213AF   61               POPAD   ******看这里
004213B0   75 08            JNZ SHORT QQfree.004213BA
004213B2   B8 01000000      MOV EAX,1
004213B7   C2 0C00          RETN 0C
004213BA   68 00000000      PUSH 0
004213BF   C3               RETN********返回到OEP



这里:

0041EF7F   90               NOP******好像是假OEP,继续往下根,好像是upx
0041EF80   61               POPAD
0041EF81   BE 00704100      MOV ESI,QQfree.00417000
0041EF86   8DBE 00A0FEFF    LEA EDI,DWORD PTR DS:[ESI+FFFEA000]
0041EF8C   57               PUSH EDI
0041EF8D   83CD FF          OR EBP,FFFFFFFF
0041EF90   EB 10            JMP SHORT QQfree.0041EFA2
0041EF92   EB 00            JMP SHORT QQfree.0041EF94
0041EF94  ^EB EA            JMP SHORT QQfree.0041EF80
0041EF96  ^EB E8            JMP SHORT QQfree.0041EF80
0041EF98   8A06             MOV AL,BYTE PTR DS:[ESI]
0041EF9A   46               INC ESI
0041EF9B   8807             MOV BYTE PTR DS:[EDI],AL
0041EF9D   47               INC EDI
0041EF9E   01DB             ADD EBX,EBX
0041EFA0   75 07            JNZ SHORT QQfree.0041EFA9
0041EFA2   8B1E             MOV EBX,DWORD PTR DS:[ESI]
0041EFA4   83EE FC          SUB ESI,-4
0041EFA7   11DB             ADC EBX,EBX



到这里:


0041F0AE  ^74 DC            JE SHORT QQfree.0041F08C
0041F0B0   89F9             MOV ECX,EDI
0041F0B2   79 07            JNS SHORT QQfree.0041F0BB
0041F0B4   0FB707           MOVZX EAX,WORD PTR DS:[EDI]
0041F0B7   47               INC EDI
0041F0B8   50               PUSH EAX
0041F0B9   47               INC EDI
0041F0BA   B9 5748F2AE      MOV ECX,AEF24857
0041F0BF   55               PUSH EBP
0041F0C0   FF96 68F70100    CALL DWORD PTR DS:[ESI+1F768]
0041F0C6   09C0             OR EAX,EAX
0041F0C8   74 07            JE SHORT QQfree.0041F0D1
0041F0CA   8903             MOV DWORD PTR DS:[EBX],EAX
0041F0CC   83C3 04          ADD EBX,4
0041F0CF  ^EB D8            JMP SHORT QQfree.0041F0A9
0041F0D1   FF96 6CF70100    CALL DWORD PTR DS:[ESI+1F76C]
0041F0D7   60               PUSHAD
0041F0D8  -E9 C320FEFF      JMP QQfree.004011A0**********跳到OEP
0041F0DD   0000             ADD BYTE PTR DS:[EAX],AL
0041F0DF   0000             ADD BYTE PTR DS:[EAX],AL
0041F0E1   0000             ADD BYTE PTR DS:[EAX],AL



这里:

004011A0   68 64144000      PUSH QQfree.00401464
004011A5   E8 F0FFFFFF      CALL QQfree.0040119A                     ; JMP to msvbvm60.ThunRTMain
004011AA   0000             ADD BYTE PTR DS:[EAX],AL
004011AC   60               PUSHAD
004011AD   0000             ADD BYTE PTR DS:[EAX],AL
004011AF   0030             ADD BYTE PTR DS:[EAX],DH
004011B1   0000             ADD BYTE PTR DS:[EAX],AL
004011B3   0058 00          ADD BYTE PTR DS:[EAX],BL
004011B6   0000             ADD BYTE PTR DS:[EAX],AL
004011B8   3800             CMP BYTE PTR DS:[EAX],AL
004011BA   0000             ADD BYTE PTR DS:[EAX],AL
004011BC   3F               AAS
004011BD   E8 1A95C714      CALL 1507A6DC
004011C2   74 44            JE SHORT QQfree.00401208
004011C4   A0 FC800A2E      MOV AL,BYTE PTR DS:[2E0A80FC]
004011C9   AF               SCAS DWORD PTR ES:[EDI]
004011CA   AD               LODS DWORD PTR DS:[ESI]
004011CB   EB 00            JMP SHORT QQfree.004011CD
004011CD   0000             ADD BYTE PTR DS:[EAX],AL
004011CF   0000             ADD BYTE PTR DS:[EAX],AL
004011D1   0001             ADD BYTE PTR DS:[ECX],AL
004011D3   0000             ADD BYTE PTR DS:[EAX],AL




dump,importREC修复。是个两层壳(aspack+upx),真tmd.

2004-5-28 13:06
0
雪    币: 227
活跃值: (130)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
谢谢
2004-5-29 01:59
0
游客
登录 | 注册 方可回帖
返回
//