Od手脱ASPack加壳的ASProtect2.0主程序
ASProtect2.0主程序脱壳
【目 标】:ASProtect2.0主程序
【工 具】:OllyDbg1.10、LordPE、FixResDemo、eXeScope
【操作平台】:Windows XP sp2
【软件简介】:ASPack加壳的ASPROTECT
【加壳方式】:ASPack 2.12b -> Alexey Solodovnikov
【保护方式】:ASPack
【作 者】:神话灵芝
【相关链接】:自己找找哦
【脱壳声明】:新手啦!脱来玩玩,练练手~~
―――――――――――――――――――――――――――――――――
【脱壳过程】:
―――――――――――――――――――――――――――――――――
一、用Od载入程序.
代码:
--------------------------------------------------------------------------------
; OllyDbg trace of the ASPack 2.12 stub entry (Intel syntax; columns: VA, opcode bytes, disassembly).
; "//" lines are the author's stepping notes; ";" text after an instruction is OllyDbg output or a review note.
005CA001 90 nop
005CA002 60 pushad                                   ; save all registers; restored by the popad at 005CA3B0 just before the OEP hand-off
005CA003 E8 03000000 call ASPROTEC.005CA00B          ; call/pop trick: pushes 005CA008 so the stub can learn its own address
//F7 (step into) here, otherwise the program runs off; use F7 for near calls
005CA00B 5D pop ebp; ASPROTEC.005CA008               ; ebp = return address 005CA008
005CA00C 45 inc ebp                                  ; ebp = 005CA009
005CA00D 55 push ebp
005CA00E C3 retn                                     ; "returns" to 005CA009, the byte after the call opcode — a disassembler-confusing jump
.................................................................
; Second call/pop: the stub derives the module load address from its own position and resolves the APIs it needs.
005CA009 /EB 04 jmp short ASPROTEC.005CA00F            ; target of the retn above; 005CA00B..0E are the same pop/inc/push/ret bytes seen before
005CA00B |5D pop ebp
005CA00C |45 inc ebp
005CA00D |55 push ebp
005CA00E |C3 retn
005CA00F \E8 01000000 call ASPROTEC.005CA015           ; pushes 005CA014 and skips one junk byte
//F7 (step into) here, otherwise the program runs off; use F7 for near calls
005CA015 5D pop ebp                                    ; ebp = 005CA014; every [ebp+xxx] below is a data slot inside the stub
005CA016 BB ECFFFFFF mov ebx,-14
005CA01B 03DD add ebx,ebp                              ; ebx = 005CA000 (stub start)
005CA01D 81EB 00A01C00 sub ebx,1CA000                  ; ebx = 00400000, the module load address (OllyDbg shows [ebp+422] = ASPROTEC.00400000 at 005CA258)
005CA023 83BD 22040000 0>cmp dword ptr ss:[ebp+422],0  ; [ebp+422] = saved load address
005CA02A 899D 22040000 mov dword ptr ss:[ebp+422],ebx
005CA030 0F85 65030000 jnz ASPROTEC.005CA39B           ; already initialised -> skip straight to the OEP hand-off
005CA036 8D85 2E040000 lea eax,dword ptr ss:[ebp+42E]  ; pointer into stub data; presumably a module-name string — check the dump
005CA03C 50 push eax
005CA03D FF95 4C0F0000 call dword ptr ss:[ebp+F4C]     ; [ebp+F4C](name) returns a handle; also used at 005CA296 with a fallback to [ebp+F50] — looks like GetModuleHandleA, confirm
005CA043 8985 26040000 mov dword ptr ss:[ebp+426],eax
005CA049 8BF8 mov edi,eax                              ; edi = that handle
005CA04B 8D5D 5E lea ebx,dword ptr ss:[ebp+5E]         ; pointer to a name in stub data (next one at ebp+6B)
005CA04E 53 push ebx
005CA04F 50 push eax
005CA050 FF95 480F0000 call dword ptr ss:[ebp+F48]     ; [ebp+F48](handle, name) resolves an export; GetProcAddress-like — confirm
005CA056 8985 4C050000 mov dword ptr ss:[ebp+4C050000],eax  ; NOTE(review): see next line
005CA05C 8D5D 6B lea ebx,dword ptr ss:[ebp+6B]
005CA05F 53 push ebx
005CA060 57 push edi
005CA061 FF95 480F0000 call dword ptr ss:[ebp+F48]
005CA067 8985 50050000 mov dword ptr ss:[ebp+550],eax  ; [ebp+550] = kernel32.VirtualFree (OllyDbg names it at 005CA198)
005CA06D 8D45 77 lea eax,dword ptr ss:[ebp+77]         ; eax = 005CA08B
005CA070 FFE0 jmp eax; ASPROTEC.005CA08B               ; computed jump over 005CA072..005CA08A, which this trace does not show
.................................................................
