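PEiD reports ASPack 2.12 -> Alexey Solodovnikov, and the section table contains UPX section names.
After unpacking with an ASPack unpacker, it shows up as UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo. Neither a UPX unpacker nor manual unpacking succeeds. Has anyone run into this and can say how to unpack it? The UPX seems to be a disguise.
Alexey Solodovnikov entry point: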
00422001 > 60 PUSHAD
00422002 E8 03000000 CALL WEIbind.0042200A
00422007 - E9 EB045D45 JMP 459F24F7
0042200C 55 PUSH EBP
0042200D C3 RETN
0042200E E8 01000000 CALL WEIbind.00422014
00422013 EB 5D JMP SHORT WEIbind.00422072
00422015 BB EDFFFFFF MOV EBX,-13
0042201A 03DD ADD EBX,EBP
0042201C 81EB 00200200 SUB EBX,22000
00422022 83BD 22040000 0>CMP DWORD PTR SS:[EBP+422],0
00422029 899D 22040000 MOV DWORD PTR SS:[EBP+422],EBX
0042202F 0F85 65030000 JNZ WEIbind.0042239A
00422035 8D85 2E040000 LEA EAX,DWORD PTR SS:[EBP+42E]
0042203B 50 PUSH EAX
0042203C FF95 4D0F0000 CALL DWORD PTR SS:[EBP+F4D]
00422042 8985 26040000 MOV DWORD PTR SS:[EBP+426],EAX
00422048 8BF8 MOV EDI,EAX
0042204A 8D5D 5E LEA EBX,DWORD PTR SS:[EBP+5E]
0042204D 53 PUSH EBX
0042204E 50 PUSH EAX
0042204F FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]
00422055 8985 4D050000 MOV DWORD PTR SS:[EBP+54D],EAX
0042205B 8D5D 6B LEA EBX,DWORD PTR SS:[EBP+6B]
0042205E 53 PUSH EBX
0042205F 57 PUSH EDI
00422060 FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]
00422066 8985 51050000 MOV DWORD PTR SS:[EBP+551],EAX
UPX entry point:
0041F660 > $ 60 PUSHAD
0041F661 . BE 00D04100 MOV ESI,_UnPacke.0041D000
0041F666 . 8DBE 0040FEFF LEA EDI,DWORD PTR DS:[ESI+FFFE4000]
0041F66C . 57 PUSH EDI
0041F66D . 83CD FF OR EBP,FFFFFFFF
0041F670 . EB 10 JMP SHORT _UnPacke.0041F682
0041F672 90 NOP
0041F673 90 NOP
0041F674 90 NOP
0041F675 90 NOP
0041F676 90 NOP
0041F677 90 NOP
0041F678 > 8A06 MOV AL,BYTE PTR DS:[ESI]
0041F67A . 46 INC ESI
0041F67B . 8807 MOV BYTE PTR DS:[EDI],AL
0041F67D . 47 INC EDI
0041F67E > 01DB ADD EBX,EBX
0041F680 . 75 07 JNZ SHORT _UnPacke.0041F689
0041F682 > 8B1E MOV EBX,DWORD PTR DS:[ESI]
0041F684 . 83EE FC SUB ESI,-4
0041F687 . 11DB ADC EBX,EBX
0041F689 >^ 72 ED JB SHORT _UnPacke.0041F678
0041F68B . B8 01000000 MOV EAX,1
0041F690 > 01DB ADD EBX,EBX
0041F692 . 75 07 JNZ SHORT _UnPacke.0041F69B
0041F694 . 8B1E MOV EBX,DWORD PTR DS:[ESI]
0041F696 . 83EE FC SUB ESI,-4
0041F699 . 11DB ADC EBX,EBX
0041F69B > 11C0 ADC EAX,EAX