Analyzed it with PEiD and got the following result:
UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]
Loaded it in OllyICE
and reached the entry point:
00416B80 > 60 pushad >> entry point
00416B81 BE 00F04000 mov esi, 0040F000
00416B86 8DBE 0020FFFF lea edi, dword ptr [esi+FFFF2000]
00416B8C 57 push edi
00416B8D 83CD FF or ebp, FFFFFFFF
00416B90 EB 10 jmp short 00416BA2
Pressed Ctrl+F to find popad, set a breakpoint on it with F2, ran with F9, and kept running until the long jump, as follows:
00416CF6 8020 7F and byte ptr [eax], 7F
00416CF9 8060 28 7F and byte ptr [eax+28], 7F
00416CFD 58 pop eax
00416CFE 50 push eax
00416CFF 54 push esp
00416D00 50 push eax
00416D01 53 push ebx
00416D02 57 push edi
00416D03 FFD5 call ebp
00416D05 58 pop eax
00416D06 61 popad > set the breakpoint here and run with F9
00416D07 8D4424 80 lea eax, dword ptr [esp-80]
00416D0B 6A 00 push 0
00416D0D 39C4 cmp esp, eax
00416D0F ^ 75 FA jnz short 00416D0B
00416D11 83EC 80 sub esp, -80
00416D14 - E9 654BFFFF jmp 0040B87E >> long jump
00416D19 0000 add byte ptr [eax], al
00416D1B 0000 add byte ptr [eax], al
00416D1D 0000 add byte ptr [eax], al
00416D1F 0000 add byte ptr [eax], al
00416D21 0000 add byte ptr [eax], al
00416D23 0000 add byte ptr [eax], al
00416D25 0000 add byte ptr [eax], al
00416D27 0000 add byte ptr [eax], al
After the jump, single-stepped to 0040B87E:
0040B87E 6A 70 push 70 >> main program entry? Dumped it directly, choosing method one
0040B880 68 90C34000 push 0040C390
0040B885 E8 06020000 call 0040BA90
0040B88A 33FF xor edi, edi
0040B88C 57 push edi
0040B88D FF15 8CC04000 call dword ptr [40C08C] ; kernel32.GetModuleHandleA
0040B893 66:8138 4D5A cmp word ptr [eax], 5A4D
0040B898 75 1F jnz short 0040B8B9
0040B89A 8B48 3C mov ecx, dword ptr [eax+3C]
0040B89D 03C8 add ecx, eax
0040B89F 8139 50450000 cmp dword ptr [ecx], 4550
0040B8A5 75 12 jnz short 0040B8B9
After getting the result, analyzed it again with PEiD: Microsoft Visual C++ 6.0 - 8.0 *
Then I wanted to modify the resources inside it, so I used Resource Hacker and got the following warning:
This file has a non-standard resource layout...
it has probably been compressed with an "exe compressor"
Did I fail to unpack it?
Looking forward to some pointers! Thanks!
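The "find popad, then follow the long jmp" step from the post can be checked statically as well. The script below is an added example (not code from the post or from any tool it mentions): it scans a byte string transcribed from the OllyDbg listing above, locates the UPX stub tail (popad ... jmp rel32), and recovers the jump target, which should equal the 0040B87E the post single-stepped to. The base address and the byte string are constructed from the listing, not dumped from a file.

```python
import re
import struct

# Bytes transcribed from the listing in the post, starting at 00416CF6
# (constructed from the listing, not dumped from the binary).
STUB_BASE = 0x00416CF6
STUB = bytes.fromhex(
    "80207F"              # and byte ptr [eax], 7F
    "8060287F"            # and byte ptr [eax+28], 7F
    "58 50 54 50 53 57"   # pop eax / push eax / push esp / push eax / push ebx / push edi
    "FFD5"                # call ebp
    "58"                  # pop eax
    "61"                  # popad
    "8D442480"            # lea eax, dword ptr [esp-80]
    "6A00"                # push 0
    "39C4"                # cmp esp, eax
    "75FA"                # jnz short back to the push 0
    "83EC80"              # sub esp, -80
    "E9654BFFFF"          # jmp 0040B87E  (the long jump to the OEP)
    + "0000" * 8          # add byte ptr [eax], al padding
)

# The UPX tail seen in the listing: popad, stack probe loop, then jmp rel32.
# DOTALL so the four displacement bytes may contain 0x0A.
UPX_TAIL = re.compile(
    rb"\x61"                # popad
    rb"\x8d\x44\x24\x80"    # lea eax, [esp-0x80]
    rb"\x6a\x00"            # push 0
    rb"\x39\xc4"            # cmp esp, eax
    rb"\x75\xfa"            # jnz short (loop)
    rb"\x83\xec\x80"        # sub esp, -0x80
    rb"\xe9(.{4})",         # jmp rel32 -> OEP, displacement captured
    re.DOTALL,
)


def find_oep(code: bytes, base: int):
    """Return (popad_va, jmp_va, oep_va), or None if the UPX tail is absent."""
    m = UPX_TAIL.search(code)
    if m is None:
        return None
    popad_va = base + m.start()
    jmp_va = base + m.start(1) - 1              # the E9 opcode byte
    rel = struct.unpack("<i", m.group(1))[0]    # signed 32-bit displacement
    oep_va = (jmp_va + 5 + rel) & 0xFFFFFFFF    # target = next instruction + rel
    return popad_va, jmp_va, oep_va


def looks_like_upx_oep(code: bytes, base: int) -> bool:
    """UPX jumps from the stub (UPX1) backwards into the unpacked code (UPX0),
    so a plausible OEP lies below the popad; use this as a sanity check."""
    found = find_oep(code, base)
    return found is not None and found[2] < found[0]


if __name__ == "__main__":
    popad, jmp, oep = find_oep(STUB, STUB_BASE)
    print(f"popad at {popad:08X}, jmp at {jmp:08X}, OEP = {oep:08X}")
```

The computed OEP matches the post's 0040B87E; the jump target being valid says nothing about whether the dump and import fixing succeeded, which is what the Resource Hacker warning is about.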