; --- Stage 1 (005CA08B): decompress each packed section in place ---
005CA08B 8B9D 30050000 mov ebx,dword ptr ss:[ebp+530]  ; optional pointer; if set, the dword it points to is swapped with [ebp+534] here ...
005CA091 0BDB or ebx,ebx
005CA093 74 0A je short ASPROTEC.005CA09F
005CA095 8B03 mov eax,dword ptr ds:[ebx]
005CA097 8785 34050000 xchg dword ptr ss:[ebp+534],eax
005CA09D 8903 mov dword ptr ds:[ebx],eax               ; ... and swapped back at 005CA1C7; what it guards is not visible in this trace
005CA09F 8DB5 68050000 lea esi,dword ptr ss:[ebp+568]  ; esi -> table of 8-byte entries {section RVA, size}; RVA 0 terminates (see 005CA1A1)
005CA0A5 833E 00 cmp dword ptr ds:[esi],0
005CA0A8 0F84 21010000 je ASPROTEC.005CA1CF            ; nothing to unpack
005CA0AE 6A 04 push 4                                  ; (0, 1800, 1000, 4) = VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE) argument pattern — assumed, [ebp+54C] is not named by the debugger
005CA0B0 68 00100000 push 1000
005CA0B5 68 00180000 push 1800
005CA0BA 6A 00 push 0
005CA0BC FF95 4C050000 call dword ptr ss:[ebp+54C]
005CA0C2 8985 56010000 mov dword ptr ss:[ebp+156],eax  ; [ebp+156] = 0x1800-byte work buffer, released at 005CA1B7
005CA0C8 8B46 04 mov eax,dword ptr ds:[esi+4]          ; section loop head: eax = entry size + 0x10E slack
005CA0CB 05 0E010000 add eax,10E
005CA0D0 6A 04 push 4
005CA0D2 68 00100000 push 1000
005CA0D7 50 push eax
005CA0D8 6A 00 push 0
005CA0DA FF95 4C050000 call dword ptr ss:[ebp+54C]
005CA0E0 8985 52010000 mov dword ptr ss:[ebp+152],eax  ; [ebp+152] = output buffer for this section
005CA0E6 56 push esi                                   ; keep the table cursor across the calls
005CA0E7 8B1E mov ebx,dword ptr ds:[esi]
005CA0E9 039D 22040000 add ebx,dword ptr ss:[ebp+422]  ; ebx = section VA (RVA + load address)
005CA0EF FFB5 56010000 push dword ptr ss:[ebp+156]
005CA0F5 FF76 04 push dword ptr ds:[esi+4]
005CA0F8 50 push eax
005CA0F9 53 push ebx
005CA0FA E8 6D050000 call ASPROTEC.005CA66C            ; (section VA, out buffer, size, work buffer): presumably the decompressor, not in this trace; its eax is reused as the byte count at 005CA16E
005CA0FF B3 00 mov bl,0
005CA101 80FB 00 cmp bl,0
005CA104 75 5E jnz short ASPROTEC.005CA164             ; never taken: bl was just zeroed (dead branch)
005CA106 FE85 EC000000 inc byte ptr ss:[ebp+EC]        ; per-section counter
005CA10C 8B3E mov edi,dword ptr ds:[esi]
005CA10E 03BD 22040000 add edi,dword ptr ss:[ebp+422]  ; edi = section VA
005CA114 FF37 push dword ptr ds:[edi]                  ; save the section's first dword,
005CA116 C607 C3 mov byte ptr ds:[edi],0C3             ; overwrite its first byte with RET (0xC3),
005CA119 FFD7 call edi                                 ; execute that single RET inside the section,
005CA11B 8F07 pop dword ptr ds:[edi]                   ; and restore the dword. Purpose not visible; it does require the section page to be writable and executable
005CA11D 50 push eax
005CA11E 51 push ecx
005CA11F 56 push esi
005CA120 53 push ebx
005CA121 8BC8 mov ecx,eax                              ; ecx = bytes to scan (output length - 6)
005CA123 83E9 06 sub ecx,6
005CA126 8BB5 52010000 mov esi,dword ptr ss:[ebp+152]  ; esi = output buffer
005CA12C 33DB xor ebx,ebx                              ; ebx = current byte offset within the buffer
005CA12E 0BC9 or ecx,ecx                               ; E8/E9 filter: find CALL/JMP rel32 opcodes and rebuild their displacement
005CA130 74 2E je short ASPROTEC.005CA160
005CA132 /78 2C js short ASPROTEC.005CA160              ; ecx <= 0 -> done
005CA134 |AC lods byte ptr ds:[esi]
005CA135 |3C E8 cmp al,0E8                              ; CALL rel32?
