PE packer detection says it is UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo!
Next, load it in OD (OllyDbg):
004D7470 > 60 PUSHAD
004D7471 BE 00E04600 MOV ESI,121.0046E000
004D7476 8DBE 0030F9FF LEA EDI,DWORD PTR DS:[ESI+FFF93000]
004D747C 57 PUSH EDI
004D747D 83CD FF OR EBP,FFFFFFFF
004D7480 EB 10 JMP SHORT 121.004D7492
004D7482 90 NOP
004D7483 90 NOP
004D7484 90 NOP
004D7485 90 NOP
004D7486 90 NOP
004D7487 90 NOP
004D7488 8A06 MOV AL,BYTE PTR DS:[ESI]
.......................................
Then CTRL+F to search for popad
004D7616 61 POPAD   F8 to continue
004D7617 8D4424 80 LEA EAX,DWORD PTR SS:[ESP-80]
004D761B 6A 00 PUSH 0
004D761D 39C4 CMP ESP,EAX
004D761F ^ 75 FA JNZ SHORT 121.004D761B
004D7621 83EC 80 SUB ESP,-80   breakpoint
004D7624 - E9 0134F6FF JMP Damuzhi1.0043AA2A   F8 to continue
004D7629 0000 ADD BYTE PTR DS:[EAX],AL
.......................................
Then we arrive at
0043AA2A E8 89B70000 CALL Damuzhi1.004461B8   dump here
0043AA2F ^ E9 16FEFFFF JMP Damuzhi1.0043A84A
0043AA34 55 PUSH EBP
0043AA35 8BEC MOV EBP,ESP
0043AA37 51 PUSH ECX
0043AA38 53 PUSH EBX
0043AA39 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0043AA3C 83C0 0C ADD EAX,0C
0043AA3F 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
But unexpectedly, after going through all this it still did no good! It is still the same: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
I also single-stepped through it, and still the same, no effect at all! Experts, please help.
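Added example (not part of the original post, and not the poster's code): a small Python triage helper that recognises the UPX 0.89-1.24 entry stub shown in the listing above (PUSHAD; MOV ESI,imm32; LEA EDI,[ESI+disp32]; PUSH EDI; OR EBP,-1) and decodes where the stub copies from and to. The sample bytes are copied from the listing in the post; the function names and the negative sample are my own. It also computes the stack address the ESP trick watches: PUSHAD pushes eight registers, so a hardware breakpoint on ESP-0x20 fires at the matching POPAD, which is the step the post performs by searching for POPAD manually.

```python
import struct

# Constructed sample input: the entry-point bytes exactly as they appear in the
# OllyDbg listing in the post.
UPX_ENTRY_BYTES = bytes.fromhex(
    "60"             # PUSHAD
    "BE00E04600"     # MOV ESI, 0x0046E000  (source: the compressed data)
    "8DBE0030F9FF"   # LEA EDI, [ESI+0xFFF93000]  (destination: where code is unpacked)
    "57"             # PUSH EDI
    "83CDFF"         # OR EBP, 0xFFFFFFFF
    "EB10"           # JMP SHORT over the NOP sled
)

# Constructed negative sample: an ordinary function prologue, not a packer stub
# (taken from the PUSH EBP / MOV EBP,ESP / PUSH ECX / PUSH EBX lines in the post).
PLAIN_PROLOGUE = bytes.fromhex("55 8BEC 51 53 8B450C")


def parse_upx_stub(code):
    """Recognise the classic UPX 0.89-1.24 entry stub.

    Returns a dict with the decoded source (ESI) and destination (EDI)
    addresses, or None when `code` does not start with that stub.
    """
    if len(code) < 16:
        return None
    # PUSHAD ; MOV ESI, imm32
    if code[0] != 0x60 or code[1] != 0xBE:
        return None
    esi = struct.unpack_from("<I", code, 2)[0]
    # LEA EDI, [ESI+disp32]  (disp32 is sign-extended, so read it as signed)
    if code[6:8] != b"\x8d\xbe":
        return None
    disp = struct.unpack_from("<i", code, 8)[0]
    # PUSH EDI ; OR EBP, -1
    if code[12:16] != b"\x57\x83\xcd\xff":
        return None
    edi = (esi + disp) & 0xFFFFFFFF
    return {"src": esi, "dst": edi, "disp": disp}


def esp_watch_address(esp_at_entry):
    """Address for the ESP-trick hardware breakpoint.

    PUSHAD stores EAX..EDI (8 dwords, 0x20 bytes); POPAD reads that block
    back, so a hardware access breakpoint on ESP-0x20 stops at POPAD.
    """
    return (esp_at_entry - 0x20) & 0xFFFFFFFF


def describe(code):
    """Human-readable triage summary for a block of entry-point bytes."""
    r = parse_upx_stub(code)
    if r is None:
        return "no UPX 0.89-1.24 entry stub at this address"
    return ("UPX stub: copies from 0x%08X to 0x%08X (disp %+d)"
            % (r["src"], r["dst"], r["disp"]))


if __name__ == "__main__":
    print(describe(UPX_ENTRY_BYTES))
    print(describe(PLAIN_PROLOGUE))
    print("hw breakpoint for ESP=0x0012FFC4 at 0x%08X" % esp_watch_address(0x0012FFC4))
```

For the bytes in the post the decoded destination is 0x00401000, i.e. image base + 0x1000, the first section of the original program, which is where the dumped OEP region in the post (0x0043AAxx) lives; the source 0x0046E000 is the start of the compressed data. Matching this stub is only a hint that the packer is a stock UPX build; the poster's report that the dump still identifies as UPX suggests the dump was taken before the copy loop finished or the headers were not fixed, which this check cannot tell apart.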