Hi everyone, yesterday I unpacked a strange UPX.
Let me describe it.
Take a look at the original OEP:
PEiD identifies the packer as
UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
004193B0 > $ 60 PUSHAD
004193B1 . BE 00104100 MOV ESI,mm.00411000
004193B6 . 8DBE 0000FFFF LEA EDI,DWORD PTR DS:[ESI+FFFF0000]
004193BC . 57 PUSH EDI
004193BD . 83CD FF OR EBP,FFFFFFFF
004193C0 . EB 10 JMP SHORT mm.004193D2
004193C2 90 NOP
.....
.....
Keep running until:
JMP mm.00404B90
The big jump is the obvious signature of a compression packer:
004194FF .- E9 8CB6FEFF JMP mm.00404B90
00419504 1C954100 DD mm.0041951C
00419508 24954100 DD mm.00419524
0041950C A8504000 DD mm.004050A8
00419510 00 DB 00
00419511 00 DB 00
00419512 00 DB 00
00419513 00 DB 00
00419514 00 DB 00
00419515 00 DB 00
Press F8 once more to enter the program's real OEP:
00404B90 55 PUSH EBP
00404B91 8BEC MOV EBP,ESP
00404B93 B9 05000000 MOV ECX,5
00404B98 6A 00 PUSH 0
00404B9A 6A 00 PUSH 0
00404B9C 49 DEC ECX
00404B9D ^ 75 F9 JNZ SHORT mm.00404B98
00404B9F 51 PUSH ECX
00404BA0 53 PUSH EBX
00404BA1 56 PUSH ESI
......
........
Dump it to unpack; a simple packer like this should be easy to unpack.
That works, but the unpacked file cannot be run. Painful.
PEiD identifies it as Delphi 5.0,
while PE-scan reports an encryption packer.
Could an expert enlighten me?
Here is the program's complete dynamic debugging listing:
00404B90 55 PUSH EBP
00404B91 8BEC MOV EBP,ESP
00404B93 B9 05000000 MOV ECX,5
00404B98 6A 00 PUSH 0
00404B9A 6A 00 PUSH 0
00404B9C 49 DEC ECX
00404B9D ^ 75 F9 JNZ SHORT mm.00404B98
00404B9F 51 PUSH ECX
00404BA0 53 PUSH EBX
00404BA1 56 PUSH ESI
00404BA2 57 PUSH EDI
00404BA3 B8 504B4000 MOV EAX,mm.00404B50
00404BA8 E8 FFF2FFFF CALL mm.00403EAC
00404BAD 33C0 XOR EAX,EAX
00404BAF 55 PUSH EBP
00404BB0 68 A44D4000 PUSH mm.00404DA4
00404BB5 64:FF30 PUSH DWORD PTR FS:[EAX]
00404BB8 64:8920 MOV DWORD PTR FS:[EAX],ESP
00404BBB 43 INC EBX
00404BBC E8 7FF8FFFF CALL mm.00404440
00404BC1 3C 01 CMP AL,1
00404BC3 0F85 C0010000 JNZ mm.00404D89
00404BC9 43 INC EBX
00404BCA 68 00010000 PUSH 100
00404BCF 68 CC664000 PUSH mm.004066CC
00404BD4 E8 EFF3FFFF CALL mm.00403FC8 ; JMP to kernel32.GetWindowsDirectoryA
00404BD9 43 INC EBX
00404BDA 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00404BDD BA CC664000 MOV EDX,mm.004066CC
00404BE2 B9 00010000 MOV ECX,100
00404BE7 E8 70ECFFFF CALL mm.0040385C
00404BEC 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
00404BEF B8 CC674000 MOV EAX,mm.004067CC
00404BF4 B9 BC4D4000 MOV ECX,mm.00404DBC ; ASCII "\smss.exe"
00404BF9 E8 C2ECFFFF CALL mm.004038C0
00404BFE 43 INC EBX
00404BFF 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00404C02 BA CC664000 MOV EDX,mm.004066CC
00404C07 B9 00010000 MOV ECX,100
00404C0C E8 4BECFFFF CALL mm.0040385C
00404C11 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
00404C14 B8 D0674000 MOV EAX,mm.004067D0
00404C19 B9 D04D4000 MOV ECX,mm.00404DD0 ; ASCII "\regsvr.dll"
00404C1E E8 9DECFFFF CALL mm.004038C0
00404C23 43 INC EBX
00404C24 43 INC EBX
00404C25 85DB TEST EBX,EBX
00404C27 7D 0A JGE SHORT mm.00404C33
00404C29 68 E8030000 PUSH 3E8
00404C2E E8 D5F3FFFF CALL mm.00404008 ; JMP to kernel32.Sleep
00404C33 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00404C36 BA CC664000 MOV EDX,mm.004066CC
00404C3B B9 00010000 MOV ECX,100
00404C40 E8 17ECFFFF CALL mm.0040385C
00404C45 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00404C48 E8 AFF8FFFF CALL mm.004044FC
00404C4D 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
00404C50 33C0 XOR EAX,EAX
00404C52 E8 8DDAFFFF CALL mm.004026E4
00404C57 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00404C5A 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
00404C5D E8 36FDFFFF CALL mm.00404998
00404C62 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
00404C65 50 PUSH EAX
00404C66 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
00404C69 A1 CC674000 MOV EAX,DWORD PTR DS:[4067CC]
00404C6E E8 25FDFFFF CALL mm.00404998
00404C73 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
00404C76 58 POP EAX
00404C77 E8 44EDFFFF CALL mm.004039C0
00404C7C 0F84 A5000000 JE mm.00404D27
00404C82 E8 4DFDFFFF CALL mm.004049D4
00404C87 68 E8030000 PUSH 3E8
00404C8C E8 77F3FFFF CALL mm.00404008 ; JMP to kernel32.Sleep
00404C91 A1 CC674000 MOV EAX,DWORD PTR DS:[4067CC]
00404C96 E8 D9EDFFFF CALL mm.00403A74
00404C9B 50 PUSH EAX
00404C9C E8 EFF2FFFF CALL mm.00403F90 ; JMP to kernel32.DeleteFileA
00404CA1 A1 D4674000 MOV EAX,DWORD PTR DS:[4067D4]
00404CA6 E8 C9EDFFFF CALL mm.00403A74
00404CAB 8BD8 MOV EBX,EAX
00404CAD 53 PUSH EBX
00404CAE E8 DDF2FFFF CALL mm.00403F90 ; JMP to kernel32.DeleteFileA
00404CB3 53 PUSH EBX
00404CB4 A1 D0674000 MOV EAX,DWORD PTR DS:[4067D0]
00404CB9 E8 B6EDFFFF CALL mm.00403A74
00404CBE 50 PUSH EAX
00404CBF E8 24F3FFFF CALL mm.00403FE8 ; JMP to kernel32.MoveFileA
00404CC4 68 E8030000 PUSH 3E8
00404CC9 E8 3AF3FFFF CALL mm.00404008 ; JMP to kernel32.Sleep
00404CCE 53 PUSH EBX
00404CCF E8 BCF2FFFF CALL mm.00403F90 ; JMP to kernel32.DeleteFileA
00404CD4 6A 00 PUSH 0
00404CD6 A1 CC674000 MOV EAX,DWORD PTR DS:[4067CC]
00404CDB E8 94EDFFFF CALL mm.00403A74
00404CE0 50 PUSH EAX
00404CE1 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
00404CE4 33C0 XOR EAX,EAX
00404CE6 E8 F9D9FFFF CALL mm.004026E4
00404CEB 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
00404CEE E8 81EDFFFF CALL mm.00403A74
00404CF3 50 PUSH EAX
00404CF4 E8 87F2FFFF CALL mm.00403F80 ; JMP to kernel32.CopyFileA
00404CF9 8B0D D0674000 MOV ECX,DWORD PTR DS:[4067D0]
00404CFF BA E44D4000 MOV EDX,mm.00404DE4 ; ASCII "dlldate"
00404D04 B8 F44D4000 MOV EAX,mm.00404DF4 ; ASCII "dll"
00404D09 E8 96FBFFFF CALL mm.004048A4
00404D0E 6A 00 PUSH 0
00404D10 A1 CC674000 MOV EAX,DWORD PTR DS:[4067CC]
00404D15 E8 5AEDFFFF CALL mm.00403A74
00404D1A 50 PUSH EAX
00404D1B E8 F8F2FFFF CALL mm.00404018 ; JMP to kernel32.WinExec
00404D20 6A 00 PUSH 0
00404D22 E8 71F2FFFF CALL mm.00403F98 ; JMP to kernel32.ExitProcess
00404D27 6A 06 PUSH 6
00404D29 A1 CC674000 MOV EAX,DWORD PTR DS:[4067CC]
00404D2E E8 41EDFFFF CALL mm.00403A74
00404D33 50 PUSH EAX
00404D34 E8 BFF2FFFF CALL mm.00403FF8 ; JMP to kernel32.SetFileAttributesA
00404D39 6A 06 PUSH 6
00404D3B A1 D0674000 MOV EAX,DWORD PTR DS:[4067D0]
00404D40 E8 2FEDFFFF CALL mm.00403A74
00404D45 50 PUSH EAX
00404D46 E8 ADF2FFFF CALL mm.00403FF8 ; JMP to kernel32.SetFileAttributesA
00404D4B 68 F84D4000 PUSH mm.00404DF8 ; ASCII "regsvr.dll"
00404D50 E8 7BF2FFFF CALL mm.00403FD0 ; JMP to kernel32.LoadLibraryA
00404D55 8BD8 MOV EBX,EAX
00404D57 68 044E4000 PUSH mm.00404E04 ; ASCII "starthook"
00404D5C 53 PUSH EBX
00404D5D E8 5EF2FFFF CALL mm.00403FC0 ; JMP to kernel32.GetProcAddress
00404D62 89C6 MOV ESI,EAX
00404D64 68 104E4000 PUSH mm.00404E10 ; ASCII "stophook"
00404D69 53 PUSH EBX
00404D6A E8 51F2FFFF CALL mm.00403FC0 ; JMP to kernel32.GetProcAddress
00404D6F 89C7 MOV EDI,EAX
00404D71 FFD6 CALL ESI
00404D73 6A 00 PUSH 0
00404D75 6A 00 PUSH 0
00404D77 6A 00 PUSH 0
00404D79 68 B0664000 PUSH mm.004066B0
00404D7E E8 A5F2FFFF CALL mm.00404028 ; JMP to user32.GetMessageA
00404D83 85C0 TEST EAX,EAX
00404D85 ^ 75 EC JNZ SHORT mm.00404D73
00404D87 FFD7 CALL EDI
00404D89 33C0 XOR EAX,EAX
00404D8B 5A POP EDX
00404D8C 59 POP ECX
00404D8D 59 POP ECX
00404D8E 64:8910 MOV DWORD PTR FS:[EAX],EDX
00404D91 68 AB4D4000 PUSH mm.00404DAB
00404D96 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
00404D99 BA 07000000 MOV EDX,7
00404D9E E8 E9E9FFFF CALL mm.0040378C
00404DA3 C3 RETN
00404DA4 ^ E9 5BE4FFFF JMP mm.00403204
00404DA9 ^ EB EB JMP SHORT mm.00404D96
00404DAB 5F POP EDI
00404DAC 5E POP ESI
00404DAD 5B POP EBX
00404DAE E8 C5E8FFFF CALL mm.00403678
00404DB3 00FF ADD BH,BH
00404DB5 FFFF ??? ; Unknown command
00404DB7 FF09 DEC DWORD PTR DS:[ECX]
00404DB9 0000 ADD BYTE PTR DS:[EAX],AL
00404DBB 005C73 6D ADD BYTE PTR DS:[EBX+ESI*2+6D],BL
00404DBF 73 73 JNB SHORT mm.00404E34
00404DC1 2E: PREFIX CS: ; Superfluous prefix
00404DC2 65:78 65 JS SHORT mm.00404E2A ; Superfluous prefix
00404DC5 0000 ADD BYTE PTR DS:[EAX],AL
00404DC7 00FF ADD BH,BH
00404DC9 FFFF ??? ; Unknown command
00404DCB FF0B DEC DWORD PTR DS:[EBX]
00404DCD 0000 ADD BYTE PTR DS:[EAX],AL
00404DCF 005C72 65 ADD BYTE PTR DS:[EDX+ESI*2+65],BL
00404DD3 67:73 76 JNB SHORT mm.00404E4C ; Superfluous prefix
00404DD6 72 2E JB SHORT mm.00404E06
00404DD8 64:6C INS BYTE PTR ES:[EDI],DX ; I/O command
00404DDA 6C INS BYTE PTR ES:[EDI],DX ; I/O command
00404DDB 00FF ADD BH,BH
00404DDD FFFF ??? ; Unknown command
00404DDF FF07 INC DWORD PTR DS:[EDI]
00404DE1 0000 ADD BYTE PTR DS:[EAX],AL
00404DE3 00646C 6C ADD BYTE PTR SS:[ESP+EBP*2+6C],AH
00404DE7 64:61 POPAD ; Superfluous prefix
00404DE9 74 65 JE SHORT mm.00404E50
00404DEB 00FF ADD BH,BH
00404DED FFFF ??? ; Unknown command
00404DEF FF03 INC DWORD PTR DS:[EBX]
00404DF1 0000 ADD BYTE PTR DS:[EAX],AL
00404DF3 00646C 6C ADD BYTE PTR SS:[ESP+EBP*2+6C],AH
00404DF7 0072 65 ADD BYTE PTR DS:[EDX+65],DH
00404DFA 67:73 76 JNB SHORT mm.00404E73 ; Superfluous prefix
00404DFD 72 2E JB SHORT mm.00404E2D
00404DFF 64:6C INS BYTE PTR ES:[EDI],DX ; I/O command
00404E01 6C INS BYTE PTR ES:[EDI],DX ; I/O command
00404E02 0000 ADD BYTE PTR DS:[EAX],AL
00404E04 73 74 JNB SHORT mm.00404E7A
00404E06 61 POPAD
00404E07 72 74 JB SHORT mm.00404E7D
00404E09 68 6F6F6B00 PUSH 6B6F6F
00404E0E 0000 ADD BYTE PTR DS:[EAX],AL
00404E10 73 74 JNB SHORT mm.00404E86
00404E12 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O command
00404E13 70 68 JO SHORT mm.00404E7D
00404E15 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O command
00404E16 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O command
00404E17 6B00 00 IMUL EAX,DWORD PTR DS:[EAX],0
Could some expert give me a hint?
Frustrated.
Many thanks in advance.
qq:723747753
MSN:chinatme@163.com
I have packaged the thing up; if anyone is interested you can debug it yourself.
I want to get its unpacked original file, to see what it is.
Hope everyone can help.
I will be watching this thread the whole time.
That thing
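As an added example (my own code, not from the post or its author): resolving the tail jump at 004194FF from its bytes reproduces the OEP 00404B90 that F8 lands on, and a small parser over listing lines copied from the post pulls out the API names and ASCII strings that summarise what the unpacked program does (copy itself into the Windows directory as smss.exe, load regsvr.dll, call starthook). The stub boundary 00411000 is taken from the MOV ESI at the packer entry and treated as the start of the packed region; that is an assumption.

```python
import re
import struct

# Constructed from the listing in the post: the E9 rel32 tail jump at 004194FF.
TAIL_JUMP_VA = 0x004194FF
TAIL_JUMP_BYTES = bytes.fromhex("E98CB6FEFF")
# Assumed start of the packed region, from "MOV ESI,mm.00411000" at the packer entry.
STUB_REGION_LO = 0x00411000

def jmp_rel32_target(va, code):
    """Resolve an E9 rel32 near jump: target = VA of the next instruction + signed rel32."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 jump")
    rel = struct.unpack("<i", code[1:5])[0]
    return (va + 5 + rel) & 0xFFFFFFFF

def is_upx_tail_jump(va, code, region_lo=STUB_REGION_LO):
    """The 'big jump' heuristic from the post: a jump from the stub back below the packed region."""
    return jmp_rel32_target(va, code) < region_lo

# Constructed sample input: a few OllyDbg lines copied from the listing in the post.
LISTING = """\
00404BD4 E8 EFF3FFFF CALL mm.00403FC8 ; JMP to kernel32.GetWindowsDirectoryA
00404BF4 B9 BC4D4000 MOV ECX,mm.00404DBC ; ASCII "\\smss.exe"
00404C19 B9 D04D4000 MOV ECX,mm.00404DD0 ; ASCII "\\regsvr.dll"
00404CBF E8 24F3FFFF CALL mm.00403FE8 ; JMP to kernel32.MoveFileA
00404D1B E8 F8F2FFFF CALL mm.00404018 ; JMP to kernel32.WinExec
00404D50 E8 7BF2FFFF CALL mm.00403FD0 ; JMP to kernel32.LoadLibraryA
00404D57 68 044E4000 PUSH mm.00404E04 ; ASCII "starthook"
"""

# OllyDbg writes "JMP to" in the English build and "JMP 到" in the Chinese one; accept both.
API_RE = re.compile(r"; JMP (?:to|到) (\w+)\.(\w+)")
STR_RE = re.compile(r'; ASCII "([^"]*)"')

def triage_listing(text):
    """Return (api_names, ascii_strings) in listing order, de-duplicated."""
    apis, strings = [], []
    for line in text.splitlines():
        m = API_RE.search(line)
        if m and m.group(2) not in apis:
            apis.append(m.group(2))
        m = STR_RE.search(line)
        if m and m.group(1) not in strings:
            strings.append(m.group(1))
    return apis, strings

if __name__ == "__main__":
    print("OEP: %08X" % jmp_rel32_target(TAIL_JUMP_VA, TAIL_JUMP_BYTES))
    print(triage_listing(LISTING))
```

Run against the full listing the same parser lists the file operations and the LoadLibraryA/GetProcAddress pair, which is what the post's disassembly reveals about the program's behaviour.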