005CA137 |74 0A je short ASPROTEC.005CA143
005CA139 |EB 00 jmp short ASPROTEC.005CA13B             ; EB 00 = jump to the next instruction (no-op filler)
005CA13B |3C E9 cmp al,0E9                              ; JMP rel32?
005CA13D |74 04 je short ASPROTEC.005CA143
005CA13F |43 inc ebx                                    ; ordinary byte: advance
005CA140 |49 dec ecx
005CA141 ^|EB EB jmp short ASPROTEC.005CA12E
//backward jump: select the next instruction and F4 (run to cursor)
005CA143 8B06 mov eax,dword ptr ds:[esi]; ASPROTEC.004CC32A   ; eax = the 4 operand bytes after the opcode
005CA145 /EB 00 jmp short ASPROTEC.005CA147             ; no-op filler
005CA147 \803E 2A cmp byte ptr ds:[esi],2A              ; only operands whose first byte is the 0x2A marker get rewritten
005CA14A ^\75 F3 jnz short ASPROTEC.005CA13F            ; otherwise treat the opcode as an ordinary byte
005CA14C 24 00 and al,0                                 ; drop the marker byte
005CA14E C1C0 18 rol eax,18                             ; rotate the remaining 3 bytes into place
005CA151 2BC3 sub eax,ebx                               ; subtract this instruction's offset: stored value -> rel32 displacement
005CA153 8906 mov dword ptr ds:[esi],eax
005CA155 83C3 05 add ebx,5                              ; skip the whole 5-byte instruction
005CA158 83C6 04 add esi,4
005CA15B 83E9 05 sub ecx,5
005CA15E ^ EB CE jmp short ASPROTEC.005CA12E
//backward jump: select the next instruction and F4 (run to cursor)
005CA160 5B pop ebx; ASPROTEC.00401000                  ; ebx = section VA again (first section at 00401000)
005CA161 5E pop esi
005CA162 59 pop ecx
005CA163 58 pop eax                                     ; eax = output byte count
005CA164 /EB 08 jmp short ASPROTEC.005CA16E             ; skips 005CA166..005CA16D (not shown)
005CA16E 8BC8 mov ecx,eax                               ; copy eax bytes from the output buffer into the section: dwords first,
005CA170 8B3E mov edi,dword ptr ds:[esi]
005CA172 03BD 22040000 add edi,dword ptr ss:[ebp+422]
005CA178 8BB5 52010000 mov esi,dword ptr ss:[ebp+152]
005CA17E C1F9 02 sar ecx,2
005CA181 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
//step over with F8
005CA183 8BC8 mov ecx,eax                               ; then the remaining (eax & 3) bytes
005CA185 83E1 03 and ecx,3
005CA188 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
//step over with F8
005CA18A 5E pop esi                                     ; table cursor back
005CA18B 68 00800000 push 8000                          ; VirtualFree(buffer, 0, 8000 = MEM_RELEASE)
005CA190 6A 00 push 0
005CA192 FFB5 52010000 push dword ptr ss:[ebp+152]
005CA198 FF95 50050000 call dword ptr ss:[ebp+550]; kernel32.VirtualFree//F7 or F8, either works
005CA19E 83C6 08 add esi,8                              ; next table entry
005CA1A1 833E 00 cmp dword ptr ds:[esi],0
005CA1A4 ^ 0F85 1EFFFFFF jnz ASPROTEC.005CA0C8          ; loop until RVA 0
//backward jump: select the next instruction and F4 (run to cursor)
005CA1AA 68 00800000 push 8000                          ; release the work buffer
005CA1AF 6A 00 push 0
005CA1B1 FFB5 56010000 push dword ptr ss:[ebp+156]
005CA1B7 FF95 50050000 call dword ptr ss:[ebp+550]
005CA1BD 8B9D 30050000 mov ebx,dword ptr ss:[ebp+530]   ; undo the swap made at 005CA08B
005CA1C3 0BDB or ebx,ebx
