【Title】: Unpacking the WinUpack 0.29 beta main program
【Author】: KuNgBiM[DFCG]
【E-mail】: gb_1227@163.com
【Software】: (Win)Upack (ultimate PE packer) Version: 0.29 beta
【Size】: 20.4 KB
【Date compiled】: 2005-07-16
【Developer】: http://dwing.go.nease.net
              http://dwing.51.net
              http://www.dwing.net
【Download】: [local download]
【Description】:
Upack is a packer that can compress Windows PE files, which can then be run without decompressing them manually. It packs all kinds of PE files with the best compression ratio. It's only for compression, not mainly for protection. Upack can only deal with executable files in PE format. DOS EXEs (MZ) and Win3.x EXE/DLLs (NE) can't be packed by Upack.
I didn't test many programs and will go on improving it. This is a beta version. So if it doesn't pack one PE file, try UPX first. If UPX can pack it normally, send the original PE file to me. Remember that it can't pack some weird or self-checking PE files. So you'd better make a backup of your PE file before packing it.
====< Usage >===================================================
Syntax:   Upack <PE-filename> [-switches...]
Switches: -c{0...6}    Set LC param of compression [default:3]
          -f{5...255}  Set FB param of compression [default:128]
          -test        Only show the result
          -red         Preserve extra data
          -set         Strip export table
          -srt         Strip relocation table
          -rlc XXXX    Relocate base address to XXXX (HEX)
          -rai         Reserve all icons (don't compress them)
          -force       Force packing suspicious PE file
Examples: Upack winrar.exe -set
          Upack msvcrt.dll
          Upack notepad.exe -c2 -f32
          Upack winword.exe -c3 -f255 -rlc 400000
          Upack acdsee.exe -c3 -rai
          Upack flash.exe -red -force
          Upack mydll.dll -rlc 60000000
* This version only runs under the Windows command line
* DO NOT pack multiple files at the same time
* Supports "Icon Drag&Drop" and "SendTo"
* Compression result may be affected by memory size
* "-rlc" needs a base relocation table
* "-test" does not modify your original file
【Compiler】: Microsoft Visual C++ 6.0
【Debugging environment】: WinXP, OllyDbg, LordPE, ImportREC
【Date】: 2005-07-17
【Purpose】: study and practice of manual unpacking with OllyDbg
【Author's note】: I am a beginner at cracking and do this purely out of interest, nothing more. If I have made mistakes, I would be grateful for corrections from the experts!
―――――――――――――――――――――――――――――――――
【Unpacking procedure】
1. Set OllyDbg to ignore all exceptions, and use the IsDebug 1.4 plugin to clear OllyDbg's debugger flag. (Upack is a compressor rather than a protector, as its own description above says, and the listings below show no anti-debug check; these precautions are routine habit rather than something this stub demands.)
00401030 >- E9 3A1D0100      jmp Upack.00412D6F            ; OllyDbg stops here after loading: the packed entry point, which jumps into the stub
00401035    42               inc edx
00401036    79 44            jns short Upack.0040107C
00401038    77 69            ja short Upack.004010A3
0040103A    6E               outs dx, byte ptr es:[edi]
0040103B    67:40            inc eax
0040103D    0000             add byte ptr ds:[eax], al
0040103F    0050 45          add byte ptr ds:[eax+45], dl
Everything after the jmp is data, not code: the bytes 42 79 44 77 69 6E 67 40 at 00401035 are the ASCII string "ByDwing@" (the packer author's tag), and 50 45 at 00401040 is "PE". OllyDbg simply disassembles them as nonsense instructions; they are never executed.
2. Getting past the API-breakpoint check
Set a breakpoint with bp GetProcAddress, then F9 to run:
77E5B332 >  55               push ebp                      ; breaks here; watch how the stack window changes at each hit
77E5B333    8BEC             mov ebp, esp
77E5B335    51               push ecx
77E5B336    51               push ecx
77E5B337    53               push ebx
77E5B338    57               push edi
77E5B339    8B7D 0C          mov edi, dword ptr ss:[ebp+C]
77E5B33C    BB FFFF0000      mov ebx, 0FFFF
77E5B341    3BFB             cmp edi, ebx
77E5B343  ^ 0F86 894BFFFF    jbe kernel32.77E4FED2
77E5B349    57               push edi
77E5B34A    8D45 F8          lea eax, dword ptr ss:[ebp-8]
[ebp+8] is hModule and [ebp+C] is lpProcName; the comparison of lpProcName against 0FFFF is how GetProcAddress tells an ordinal from a name pointer, which is why OllyDbg labels that argument ProcNameOrOrdinal in the stack window.
The breakpoint hits 53 times from the stub's own call site (Upack.00412F39); one extra hit, whose caller is 77C05A06 inside the C runtime, is not counted. After the 53rd hit press Alt+F9 to return to the program. The moment is easy to judge, and many experts have pointed it out ^_^
★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77E40000  |hModule = 77E40000 (kernel32)
0012FFC0   0040D011  \ProcNameOrOrdinal = "SetConsoleTextAttribute"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77E40000  |hModule = 77E40000 (kernel32)
0012FFC0   0040D029  \ProcNameOrOrdinal = "GetStdHandle"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77E40000  |hModule = 77E40000 (kernel32)
0012FFC0   0040D036  \ProcNameOrOrdinal = "GlobalMemoryStatus"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77E40000  |hModule = 77E40000 (kernel32)
0012FFC0   0040D049  \ProcNameOrOrdinal = "CloseHandle"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77E40000  |hModule = 77E40000 (kernel32)
0012FFC0   0040D055  \ProcNameOrOrdinal = "GetTempPathA"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77E40000  |hModule = 77E40000 (kernel32)
0012FFC0   0040D062  \ProcNameOrOrdinal = "GetLastError"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77E40000  |hModule = 77E40000 (kernel32)
0012FFC0   0040D06F  \ProcNameOrOrdinal = "CreateEventA"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77E40000  |hModule = 77E40000 (kernel32)
0012FFC0   0040D07C  \ProcNameOrOrdinal = "VirtualAlloc"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77E40000  |hModule = 77E40000 (kernel32)
0012FFC0   0040D089  \ProcNameOrOrdinal = "SetEndOfFile"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77E40000  |hModule = 77E40000 (kernel32)
0012FFC0   0040D096  \ProcNameOrOrdinal = "WriteFile"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77E40000  |hModule = 77E40000 (kernel32)
0012FFC0   0040D0A0  \ProcNameOrOrdinal = "ReadFile"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77E40000  |hModule = 77E40000 (kernel32)
0012FFC0   0040D0A9  \ProcNameOrOrdinal = "SetFilePointer"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77E40000  |hModule = 77E40000 (kernel32)
0012FFC0   0040D0B8  \ProcNameOrOrdinal = "GetFileSize"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77E40000  |hModule = 77E40000 (kernel32)
0012FFC0   0040D0C4  \ProcNameOrOrdinal = "CreateFileA"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77E40000  |hModule = 77E40000 (kernel32)
0012FFC0   0040D0D0  \ProcNameOrOrdinal = "VirtualFree"

0012F7F0   77C05A0C  /CALL to GetProcAddress from 77C05A06   ; this hit comes from inside the C runtime, not from the stub; it is not one of the 53
0012F7F4   77E40000  |hModule = 77E40000 (kernel32)
0012F7F8   77BE3184  \ProcNameOrOrdinal = "InitializeCriticalSectionAndSpinCount"

From here on hModule is 77BE0000, which from the names being resolved (remove, sscanf, __getmainargs, ...) is the C runtime DLL; note that the name pointers continue back to back from 0040D0EC.

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D0EC  \ProcNameOrOrdinal = "remove"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D0F3  \ProcNameOrOrdinal = "sscanf"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D0FA  \ProcNameOrOrdinal = "atoi"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D0FF  \ProcNameOrOrdinal = "__CxxFrameHandler"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D111  \ProcNameOrOrdinal = "malloc"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D118  \ProcNameOrOrdinal = "_CxxThrowException"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D12B  \ProcNameOrOrdinal = "memmove"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D133  \ProcNameOrOrdinal = "_exit"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D139  \ProcNameOrOrdinal = "fwrite"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D140  \ProcNameOrOrdinal = "exit"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D145  \ProcNameOrOrdinal = "__p___initenv"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D153  \ProcNameOrOrdinal = "__getmainargs"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D161  \ProcNameOrOrdinal = "_initterm"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D16B  \ProcNameOrOrdinal = "__setusermatherr"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D17C  \ProcNameOrOrdinal = "_adjust_fdiv"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D189  \ProcNameOrOrdinal = "__p__commode"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D196  \ProcNameOrOrdinal = "__p__fmode"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D1A1  \ProcNameOrOrdinal = "__set_app_type"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D1B0  \ProcNameOrOrdinal = "_except_handler3"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D1C1  \ProcNameOrOrdinal = "??1type_info@@UAE@XZ"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D1D6  \ProcNameOrOrdinal = "_controlfp"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D1E1  \ProcNameOrOrdinal = "free"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D1E6  \ProcNameOrOrdinal = "time"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D1EB  \ProcNameOrOrdinal = "srand"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D1F1  \ProcNameOrOrdinal = "rand"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D1F6  \ProcNameOrOrdinal = "fread"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D1FC  \ProcNameOrOrdinal = "fseek"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D202  \ProcNameOrOrdinal = "calloc"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D209  \ProcNameOrOrdinal = "ftell"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D20F  \ProcNameOrOrdinal = "fopen"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D215  \ProcNameOrOrdinal = "fgetc"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D21B  \ProcNameOrOrdinal = "fputc"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D221  \ProcNameOrOrdinal = "fclose"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D228  \ProcNameOrOrdinal = "printf"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D22F  \ProcNameOrOrdinal = "_XcptFilter"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D23B  \ProcNameOrOrdinal = "_fileno"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D243  \ProcNameOrOrdinal = "_filelength"

0012FFB8   00412F3B  /CALL to GetProcAddress from Upack.00412F39   ; don't hesitate: this (the 53rd stub hit) is the moment to return with Alt+F9. One more F9 and it runs away~
0012FFBC   77BE0000  |hModule = 77BE0000
0012FFC0   0040D24F  \ProcNameOrOrdinal = "_chsize"
★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
00412F3B    AB               stos dword ptr es:[edi]       ; Alt+F9 returns here; from now on single-step with F7
00412F3C  ^ EB E7            jmp short Upack.00412F25      ; let it jump
00412F3E    50               push eax
00412F3F    8B45 08          mov eax, dword ptr ss:[ebp+8]
00412F42    52               push edx
00412F43    C1E8 0B          shr eax, 0B
00412F25    AC               lods byte ptr ds:[esi]        ; lands here; keep stepping with F7
00412F26    84C0             test al, al
00412F28  ^ 75 FB            jnz short Upack.00412F25
00412F2A    3806             cmp byte ptr ds:[esi], al
00412F2C  ^ 74 E7            je short Upack.00412F15       ; about to jump toward the program's own code; this jump must be taken (about 27 F7 presses to get here)
00412F2E    8BC6             mov eax, esi
00412F15    46               inc esi                       ; the 28th F7 lands here; three more F7 presses
00412F16    AD               lods dword ptr ds:[esi]
00412F17    85C0             test eax, eax
00412F19  - 0F84 F077FFFF    je Upack.0040A70F             ; off to the summit: one more F7 takes it
00412F1F    56               push esi
00412F20    97               xchg eax, edi
00412F21    FF53 FC          call dword ptr ds:[ebx-4]
00412F24    95               xchg eax, ebp
What this loop is doing can be read straight off the listing. The lods byte / test al,al / jnz loop at 00412F25 skips over one NUL-terminated name. cmp byte ptr [esi],al then asks whether the next byte is another NUL, i.e. whether this DLL's list of names is finished. If it is not, the name at esi goes to GetProcAddress (the call site at 00412F39) and the returned address is written into the IAT by stos, which also advances edi by four. If it is, je 00412F15 skips the terminator with inc esi and lods dword reads the next IAT pointer; a zero there means the whole list is finished and je Upack.0040A70F goes to the original entry point, otherwise push esi / call [ebx-4] / xchg eax,ebp at 00412F1F..00412F24 evidently loads the next DLL (the string at esi is its name, and the returned module handle is kept in ebp) and the loop resumes. This is why bp GetProcAddress fires exactly once per imported name, and why the name pointers on the stack (0040D011, 0040D029, 0040D036, ...) follow one another back to back.
3. Dumping and repairing the import table
Continuing from above, i.e. right after je Upack.0040A70F: one more F7 lands on the following code:
0040A70F    55               push ebp                      ; the OEP. Here, use LordPE to correct ImageSize, then do a full dump of the process
0040A710    8BEC             mov ebp, esp
0040A712    6A FF            push -1
0040A714    68 58274000      push Upack.00402758
0040A719    68 D2A84000      push Upack.0040A8D2
0040A71E    64:A1 00000000   mov eax, dword ptr fs:[0]
0040A724    50               push eax
0040A725    64:8925 00000000 mov dword ptr fs:[0], esp
0040A72C    83EC 20          sub esp, 20
0040A72F    53               push ebx
0040A730    56               push esi
0040A731    57               push edi
0040A732    8965 E8          mov dword ptr ss:[ebp-18], esp
0040A735    8365 FC 00       and dword ptr ss:[ebp-4], 0
0040A739    6A 01            push 1
0040A73B    FF15 84104000    call dword ptr ds:[401084]
The push -1 / push handler / mov eax,fs:[0] / mov fs:[0],esp / sub esp,20 sequence is the standard SEH frame prologue that Visual C++ 6.0 emits at the start of its runtime entry code, which matches the compiler listed above and is a good sign that 0040A70F really is the original entry point. The call through ds:[401084] is the first use of the rebuilt IAT, so the IAT range starts somewhere around 00401000.
Run ImportREC 1.6 and select this process. Set the OEP to 0000A70F (the RVA: 0040A70F minus the ImageBase 00400000), click IAT AutoSearch, then Get Imports; every function shows as valid. Fix Dump, and the result runs normally!
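The two header facts that step 3 relies on, the corrected SizeOfImage for the dump and the OEP expressed as an RVA for ImportREC, can be checked with a few lines of header parsing. The following is an added example written for this page, not LordPE's or ImportREC's code: it parses a plain PE32 header, recomputes SizeOfImage from the section table (which is what "correct ImageSize" in LordPE amounts to: a too-small value truncates the dump), patches it, converts the OEP VA to an RVA and confirms the RVA falls inside a section. The sample header is constructed inline with the tutorial's numbers (ImageBase 00400000, entry 00401030, OEP 0040A70F); its section names and sizes are invented, and it assumes a standards-shaped header rather than the unusual, overlapped headers some packers write.

```python
import struct

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def parse_pe32(data):
    """Pull out the header fields a dumper cares about (PE32 only)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    size_opt = struct.unpack_from("<H", data, fh + 16)[0]
    oh = fh + 20                                        # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, oh)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    pe = {
        "opt": oh,
        "entry_rva": struct.unpack_from("<I", data, oh + 16)[0],
        "image_base": struct.unpack_from("<I", data, oh + 28)[0],
        "section_alignment": struct.unpack_from("<I", data, oh + 32)[0],
        "size_of_image": struct.unpack_from("<I", data, oh + 56)[0],
        "sections": [],
    }
    for i in range(num_sections):                       # IMAGE_SECTION_HEADER entries
        name, vsize, va, raw = struct.unpack_from("<8sIII", data, oh + size_opt + 40 * i)
        pe["sections"].append((name.rstrip(b"\0").decode(errors="replace"), va, vsize, raw))
    return pe

def correct_size_of_image(pe):
    """SizeOfImage must reach the end of the last section, rounded up to
    SectionAlignment; a dumper copies exactly this many bytes from the process."""
    end = max(va + max(vsize, raw) for _, va, vsize, raw in pe["sections"])
    return align_up(end, pe["section_alignment"])

def patch_size_of_image(data):
    """Return (patched header bytes, old SizeOfImage, new SizeOfImage)."""
    pe = parse_pe32(data)
    new = correct_size_of_image(pe)
    patched = bytearray(data)
    struct.pack_into("<I", patched, pe["opt"] + 56, new)
    return bytes(patched), pe["size_of_image"], new

def oep_rva(oep_va, image_base):
    """ImportREC takes the OEP as an RVA: 0040A70F - 00400000 = 0000A70F."""
    if oep_va < image_base:
        raise ValueError("OEP below ImageBase")
    return oep_va - image_base

def section_containing(pe, rva):
    """Sanity check before Fix Dump: the OEP must lie inside some section."""
    for name, va, vsize, raw in pe["sections"]:
        if va <= rva < va + max(vsize, raw):
            return name
    return None

def build_sample_pe():
    """Constructed PE32 header only (no section bodies).  Numbers mirror the
    tutorial: ImageBase 00400000, entry 00401030, OEP 0040A70F.  SizeOfImage
    is deliberately left at 0x1000 (headers only) so the fix has work to do."""
    sections = [(b"stub", 0x1000, 0x12000, 0x3000),     # name, va, vsize, raw (invented)
                (b".rsrc", 0x13000, 0x800, 0x800)]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1030)                # AddressOfEntryPoint (packer stub)
    struct.pack_into("<I", opt, 28, 0x00400000)            # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                 # FileAlignment
    struct.pack_into("<I", opt, 56, 0x1000)                # SizeOfImage (wrong on purpose)
    struct.pack_into("<I", opt, 60, 0x400)                 # SizeOfHeaders
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rw, 0x400, 0, 0, 0, 0, 0x60000020)
                    for n, va, vs, rw in sections)
    return bytes(dos + nt + opt + hdrs).ljust(0x400, b"\0")

if __name__ == "__main__":
    raw = build_sample_pe()
    fixed, old, new = patch_size_of_image(raw)
    pe = parse_pe32(fixed)
    rva = oep_rva(0x0040A70F, pe["image_base"])
    print(f"SizeOfImage {old:08X} -> {new:08X}; OEP RVA {rva:08X} lies in section {section_containing(pe, rva)!r}")
```

On a real dump, feed parse_pe32 the bytes read from the process (or the dumped file) instead of build_sample_pe(); if section_containing returns None for the OEP RVA, the dump is incomplete or the OEP is wrong, and Fix Dump will produce a file that does not run.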
-----------------------------------------------------------------------------------------
Copyright (C) 2005 KuNgBiM[DFCG]
-----------------------------------------------------------------------------------------
Unpacked by KuNgBiM[DFCG]
2005-07-17 04:54:18 AM