Checked the packer with PEiD:
UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo
Unpacked it by following the articles of those who came before!
008ACA30 > 60 PUSHAD //stops here right after loading;
008ACA31 BE 00307F00 MOV ESI,Ms-snipe.007F3000 //after F8, ESP=0012FFA4, so the ESP law can be applied
008ACA36 8DBE 00E0C0FF LEA EDI,DWORD PTR DS:[ESI+FFC0E000]
008ACA3C 57 PUSH EDI
008ACA3D 83CD FF OR EBP,FFFFFFFF
008ACA40 EB 10 JMP SHORT Ms-snipe.008ACA52
Following the ESP law, type the command hr 0012ffa4 in the command bar, press Enter, then F9 to run;
008ACB93 - E9 6CDBC2FF JMP Ms-snipe.004DA704 //breaks here; the 004DA704 this jumps to is the OEP, press F8 once
008ACB98 B0 CB MOV AL,0CB
008ACB9A 8A00 MOV AL,BYTE PTR DS:[EAX]
008ACB9C C0CB 8A ROR BL,8A ; shift constant out of range 1..31
008ACB9F 0010 ADD BYTE PTR DS:[EAX],DL
008ACBA1 27 DAA
008ACBA2 4F DEC EDI
After F8 we land here
004DA704 55 PUSH EBP //stops here, this is the OEP
004DA705 8BEC MOV EBP,ESP
004DA707 83C4 F0 ADD ESP,-10
004DA70A B8 04A44D00 MOV EAX,Ms-snipe.004DA404
004DA70F E8 20C5F2FF CALL Ms-snipe.00406C34
004DA714 A1 B4114F00 MOV EAX,DWORD PTR DS:[4F11B4]
004DA719 8B00 MOV EAX,DWORD PTR DS:[EAX]
004DA71B E8 5CC4F8FF CALL Ms-snipe.00466B7C
004DA720 A1 B4114F00 MOV EAX,DWORD PTR DS:[4F11B4]
At the OEP, dump with LordPE, then run ImportREC 1.6, select this process, change the OEP to 000DA704, click IAT AutoSearch; all pointers are valid. Fix Dump!
When run it shows: "Program self-check error, please log in to www.***.cn and download the official safe version again"
Loading the unpacked and fixed file in OD gives: "Module 'dumped_' has entry point outside the code (as specified in the PE header). Maybe this file is self-extracting or self-modifying. Please keep it in mind when setting breakpoints!"
Then it asks whether to continue analysis; I chose No! Is the shell not completely removed? Checking with PEiD 0.94 gives Borland Delphi 6.0 - 7.0; FI also says Delphi.
Searched for the text strings, found nothing! I don't know what to do next, hoping someone can help me!
Below is the code after loading the unpacked file:
004DA704 > 55 PUSH EBP
004DA705 8BEC MOV EBP,ESP
004DA707 83C4 F0 ADD ESP,-10
004DA70A B8 04A44D00 MOV EAX,dumped1.004DA404
004DA70F E8 20C5F2FF CALL dumped1.00406C34
004DA714 A1 B4114F00 MOV EAX,DWORD PTR DS:[4F11B4]
004DA719 8B00 MOV EAX,DWORD PTR DS:[EAX]
004DA71B E8 5CC4F8FF CALL dumped1.00466B7C
004DA720 A1 B4114F00 MOV EAX,DWORD PTR DS:[4F11B4]
004DA725 8B00 MOV EAX,DWORD PTR DS:[EAX]
004DA727 BA E0A74D00 MOV EDX,dumped1.004DA7E0
004DA72C E8 57C0F8FF CALL dumped1.00466788
004DA731 68 F0A74D00 PUSH dumped1.004DA7F0
004DA736 6A 00 PUSH 0
004DA738 6A 00 PUSH 0
004DA73A E8 31C6F2FF CALL dumped1.00406D70
004DA73F E8 FCC6F2FF CALL <JMP.&kernel32.GetLastError>
004DA744 3D B7000000 CMP EAX,0B7
004DA749 0F84 84000000 JE dumped1.004DA7D3
004DA74F 8B0D 5C134F00 MOV ECX,DWORD PTR DS:[4F135C] ; dumped1.007EB6F4
004DA755 A1 B4114F00 MOV EAX,DWORD PTR DS:[4F11B4]
004DA75A 8B00 MOV EAX,DWORD PTR DS:[EAX]
004DA75C 8B15 CC704C00 MOV EDX,DWORD PTR DS:[4C70CC] ; dumped1.004C7118
004DA762 E8 2DC4F8FF CALL dumped1.00466B94
004DA767 8B0D BC134F00 MOV ECX,DWORD PTR DS:[4F13BC] ; dumped1.004FCF04
004DA76D A1 B4114F00 MOV EAX,DWORD PTR DS:[4F11B4]
004DA772 8B00 MOV EAX,DWORD PTR DS:[EAX]
004DA774 8B15 F86E4900 MOV EDX,DWORD PTR DS:[496EF8] ; dumped1.00496F44
004DA77A E8 15C4F8FF CALL dumped1.00466B94
004DA77F 8B0D 44104F00 MOV ECX,DWORD PTR DS:[4F1044] ; dumped1.004FCDF0
004DA785 A1 B4114F00 MOV EAX,DWORD PTR DS:[4F11B4]
004DA78A 8B00 MOV EAX,DWORD PTR DS:[EAX]
004DA78C 8B15 60304900 MOV EDX,DWORD PTR DS:[493060] ; dumped1.004930AC
004DA792 E8 FDC3F8FF CALL dumped1.00466B94
004DA797 8B0D DC134F00 MOV ECX,DWORD PTR DS:[4F13DC] ; dumped1.004FCEEC
004DA79D A1 B4114F00 MOV EAX,DWORD PTR DS:[4F11B4]
004DA7A2 8B00 MOV EAX,DWORD PTR DS:[EAX]
004DA7A4 8B15 AC674900 MOV EDX,DWORD PTR DS:[4967AC] ; dumped1.004967F8
004DA7AA E8 E5C3F8FF CALL dumped1.00466B94
004DA7AF 8B0D E4134F00 MOV ECX,DWORD PTR DS:[4F13E4] ; dumped1.007EB6E0
004DA7B5 A1 B4114F00 MOV EAX,DWORD PTR DS:[4F11B4]
004DA7BA 8B00 MOV EAX,DWORD PTR DS:[EAX]
004DA7BC 8B15 E0664C00 MOV EDX,DWORD PTR DS:[4C66E0] ; dumped1.004C672C
004DA7C2 E8 CDC3F8FF CALL dumped1.00466B94
004DA7C7 A1 B4114F00 MOV EAX,DWORD PTR DS:[4F11B4]
004DA7CC 8B00 MOV EAX,DWORD PTR DS:[EAX]
004DA7CE E8 41C4F8FF CALL dumped1.00466C14
004DA7D3 E8 309EF2FF CALL dumped1.00404608
004DA7D8 FFFF ??? ; unknown command
004DA7DA FFFF ??? ; unknown command
004DA7DC 0E PUSH CS
004DA7DD 0000 ADD BYTE PTR DS:[EAX],AL
004DA7DF 00C3 ADD BL,AL
004DA7E1 B0 CF MOV AL,0CF
004DA7E3 D5 D7 AAD 0D7
004DA7E5 E8 BBF75F30 CALL 30AD9FA5
004DA7EA 3339 XOR EDI,DWORD PTR DS:[ECX]
004DA7EC B0 E6 MOV AL,0E6
004DA7EE 0000 ADD BYTE PTR DS:[EAX],AL
004DA7F0 C3 RETN
004DA7F1 B0 CF MOV AL,0CF
004DA7F3 D5 D7 AAD 0D7
004DA7F5 E8 BBF75F30 CALL 30AD9FB5
004DA7FA 3339 XOR EDI,DWORD PTR DS:[ECX]
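Added example (my own script, not something from the poster or the thread): OllyDbg's warning says the entry point lies outside the code range "as specified in the PE header", and a UPX dump is a classic trigger for that. The script below parses a PE32 header with only the standard library, finds which section holds AddressOfEntryPoint, and checks the two header facts that matter: whether the EP falls inside BaseOfCode..BaseOfCode+SizeOfCode, and whether the holding section carries IMAGE_SCN_CNT_CODE. It then patches both so the header describes the OEP section as code. The sample image is a constructed, headers-only PE (no real code inside) with a UPX-style section layout and the EP RVA 0xDA704 from the post; the section sizes, raw offsets and the BaseOfCode value pointing at UPX1 are my assumptions. The "self-check error" message box is a separate problem this does not touch.

```python
import struct

# Section characteristic flags (winnt.h values).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def _headers(data):
    """Return (pe_off, opt_off, sections) for a PE32 image; ValueError on malformed input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]     # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # FileHeader.SizeOfOptionalHeader
    opt_off = pe_off + 24                                     # 4-byte signature + 20-byte file header
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    sections = []
    for i in range(nsec):
        off = opt_off + opt_size + 40 * i                     # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "va": va, "vsize": vsize, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "chars": chars, "hdr_off": off})
    return pe_off, opt_off, sections


def _section_holding(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def entry_point_report(data):
    """Locate AddressOfEntryPoint and say whether the header describes it as code."""
    _, opt_off, sections = _headers(data)
    size_of_code = struct.unpack_from("<I", data, opt_off + 4)[0]
    ep, base_of_code = struct.unpack_from("<II", data, opt_off + 16)   # AddressOfEntryPoint, BaseOfCode
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    holder = _section_holding(sections, ep)
    is_code = bool(holder and holder["chars"] & IMAGE_SCN_CNT_CODE)
    in_range = base_of_code <= ep < base_of_code + size_of_code
    return {"ep_va": image_base + ep, "section": holder["name"] if holder else None,
            "section_is_code": is_code, "in_code_range": in_range, "ok": is_code and in_range}


def mark_entry_section_as_code(data):
    """Copy of the image where BaseOfCode/SizeOfCode cover the EP's section and it is flagged as code."""
    buf = bytearray(data)
    _, opt_off, sections = _headers(buf)
    ep = struct.unpack_from("<I", buf, opt_off + 16)[0]
    s = _section_holding(sections, ep)
    if s is None:
        raise ValueError("entry point is not inside any section")
    struct.pack_into("<I", buf, opt_off + 4, max(s["vsize"], s["raw_size"]))   # SizeOfCode
    struct.pack_into("<I", buf, opt_off + 20, s["va"])                         # BaseOfCode
    struct.pack_into("<I", buf, s["hdr_off"] + 36,
                     s["chars"] | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    return bytes(buf)


def build_sample_dump():
    """Constructed headers-only PE32 mimicking a LordPE dump of a UPX file (assumed layout).
    EP 0xDA704 (from the post, image base 0x400000) sits in UPX0, which UPX marks as
    uninitialized data, while BaseOfCode/SizeOfCode still point at UPX1."""
    secs = [  # name, va, vsize, raw_size, raw_ptr, characteristics
        (b"UPX0", 0x1000, 0x48A000, 0x48A000, 0x400,
         IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b"UPX1", 0x48B000, 0x2000, 0x2000, 0x48A400,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".rsrc", 0x48D000, 0x1000, 0x1000, 0x48C400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)  # i386, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 4, 0x2000)                           # SizeOfCode: UPX1 only
    struct.pack_into("<I", opt, 16, 0xDA704)                         # AddressOfEntryPoint (OEP RVA)
    struct.pack_into("<I", opt, 20, 0x48B000)                        # BaseOfCode: UPX1
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # SectionAlignment, FileAlignment
    tbl = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                   for n, va, vs, rs, rp, ch in secs)
    return bytes(dos) + b"PE\0\0" + file_hdr + opt + tbl


if __name__ == "__main__":
    img = build_sample_dump()
    print("before:", entry_point_report(img))
    print("after: ", entry_point_report(mark_entry_section_as_code(img)))
```

On a real dump you would read the file into `data`, run `entry_point_report` to see which of the two conditions fails, and write `mark_entry_section_as_code(data)` back out; the patch changes header fields only, so the code bytes the debugger shows at 004DA704 stay as they are.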