005CA1C5 /74 08 je short ASPROTEC.005CA1CF
005CA1C7 |8B03 mov eax,dword ptr ds:[ebx]
005CA1C9 |8785 34050000 xchg dword ptr ss:[ebp+534],eax
; --- Stage 2: relocation check ---
005CA1CF \8B95 22040000 mov edx,dword ptr ss:[ebp+422]
005CA1D5 8B85 2C050000 mov eax,dword ptr ss:[ebp+52C]   ; [ebp+52C]: presumably the preferred ImageBase — confirm in the dump
005CA1DB 2BD0 sub edx,eax                               ; edx = load delta
005CA1DD /74 79 je short ASPROTEC.005CA258              ; delta 0 -> no fixups; 005CA1DF..005CA257 (the relocation path) was not executed and is not shown
; --- Stage 3 (005CA258): 16-bit patch list ---
005CA258 8B95 22040000 mov edx,dword ptr ss:[ebp+422]; ASPROTEC.00400000   ; edx = load address
005CA25E 8BB5 40050000 mov esi,dword ptr ss:[ebp+540]   ; optional list of {dword RVA, word value}; RVA 0 terminates
005CA264 0BF6 or esi,esi
005CA266 /74 11 je short ASPROTEC.005CA279
005CA268 |03F2 add esi,edx
005CA26A |AD lods dword ptr ds:[esi]
005CA26B |0BC0 or eax,eax
005CA26D |74 0A je short ASPROTEC.005CA279
005CA26F |03C2 add eax,edx
005CA271 |8BF8 mov edi,eax
005CA273 |66:AD lods word ptr ds:[esi]
005CA275 |66:AB stos word ptr es:[edi]                  ; write the word at load address + RVA
005CA277 ^|EB F1 jmp short ASPROTEC.005CA26A
; --- Stage 4 (005CA279): resolve imports. esi walks IMAGE_IMPORT_DESCRIPTOR entries (OriginalFirstThunk +0, Name +0xC, FirstThunk +0x10, stride 0x14) ---
005CA279 BE 00801400 mov esi,148000                     ; RVA of the packer's import descriptor table
005CA27E 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
005CA284 03F2 add esi,edx
005CA286 8B46 0C mov eax,dword ptr ds:[esi+C]           ; descriptor loop head: Name RVA
005CA289 85C0 test eax,eax
005CA28B 0F84 0A010000 je ASPROTEC.005CA39B             ; Name 0 -> end of table -> OEP hand-off
005CA291 03C2 add eax,edx
005CA293 8BD8 mov ebx,eax                               ; ebx = DLL name VA
005CA295 50 push eax
005CA296 FF95 4C0F0000 call dword ptr ss:[ebp+F4C]      ; handle of an already-loaded module by name (GetModuleHandleA-like — confirm)
005CA29C 85C0 test eax,eax
005CA29E 75 07 jnz short ASPROTEC.005CA2A7
005CA2A0 53 push ebx
005CA2A1 FF95 500F0000 call dword ptr ss:[ebp+F50]      ; not loaded yet: load it (LoadLibraryA-like — confirm)
005CA2A7 8985 44050000 mov dword ptr ss:[ebp+544],eax; kernel32.77E40000   ; [ebp+544] = module base (kernel32 in this run)
005CA2AD C785 48050000 0>mov dword ptr ss:[ebp+548],0   ; [ebp+548] = thunk index in bytes
005CA2B7 8B95 22040000 mov edx,dword ptr ss:[ebp+422]   ; thunk loop head
005CA2BD 8B06 mov eax,dword ptr ds:[esi]                ; OriginalFirstThunk, or FirstThunk when it is 0
005CA2BF 85C0 test eax,eax
005CA2C1 /75 03 jnz short ASPROTEC.005CA2C6
005CA2C3 |8B46 10 mov eax,dword ptr ds:[esi+10]
005CA2C6 \03C2 add eax,edx
005CA2C8 0385 48050000 add eax,dword ptr ss:[ebp+548]
005CA2CE 8B18 mov ebx,dword ptr ds:[eax]                ; ebx = thunk value (name RVA or ordinal)
005CA2D0 8B7E 10 mov edi,dword ptr ds:[esi+10]
005CA2D3 03FA add edi,edx
005CA2D5 03BD 48050000 add edi,dword ptr ss:[ebp+548]   ; edi = IAT slot to fill
005CA2DB 85DB test ebx,ebx
005CA2DD 0F84 A2000000 je ASPROTEC.005CA385             ; thunk 0 -> this descriptor is finished
005CA2E3 F7C3 00000080 test ebx,80000000                ; IMAGE_ORDINAL_FLAG32 set?
