[求助]DBPE 2.33壳的问题
发表于: 2014-3-22 12:23 4071

最近在学习样本分析,遇到一个样本,
这个样本是加了幻影壳的,现在想把它脱下来,
于是就看了forgot大牛的这个帖子

幻影之旅――[DBPE 2.x -> Ding Boy & zer0]流程攻略

http://bbs.pediy.com/showthread.php?t=359

然后我就照着这个帖子用OD一直往下跟,跟到这的时候发现就和forgot讲解的不一样了

;-----------------------------------------------------------------------
; OllyDbg listing of a DBPE 2.x stub fragment (as posted, unmodified).
; Columns: address | opcode bytes | instruction | OD annotation.
; The "04-灰鸽?xxxxxxxx" / "ntdll.KiFastSystemCallRet" text on the right
; is OllyDbg's register/module hint at dump time, not part of the code.
;
; Reading only what is shown here, almost every write to eax/ecx/edx/ebp
; is dead (overwritten before it is read).  The values that actually
; survive to the end of the fragment, on the fall-through path of the
; je at 004151C3, are:
;   edi = 0x00415204  return address captured by call 0041520A / pop edi
;   esi = 0x0041579B  lea at 0041524B: edi + 0xF35655D1 + 0x0CA9AFC6 (mod 2^32)
;   eax = 0xFF6F96BE  0xAC62961E | 0xF30F84AA, from the or at 0041526E
;   ecx = 0x0000A5E3  mov at 00415223
;   ebp = 0x1374AE1C  mov at 0041527E
;   ebx, and mm0-mm7, hold whatever cpuid / the MMX ops left; nothing in
;   this fragment reads them for control flow (no visible consumer).
; pushad at entry saves every register; the matching popad is not in
; this fragment.
; If bit 22 of edx is set after cpuid, execution leaves at 004151CB to
; 004153E2 (outside this listing) and the summary above does not apply.
;-----------------------------------------------------------------------
0041519A    60              pushad
; mov/cmp below: cmp's flags are overwritten by xor at 004151A5 -> dead pair
0041519B    B8 E54B0D5B     mov eax,0x5B0D4BE5
004151A0    3D 134D83D5     cmp eax,0xD5834D13
004151A5    33C0            xor eax,eax
; push ebp / pop ebp: no-op
004151A7    55              push ebp
004151A8    5D              pop ebp
; push ebx / pop eax -> eax = ebx, then discarded by xor at 004151AF
004151A9    53              push ebx                                 ; 04-灰鸽?00411B9A
004151AA    33ED            xor ebp,ebp
004151AC    58              pop eax
; ebp = 0 + edx; every later write to ebp before 00415228 is also dead
004151AD    03EA            add ebp,edx                              ; ntdll.KiFastSystemCallRet
004151AF    33C0            xor eax,eax
; eax = 1, immediately replaced by the cpuid leaf below
004151B1    2D FFFFFFFF     sub eax,-0x1
; cpuid leaf 0xBD2980D4 is not a standard leaf; what edx holds afterwards
; depends on the CPU -- confirm in the debugger.  cpuid clobbers eax,ebx,ecx,edx.
004151B6    B8 D48029BD     mov eax,0xBD2980D4
004151BB    0FA2            cpuid
; branch on edx bit 22: clear -> continue at 004151D5; set -> adjust ebp and
; leave the fragment via 004153E2
004151BD    F7C2 00004000   test edx,0x400000
004151C3    74 10           je short 04-灰鸽?004151D5
004151C5    81ED 9F049C21   sub ebp,0x219C049F
004151CB    E9 12020000     jmp 04-灰鸽?004153E2
; 004151D0-004151D4: between the jmp above and the je target -> never executed
004151D0    05 A63F6C5A     add eax,0x5A6C3FA6
; push edi / pop ebp -> ebp = edi, overwritten by the mov right after
004151D5    57              push edi                                 ; 04-灰鸽?0043DF89
004151D6    0F67E0          packuswb mm4,mm0
004151D9    5D              pop ebp
004151DA    BD 5AD59AD6     mov ebp,0xD69AD55A
004151DF    0F74D0          pcmpeqb mm2,mm0
004151E2    13E9            adc ebp,ecx
004151E4    0FD8D8          psubusb mm3,mm0
004151E7    0FD9C4          psubusw mm0,mm4
; eax (cpuid output) ^ 0x49397AC9 -- overwritten at 004151F8, dead
004151EA    35 C97A3949     xor eax,0x49397AC9
004151EF    BD E71A8B7F     mov ebp,0x7F8B1AE7
