【Article title】: Does ASPack 2.12 have a mutated variant too?
【Author】: 张大善人
【Author's QQ】: 37232175
【Software name】: ***E-book Decompiler**
【Software size】: 1.47M
【Download】: search for it yourself
【Protection】: ASPack 2.12 -> Alexey Solodovnikov
【Software description】: none needed
【Author's note】: Just out of interest, no other purpose. Where I have slipped up, I hope the experts will set me straight!
--------------------------------------------------------------------------------
【Detailed process】
A few days ago I downloaded a small program that kept popping up a web page whenever it closed, which was annoying. So I decided to practice on it. PEiD reported ASPack 2.12 ->
Alexey Solodovnikov, and I was secretly pleased: easy! I unpacked it with a tool, but the result would not run; I tried several other unpackers and the results
would not run either. Strange. So I unpacked it by hand, as follows:
0041B001 > 60 PUSHAD ; ASPack signature
0041B002 E8 03000000 CALL hychm.0041B00A ; deformed call, step into with F7
0041B007 - E9 EB045D45 JMP 459EB4F7
0041B00C 55 PUSH EBP
0041B00D C3 RETN
0041B00E E8 01000000 CALL hychm.0041B014 ; deformed CALL, step into with F7
0041B013 EB 5D JMP SHORT hychm.0041B072
0041B015 BB EDFFFFFF MOV EBX,-13
0041B01A 03DD ADD EBX,EBP
0041B01C 81EB 00B00100 SUB EBX,1B000
0041B022 83BD 22040000 0>CMP DWORD PTR SS:[EBP+422],0
0041B029 899D 22040000 MOV DWORD PTR SS:[EBP+422],EBX
0041B02F 0F85 65030000 JNZ hychm.0041B39A
0041B035 8D85 2E040000 LEA EAX,DWORD PTR SS:[EBP+42E]
0041B03B 50 PUSH EAX
0041B03C FF95 4D0F0000 CALL DWORD PTR SS:[EBP+F4D]
0041B042 8985 26040000 MOV DWORD PTR SS:[EBP+426],EAX
0041B048 8BF8 MOV EDI,EAX
0041B04A 8D5D 5E LEA EBX,DWORD PTR SS:[EBP+5E]
0041B04D 53 PUSH EBX
0041B04E 50 PUSH EAX
0041B04F FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]
0041B055 8985 4D050000 MOV DWORD PTR SS:[EBP+54D],EAX
0041B05B 8D5D 6B LEA EBX,DWORD PTR SS:[EBP+6B]
0041B05E 53 PUSH EBX
0041B05F 57 PUSH EDI
0041B060 FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]
0041B066 8985 51050000 MOV DWORD PTR SS:[EBP+551],EAX
0041B06C 8D45 77 LEA EAX,DWORD PTR SS:[EBP+77]
0041B06F FFE0 JMP EAX
0041B071 56 PUSH ESI
0041B072 6972 74 75616C4>IMUL ESI,DWORD PTR DS:[EDX+74],416C6175
0041B079 6C INS BYTE PTR ES:[EDI],DX ; I/O instruction
0041B07A 6C INS BYTE PTR ES:[EDI],DX ; I/O instruction
0041B07B 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O instruction
0041B07C 6300 ARPL WORD PTR DS:[EAX],AX
0041B07E 56 PUSH ESI
0041B07F 6972 74 75616C4>IMUL ESI,DWORD PTR DS:[EDX+74],466C6175
0041B086 72 65 JB SHORT hychm.0041B0ED
0041B088 65:008B 9D31050>ADD BYTE PTR GS:[EBX+5319D],CL
0041B08F 000B ADD BYTE PTR DS:[EBX],CL
0041B091 DB ??? ; unknown instruction
0041B092 74 0A JE SHORT hychm.0041B09E
0041B094 8B03 MOV EAX,DWORD PTR DS:[EBX]
0041B096 8785 35050000 XCHG DWORD PTR SS:[EBP+535],EAX
0041B09C 8903 MOV DWORD PTR DS:[EBX],EAX
0041B09E 8DB5 69050000 LEA ESI,DWORD PTR SS:[EBP+569]
0041B0A4 833E 00 CMP DWORD PTR DS:[ESI],0
0041B0A7 0F84 21010000 JE hychm.0041B1CE
0041B0AD 6A 04 PUSH 4
0041B0AF 68 00100000 PUSH 1000
0041B0B4 68 00180000 PUSH 1800
0041B0B9 6A 00 PUSH 0
0041B0BB FF95 4D050000 CALL DWORD PTR SS:[EBP+54D]
0041B0C1 8985 56010000 MOV DWORD PTR SS:[EBP+156],EAX
0041B0C7 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4] ; you must let it come back here