005CA2E9 /75 04 jnz short ASPROTEC.005CA2EF
005CA2EB |03DA add ebx,edx                              ; by name: ebx = VA of IMAGE_IMPORT_BY_NAME; +2 skips the hint word
005CA2ED |43 inc ebx
005CA2EE |43 inc ebx
005CA2EF \53 push ebx
005CA2F0 81E3 FFFFFF7F and ebx,7FFFFFFF                 ; by ordinal: strip the flag (harmless for a user-mode name pointer)
005CA2F6 53 push ebx
005CA2F7 FFB5 44050000 push dword ptr ss:[ebp+544]
005CA2FD FF95 480F0000 call dword ptr ss:[ebp+F48]      ; resolve (module, name-or-ordinal)
005CA303 85C0 test eax,eax
005CA305 5B pop ebx
005CA306 75 6F jnz short ASPROTEC.005CA377              ; resolved; the failure path 005CA308..005CA376 is not shown
005CA377 8907 mov dword ptr ds:[edi],eax; kernel32.GetCurrentThreadId   ; write the resolved address into the IAT slot
005CA379 8385 48050000 0>add dword ptr ss:[ebp+548],4   ; next thunk
005CA380 ^ E9 32FFFFFF jmp ASPROTEC.005CA2B7//F4
005CA385 8906 mov dword ptr ds:[esi],eax                ; descriptor done: its three pointer fields are overwritten with eax (here the address of the terminating thunk),
005CA387 8946 0C mov dword ptr ds:[esi+C],eax           ; so the in-memory import directory is not left intact — if a dump misbehaves, rebuilding its import table is the first thing to check
005CA38A 8946 10 mov dword ptr ds:[esi+10],eax
005CA38D 83C6 14 add esi,14                             ; next descriptor
005CA390 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
005CA396 ^ E9 EBFEFFFF jmp ASPROTEC.005CA286
//backward jump: select the next instruction and F4 (run to cursor)
005CA396 ^\E9 EBFEFFFF jmp ASPROTEC.005CA286             ; same instruction as above, pasted twice in the original post
; --- Stage 5 (005CA39B): hand off to the original entry point ---
005CA39B B8 94210E00 mov eax,0E2194                     ; OEP RVA
005CA3A0 50 push eax
005CA3A1 0385 22040000 add eax,dword ptr ss:[ebp+422]   ; eax = OEP VA = 004E2194
005CA3A7 59 pop ecx
005CA3A8 0BC9 or ecx,ecx                                ; ZF = (OEP RVA == 0)
005CA3AA 8985 A8030000 mov dword ptr ss:[ebp+3A8],eax
005CA3B0 61 popad                                       ; restores the registers saved at 005CA002; popad does not touch EFLAGS, so ZF still comes from `or ecx,ecx`
005CA3B1 75 08 jnz short ASPROTEC.005CA3BB              ; OEP present
005CA3B3 B8 01000000 mov eax,1                          ; no OEP: return TRUE and pop 12 bytes — a DllMain-style exit, presumably for packed DLLs
005CA3B8 C2 0C00 retn 0C
005CA3BB 68 94214E00 push ASPROTEC.004E2194
005CA3C0 C3 retn                                        ; push/ret = jump to the OEP without a jmp opcode
//lands directly at the OEP
.................................................................
004E2194 55 push ebp                                    ; OEP: ordinary frame setup, consistent with the Borland Delphi identification in step 2 below
//dump with OllyDbg's dump plugin here and save as ASPROTECT2.exe (any name will do)
--------------------------------------------------------------------------------
二、用PEiD测为Borland Delphi 4.0 - 5.0;
用FixResDemo.exe打开ASPROTECT2.exe,点Fix Resource,
提示:"Couldn't find extra space to add a section header in PE header!"
不急;
用LordPE选择重建PE,选择ASPROTECT2.exe,重建完成;
再用FixResDemo.exe打开ASPROTECT2.exe,点Fix Resource,
提示:"Resource was fixed successfully."
成功!
三、用eXeScope打开ASPROTECT2,一目了然!完成啦,哇靠!凌晨一点半,该睡觉啦~~