004151F4    0F62C0          punpckldq mm0,mm0
; push edx / pop eax -> eax = edx
004151F7    52              push edx                                 ; ntdll.KiFastSystemCallRet
004151F8    58              pop eax
004151F9    81C5 59E07E30   add ebp,0x307EE059
; call pushes 00415204 and lands on the pop edi at 0041520A:
; edi = 0x00415204 (the stub learning its own load address).
; The two instructions at 00415204/00415209 are skipped by the call target
; and are never executed.
004151FF    E8 06000000     call 04-灰鸽?0041520A
00415204    0D FFFFFFFF     or eax,-0x1
00415209    40              inc eax
0041520A    5F              pop edi                                  ; 04-灰鸽?0043DF89
0041520B    0FDBFA          pand mm7,mm2
; cwde sign-extends ax into eax; result replaced at 00415215
0041520E    98              cwde
0041520F    0F62D9          punpckldq mm3,mm1
00415212    0F6FC1          movq mm0,mm1
00415215    B8 3AF2C94F     mov eax,0x4FC9F23A
0041521A    81CD 9A06732A   or ebp,0x2A73069A
00415220    0F6FCB          movq mm1,mm3
; ecx = 0xA5E3; this value is still live at 0041527C (xor ebp,ecx)
00415223    B9 E3A50000     mov ecx,0xA5E3
; ebp zeroed here: everything done to ebp above was dead
00415228    33ED            xor ebp,ebp
; lahf loads flags into ah, then the whole of eax is replaced -> dead
0041522A    9F              lahf
0041522B    B8 E1A64686     mov eax,0x8646A6E1
00415230    81F5 59D51AB4   xor ebp,0xB41AD559
00415236    81F5 6E3A139D   xor ebp,0x9D133A6E
; push eax / pop ebp -> ebp = 0x8646A6E1 (the xors above are dead)
0041523C    50              push eax
0041523D    5D              pop ebp
0041523E    1D 97992395     sbb eax,0x95239997
; edx is set here before the lea, so OD's "KiFastSystemCallRet" hint is stale
00415243    BA D15556F3     mov edx,0xF35655D1
00415248    0F6BCF          packssdw mm1,mm7
; esi = edi + edx + 0x0CA9AFC6 = 0x00415204 + 0xF35655D1 + 0x0CA9AFC6
;     = 0x0041579B (32-bit wrap) -- just past this fragment; presumably the
; next stage of the stub, verify in the debugger.
0041524B    8DB417 C6AFA90C lea esi,dword ptr ds:[edi+edx+0xCA9AFC6]
; call -> retn -> jmp trampoline: the call pushes 00415257, 0041525C is a
; bare retn that returns there, and the jmp skips the dec at 0041525D.
; Net effect of 00415252..0041525E is only the inc eax at 0041525E.
; The never-executed dec/retn bytes are presumably what confuses a
; linear-sweep junk-removal plugin.
00415252    E8 05000000     call 04-灰鸽?0041525C
00415257    E9 02000000     jmp 04-灰鸽?0041525E
0041525C    C3              retn
0041525D    48              dec eax
0041525E    40              inc eax
0041525F    0BEB            or ebp,ebx                               ; 04-灰鸽?00411B9A
; push ebx / inc eax / pop eax -> eax = ebx, then replaced at 00415264
00415261    53              push ebx                                 ; 04-灰鸽?00411B9A
00415262    40              inc eax
00415263    58              pop eax
00415264    B8 1E9662AC     mov eax,0xAC62961E
; same trampoline shape: call pushes 0041526E, 00415278 does one MMX op and
; returns to 0041526E; the jmp at 00415273 then skips the psrld/retn bytes
00415269    E8 0A000000     call 04-灰鸽?00415278
; eax = 0xAC62961E | 0xF30F84AA = 0xFF6F96BE
0041526E    0D AA840FF3     or eax,0xF30F84AA
00415273    E9 04000000     jmp 04-灰鸽?0041527C
00415278    0FD2FB          psrld mm7,mm3
0041527B    C3              retn
; ebp ^= ecx, then immediately overwritten -> dead; ebp = 0x1374AE1C on exit
0041527C    33E9            xor ebp,ecx
0041527E    BD 1CAE7413     mov ebp,0x1374AE1C

在forgot的原贴里 这应该是part3的部分  
但是我发现这里用去除花指令的插件也去不掉 
我也不知道这算不算花指令
但是 call、jmp、ret 三个指令来回跳,而且用得很多
其他代码看起来也不像是正常代码
我想问问 这样的问题怎么解决呢?
求各位大牛指点指点,谢谢了

