After unpacking the UPX shell and dumping, the original program went from 1 MB to 20+ MB. PEiD reports VC8, and running it raises an exception.
0062827B E8 48060000 CALL game.006288C8 (after getting through the UPX shell, execution arrives here)
00628280 ^ E9 DDFCFFFF JMP game.00627F62
00628285 CC INT3
00628286 - FF25 3C036500 JMP DWORD PTR DS:[65033C] ; MSVCR80.strtoul
0062828C - FF25 38036500 JMP DWORD PTR DS:[650338] ; MSVCR80._ismbcalpha
00628292 - FF25 34036500 JMP DWORD PTR DS:[650334] ; MSVCR80._mbschr
00628298 - FF25 30036500 JMP DWORD PTR DS:[650330] ; MSVCR80._mbscspn
0062829E - FF25 2C036500 JMP DWORD PTR DS:[65032C] ; MSVCR80._mbsnbcpy
006282A4 - FF25 28036500 JMP DWORD PTR DS:[650328] ; MSVCR80._mbsspn
006282AA - FF25 24036500 JMP DWORD PTR DS:[650324] ; MSVCR80._mbsnbcmp
006282B0 - FF25 20036500 JMP DWORD PTR DS:[650320] ; MSVCR80.isalpha
006282B6 - FF25 1C036500 JMP DWORD PTR DS:[65031C] ; MSVCR80.tolower
006282BC - FF25 70026500 JMP DWORD PTR DS:[650270] ; MSVCR80.toupper
006282C2 - FF25 74026500 JMP DWORD PTR DS:[650274] ; MSVCR80.isalnum
006282C8 - FF25 78026500 JMP DWORD PTR DS:[650278] ; MSVCR80._vsnprintf
006282CE - FF25 7C026500 JMP DWORD PTR DS:[65027C] ; MSVCR80.strrchr
006282D4 - FF25 80026500 JMP DWORD PTR DS:[650280] ; MSVCR80._mbslwr
006282DA FF7424 10 PUSH DWORD PTR SS:[ESP+10]
006282DE FF7424 10 PUSH DWORD PTR SS:[ESP+10]
006282E2 FF7424 10 PUSH DWORD PTR SS:[ESP+10]
006282E6 FF7424 10 PUSH DWORD PTR SS:[ESP+10]
006282EA 68 AE796200 PUSH game.006279AE ; ASCII ";\r8Yj"
006282EF 68 38596A00 PUSH game.006A5938
006282F4 E8 63060000 CALL game.0062895C ; JMP to MSVCR80._except_handler4_common
006282F9 83C4 18 ADD ESP,18
006282FC C3 RETN
006282FD CC INT3
006282FE - FF25 84026500 JMP DWORD PTR DS:[650284] ; MSVCR80._ctime32
00628304 6A 10 PUSH 10
00628306 68 60F66800 PUSH game.0068F660
0062830B E8 24020000 CALL game.00628534
00628310 33C0 XOR EAX,EAX
00628312 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
00628315 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00628318 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
0062831B 33FF XOR EDI,EDI
0062831D 47 INC EDI
0062831E 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00628321 3B45 10 CMP EAX,DWORD PTR SS:[EBP+10]
00628324 7D 14 JGE SHORT game.0062833A
00628326 57 PUSH EDI
00628327 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
0062832A 8BCE MOV ECX,ESI
0062832C FF55 14 CALL DWORD PTR SS:[EBP+14]
0062832F 0375 0C ADD ESI,DWORD PTR SS:[EBP+C]
00628332 8975 08 MOV DWORD PTR SS:[EBP+8],ESI
00628335 FF45 E4 INC DWORD PTR SS:[EBP-1C]
00628338 ^ EB E4 JMP SHORT game.0062831E
0062833A 897D E0 MOV DWORD PTR SS:[EBP-20],EDI
0062833D C745 FC FEFFFFF>MOV DWORD PTR SS:[EBP-4],-2
00628344 E8 08000000 CALL game.00628351
00628349 E8 2B020000 CALL game.00628579
0062834E C2 1400 RETN 14
00628351 837D E0 00 CMP DWORD PTR SS:[EBP-20],0
00628355 75 11 JNZ SHORT game.00628368
00628357 FF75 18 PUSH DWORD PTR SS:[EBP+18]
0062835A FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
0062835D FF75 0C PUSH DWORD PTR SS:[EBP+C]
00628360 FF75 08 PUSH DWORD PTR SS:[EBP+8]
00628363 E8 15F8FFFF CALL game.00627B7D
00628368 C3 RETN
0062836A - FF25 88026500 JMP DWORD PTR DS:[650288] ; MSVCR80.exit
00628370 - FF25 8C026500 JMP DWORD PTR DS:[65028C] ; MSVCR80._mkdir
00628376 - FF25 90026500 JMP DWORD PTR DS:[650290] ; MSVCR80.strncmp
0062837C - FF25 94026500 JMP DWORD PTR DS:[650294] ; MSVCR80.vsprintf
00628382 - FF25 98026500 JMP DWORD PTR DS:[650298] ; MSVCR80._CIsqrt
00628388 - FF25 9C026500 JMP DWORD PTR DS:[65029C] ; MSVCR80.puts
0062838E - FF25 A0026500 JMP DWORD PTR DS:[6502A0] ; MSVCR80.floor
00628394 6A 10 PUSH 10
00628396 68 80F66800 PUSH game.0068F680
0062839B E8 94010000 CALL game.00628534
006283A0 33C0 XOR EAX,EAX
Pressing F7 to step into the code behind 0062827B E8 48060000 CALL game.006288C8:
006288C8 55 PUSH EBP
006288C9 8BEC MOV EBP,ESP
006288CB 83EC 10 SUB ESP,10
006288CE A1 38596A00 MOV EAX,DWORD PTR DS:[6A5938]
006288D3 8365 F8 00 AND DWORD PTR SS:[EBP-8],0
006288D7 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
006288DB 53 PUSH EBX
006288DC 57 PUSH EDI
006288DD BF 4EE640BB MOV EDI,BB40E64E
006288E2 3BC7 CMP EAX,EDI
006288E4 BB 0000FFFF MOV EBX,FFFF0000
006288E9 74 0D JE SHORT game.006288F8
006288EB 85C3 TEST EBX,EAX
006288ED 74 09 JE SHORT game.006288F8
006288EF F7D0 NOT EAX
006288F1 A3 3C596A00 MOV DWORD PTR DS:[6A593C],EAX
006288F6 EB 60 JMP SHORT game.00628958
006288F8 56 PUSH ESI
006288F9 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
006288FC 50 PUSH EAX
006288FD FF15 44016500 CALL DWORD PTR DS:[650144] ; kernel32.GetSystemTimeAsFileTime
00628903 8B75 FC MOV ESI,DWORD PTR SS:[EBP-4]
00628906 3375 F8 XOR ESI,DWORD PTR SS:[EBP-8]
00628909 FF15 60016500 CALL DWORD PTR DS:[650160] ; kernel32.GetCurrentProcessId
0062890F 33F0 XOR ESI,EAX
00628911 FF15 48016500 CALL DWORD PTR DS:[650148] ; kernel32.GetCurrentThreadId
00628917 33F0 XOR ESI,EAX
00628919 FF15 FC006500 CALL DWORD PTR DS:[6500FC] ; kernel32.GetTickCount
0062891F 33F0 XOR ESI,EAX
00628921 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00628924 50 PUSH EAX
00628925 FF15 4C016500 CALL DWORD PTR DS:[65014C] ; kernel32.QueryPerformanceCounter
0062892B 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0062892E 3345 F0 XOR EAX,DWORD PTR SS:[EBP-10]
00628931 33F0 XOR ESI,EAX
00628933 3BF7 CMP ESI,EDI
00628935 75 07 JNZ SHORT game.0062893E
00628937 BE 4FE640BB MOV ESI,BB40E64F
0062893C EB 0B JMP SHORT game.00628949
0062893E 85F3 TEST EBX,ESI
00628940 75 07 JNZ SHORT game.00628949
00628942 8BC6 MOV EAX,ESI
00628944 C1E0 10 SHL EAX,10
00628947 0BF0 OR ESI,EAX
00628949 8935 38596A00 MOV DWORD PTR DS:[6A5938],ESI
0062894F F7D6 NOT ESI
00628951 8935 3C596A00 MOV DWORD PTR DS:[6A593C],ESI
00628957 5E POP ESI
00628958 5F POP EDI
00628959 5B POP EBX
0062895A C9 LEAVE
0062895B C3 RETN
0062895C - FF25 08036500 JMP DWORD PTR DS:[650308] ; MSVCR80._except_handler4_common
00628962 - FF25 0C036500 JMP DWORD PTR DS:[65030C] ; MSVCR80._crt_debugger_hook
00628968 - FF25 10036500 JMP DWORD PTR DS:[650310] ; MSVCR80.?_type_info_dtor_internal_method@type_info@@QAEXXZ
0062896E - FF25 14036500 JMP DWORD PTR DS:[650314] ; MSVCR80._invoke_watson
00628974 - FF25 18036500 JMP DWORD PTR DS:[650318] ; MSVCR80._controlfp_s
0062897A - FF25 68086500 JMP DWORD PTR DS:[650868] ; engine.??1KIniFile@@QAE@XZ
00628980 - FF25 64086500 JMP DWORD PTR DS:[650864] ; engine.?GetString@KIniFile@@QAEHPBD00PADK@Z
00628986 - FF25 60086500 JMP DWORD PTR DS:[650860] ; engine.?Load@KIniFile@@QAEHPBD@Z
0062898C - FF25 5C086500 JMP DWORD PTR DS:[65085C] ; engine.??0KIniFile@@QAE@XZ
00628992 - FF25 58086500 JMP DWORD PTR DS:[650858] ; engine.?GetInteger@KIniFile@@QAEHPBD0HPAH@Z
00628998 - FF25 54086500 JMP DWORD PTR DS:[650854] ; engine.?printf_t@KSG_LogFile@@QAAXPBDZZ
0062899E - FF25 50086500 JMP DWORD PTR DS:[650850] ; engine.TEncodeText
006289A4 - FF25 4C086500 JMP DWORD PTR DS:[65084C] ; engine.?WriteString@KIniFile@@QAEXPBD00@Z
006289AA - FF25 48086500 JMP DWORD PTR DS:[650848] ; engine.??1KFile@@QAE@XZ
006289B0 - FF25 44086500 JMP DWORD PTR DS:[650844] ; engine.?Close@KFile@@QAEXXZ
006289B6 - FF25 40086500 JMP DWORD PTR DS:[650840] ; engine.?Write@KFile@@QAEKPBXK@Z
006289BC - FF25 3C086500 JMP DWORD PTR DS:[65083C] ; engine.?Create@KFile@@QAEHPBD@Z
006289C2 - FF25 38086500 JMP DWORD PTR DS:[650838] ; engine.??0KFile@@QAE@XZ
006289C8 - FF25 34086500 JMP DWORD PTR DS:[650834] ; engine.?g_HashString2Id@@YAKPBD@Z
006289CE - FF25 30086500 JMP DWORD PTR DS:[650830] ; engine.??0KSG_LogFile@@QAE@PBD@Z
006289D4 - FF25 2C086500 JMP DWORD PTR DS:[65082C] ; engine.??1KSG_LogFile@@UAE@XZ
006289DA - FF25 28086500 JMP DWORD PTR DS:[650828] ; engine.?g_CreatePath@@YAXPBD@Z
006289E0 - FF25 24086500 JMP DWORD PTR DS:[650824] ; engine.?g_GetMainHWnd@@YAPAUHWND__@@XZ
006289E6 - FF25 20086500 JMP DWORD PTR DS:[650820] ; engine.?g_GetFullPath@@YAXPADIPBD@Z
What is going on here? Is there still a packer on it? What method should I use?
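The routine at 006288C8 that the post steps into matches the MSVC CRT's /GS stack-cookie initializer (__security_init_cookie): 0xBB40E64E is the x86 default cookie, 0xFFFF0000 is the high-word test, and the five kernel32 calls are its entropy sources, with the result and its complement stored at 6A5938 / 6A593C. The C model below is an added example, not code from the original post or the game; it takes the entropy values as parameters instead of calling the Windows APIs so it runs anywhere, and the two global slots are modelled as a struct.

```c
#include <stdint.h>

#define DEFAULT_SECURITY_COOKIE 0xBB40E64Eu  /* EDI at 006288DD */
#define HIGH16_MASK             0xFFFF0000u  /* EBX at 006288E4 */

/* Entropy inputs gathered by the original routine (constructed values in tests). */
typedef struct {
    uint32_t ft_low, ft_high;   /* GetSystemTimeAsFileTime -> [EBP-8], [EBP-4] */
    uint32_t pid;               /* GetCurrentProcessId */
    uint32_t tid;               /* GetCurrentThreadId */
    uint32_t tick;              /* GetTickCount */
    uint32_t qpc_low, qpc_high; /* QueryPerformanceCounter -> [EBP-10], [EBP-C] */
} cookie_entropy_t;

/* Models the two globals written at 00628949 / 00628951 (hypothetical names). */
typedef struct {
    uint32_t cookie;            /* [6A5938] */
    uint32_t cookie_complement; /* [6A593C] */
} security_cookie_t;

/* Same decision logic as 006288C8: keep a cookie that is neither the default
   nor has a zero high word; otherwise derive a fresh one from the entropy. */
uint32_t security_init_cookie(uint32_t current, const cookie_entropy_t *e)
{
    if (current != DEFAULT_SECURITY_COOKIE && (current & HIGH16_MASK) != 0)
        return current;                      /* 006288EF: only the complement is refreshed */

    uint32_t cookie = e->ft_high ^ e->ft_low; /* 00628903 / 00628906 */
    cookie ^= e->pid;                         /* 0062890F */
    cookie ^= e->tid;                         /* 00628917 */
    cookie ^= e->tick;                        /* 0062891F */
    cookie ^= e->qpc_high ^ e->qpc_low;       /* 0062892B .. 00628931 */

    if (cookie == DEFAULT_SECURITY_COOKIE)
        cookie = DEFAULT_SECURITY_COOKIE + 1; /* 00628937: BB40E64F */
    else if ((cookie & HIGH16_MASK) == 0)
        cookie |= cookie << 16;               /* 00628942 .. 00628947 */
    return cookie;
}

/* Stores cookie and its NOT, exactly as the routine does before LEAVE/RETN. */
security_cookie_t security_cookie_globals(uint32_t current, const cookie_entropy_t *e)
{
    security_cookie_t g;
    g.cookie = security_init_cookie(current, e);
    g.cookie_complement = ~g.cookie;
    return g;
}
```

Because this is ordinary CRT start-up code rather than packer code, seeing it right after the UPX stub does not by itself indicate a second layer of packing.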