[求助]DBPE 2.33壳的问题-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

[求助]DBPE 2.33壳的问题

发表于: 2014-3-22 12:23 4230

[求助]DBPE 2.33壳的问题

恶毛毛L

2014-3-22 12:23

4230

最近在学习样本分析，遇到一个样本，
这个样本是加了幻影壳的，现在想把它脱下来，
于是就看了forgot大牛的这个帖子

幻影之旅――[DBPE 2.x -> Ding Boy & zer0]流程攻略

http://bbs.pediy.com/showthread.php?t=359

然后我就照着这个帖子用OD一直往下跟，跟到这的时候发现就和forgot讲解的不一样了

0041519A    60              pushad
0041519B    B8 E54B0D5B     mov eax,0x5B0D4BE5
004151A0    3D 134D83D5     cmp eax,0xD5834D13
004151A5    33C0            xor eax,eax
004151A7    55              push ebp
004151A8    5D              pop ebp
004151A9    53              push ebx                                 ; 04-灰鸽?00411B9A
004151AA    33ED            xor ebp,ebp
004151AC    58              pop eax
004151AD    03EA            add ebp,edx                              ; ntdll.KiFastSystemCallRet
004151AF    33C0            xor eax,eax
004151B1    2D FFFFFFFF     sub eax,-0x1
004151B6    B8 D48029BD     mov eax,0xBD2980D4
004151BB    0FA2            cpuid
004151BD    F7C2 00004000   test edx,0x400000
004151C3    74 10           je short 04-灰鸽?004151D5
004151C5    81ED 9F049C21   sub ebp,0x219C049F
004151CB    E9 12020000     jmp 04-灰鸽?004153E2
004151D0    05 A63F6C5A     add eax,0x5A6C3FA6
004151D5    57              push edi                                 ; 04-灰鸽?0043DF89
004151D6    0F67E0          packuswb mm4,mm0
004151D9    5D              pop ebp
004151DA    BD 5AD59AD6     mov ebp,0xD69AD55A
004151DF    0F74D0          pcmpeqb mm2,mm0
004151E2    13E9            adc ebp,ecx
004151E4    0FD8D8          psubusb mm3,mm0
004151E7    0FD9C4          psubusw mm0,mm4
004151EA    35 C97A3949     xor eax,0x49397AC9
004151EF    BD E71A8B7F     mov ebp,0x7F8B1AE7
004151F4    0F62C0          punpckldq mm0,mm0
004151F7    52              push edx                                 ; ntdll.KiFastSystemCallRet
004151F8    58              pop eax
004151F9    81C5 59E07E30   add ebp,0x307EE059
004151FF    E8 06000000     call 04-灰鸽?0041520A
00415204    0D FFFFFFFF     or eax,-0x1
00415209    40              inc eax
0041520A    5F              pop edi                                  ; 04-灰鸽?0043DF89
0041520B    0FDBFA          pand mm7,mm2
0041520E    98              cwde
0041520F    0F62D9          punpckldq mm3,mm1
00415212    0F6FC1          movq mm0,mm1
00415215    B8 3AF2C94F     mov eax,0x4FC9F23A
0041521A    81CD 9A06732A   or ebp,0x2A73069A
00415220    0F6FCB          movq mm1,mm3
00415223    B9 E3A50000     mov ecx,0xA5E3
00415228    33ED            xor ebp,ebp
0041522A    9F              lahf
0041522B    B8 E1A64686     mov eax,0x8646A6E1
00415230    81F5 59D51AB4   xor ebp,0xB41AD559
00415236    81F5 6E3A139D   xor ebp,0x9D133A6E
0041523C    50              push eax
0041523D    5D              pop ebp
0041523E    1D 97992395     sbb eax,0x95239997
00415243    BA D15556F3     mov edx,0xF35655D1
00415248    0F6BCF          packssdw mm1,mm7
0041524B    8DB417 C6AFA90C lea esi,dword ptr ds:[edi+edx+0xCA9AFC6]
00415252    E8 05000000     call 04-灰鸽?0041525C
00415257    E9 02000000     jmp 04-灰鸽?0041525E
0041525C    C3              retn
0041525D    48              dec eax
0041525E    40              inc eax
0041525F    0BEB            or ebp,ebx                               ; 04-灰鸽?00411B9A
00415261    53              push ebx                                 ; 04-灰鸽?00411B9A
00415262    40              inc eax
00415263    58              pop eax
00415264    B8 1E9662AC     mov eax,0xAC62961E
00415269    E8 0A000000     call 04-灰鸽?00415278
0041526E    0D AA840FF3     or eax,0xF30F84AA
00415273    E9 04000000     jmp 04-灰鸽?0041527C
00415278    0FD2FB          psrld mm7,mm3
0041527B    C3              retn
0041527C    33E9            xor ebp,ecx
0041527E    BD 1CAE7413     mov ebp,0x1374AE1C