0041B0CA 05 0E010000 ADD EAX,10E
0041B0CF 6A 04 PUSH 4
0041B0D1 68 00100000 PUSH 1000
0041B0D6 50 PUSH EAX
0041B0D7 6A 00 PUSH 0
0041B0D9 FF95 4D050000 CALL DWORD PTR SS:[EBP+54D]
0041B0DF 8985 52010000 MOV DWORD PTR SS:[EBP+152],EAX
0041B0E5 56 PUSH ESI
0041B0E6 8B1E MOV EBX,DWORD PTR DS:[ESI]
0041B0E8 039D 22040000 ADD EBX,DWORD PTR SS:[EBP+422]
0041B0EE FFB5 56010000 PUSH DWORD PTR SS:[EBP+156]
0041B0F4 FF76 04 PUSH DWORD PTR DS:[ESI+4]
0041B0F7 50 PUSH EAX
0041B0F8 53 PUSH EBX
0041B0F9 E8 6E050000 CALL hychm.0041B66C ; far call, step over with F8
0041B0FE B3 00 MOV BL,0
0041B100 80FB 00 CMP BL,0
0041B103 75 5E JNZ SHORT hychm.0041B163 ; far jump
0041B105 FE85 EC000000 INC BYTE PTR SS:[EBP+EC]
0041B10B 8B3E MOV EDI,DWORD PTR DS:[ESI]
0041B10D 03BD 22040000 ADD EDI,DWORD PTR SS:[EBP+422]
0041B113 FF37 PUSH DWORD PTR DS:[EDI]
0041B115 C607 C3 MOV BYTE PTR DS:[EDI],0C3
0041B118 FFD7 CALL EDI
0041B11A 8F07 POP DWORD PTR DS:[EDI]
0041B11C 50 PUSH EAX
0041B11D 51 PUSH ECX
0041B11E 56 PUSH ESI
0041B11F 53 PUSH EBX
0041B120 8BC8 MOV ECX,EAX
0041B122 83E9 06 SUB ECX,6
0041B125 8BB5 52010000 MOV ESI,DWORD PTR SS:[EBP+152]
0041B12B 33DB XOR EBX,EBX
0041B12D 0BC9 OR ECX,ECX
0041B12F 74 2E JE SHORT hychm.0041B15F
0041B131 78 2C JS SHORT hychm.0041B15F
0041B133 AC LODS BYTE PTR DS:[ESI]
0041B134 3C E8 CMP AL,0E8
0041B136 74 0A JE SHORT hychm.0041B142
0041B138 EB 00 JMP SHORT hychm.0041B13A
0041B13A 3C E9 CMP AL,0E9
0041B13C 74 04 JE SHORT hychm.0041B142
0041B13E 43 INC EBX
0041B13F 49 DEC ECX
0041B140 ^ EB EB JMP SHORT hychm.0041B12D ; backward jump
0041B142 8B06 MOV EAX,DWORD PTR DS:[ESI] ; F4 straight to here
0041B144 EB 00 JMP SHORT hychm.0041B146
0041B146 803E 04 CMP BYTE PTR DS:[ESI],4
0041B149 ^ 75 F3 JNZ SHORT hychm.0041B13E
0041B14B 24 00 AND AL,0
0041B14D C1C0 18 ROL EAX,18
0041B150 2BC3 SUB EAX,EBX
0041B152 8906 MOV DWORD PTR DS:[ESI],EAX
0041B154 83C3 05 ADD EBX,5
0041B157 83C6 04 ADD ESI,4
0041B15A 83E9 05 SUB ECX,5
0041B15D ^ EB CE JMP SHORT hychm.0041B12D ; backward jump
0041B15F 5B POP EBX ; F4 straight to here
0041B160 5E POP ESI
0041B161 59 POP ECX
0041B162 58 POP EAX
0041B163 EB 08 JMP SHORT hychm.0041B16D
0041B165 0000 ADD BYTE PTR DS:[EAX],AL
0041B167 0000 ADD BYTE PTR DS:[EAX],AL
0041B169 0000 ADD BYTE PTR DS:[EAX],AL
0041B16B 0000 ADD BYTE PTR DS:[EAX],AL
0041B16D 8BC8 MOV ECX,EAX
0041B16F 8B3E MOV EDI,DWORD PTR DS:[ESI]
0041B171 03BD 22040000 ADD EDI,DWORD PTR SS:[EBP+422]
0041B177 8BB5 52010000 MOV ESI,DWORD PTR SS:[EBP+152]
0041B17D C1F9 02 SAR ECX,2
0041B180 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
0041B182 8BC8 MOV ECX,EAX
0041B184 83E1 03 AND ECX,3
0041B187 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
0041B189 5E POP ESI
0041B18A 68 00800000 PUSH 8000
0041B18F 6A 00 PUSH 0
0041B191 FFB5 52010000 PUSH DWORD PTR SS:[EBP+152]
0041B197 FF95 51050000 CALL DWORD PTR SS:[EBP+551]
0041B19D 83C6 08 ADD ESI,8
0041B1A0 833E 00 CMP DWORD PTR DS:[ESI],0
0041B1A3 ^ 0F85 1EFFFFFF JNZ hychm.0041B0C7 ; backward jump, you must let it jump back
0041B1A9 68 00800000 PUSH 8000 ; you cannot F4 to here, the program runs off
0041B1AE 6A 00 PUSH 0
.................
0041B0C6 008B 4604050E ADD BYTE PTR DS:[EBX+E050446],CL
0041B0CC 0100 ADD DWORD PTR DS:[EAX],EAX
0041B0CE 006A 04 ADD BYTE PTR DS:[EDX+4],CH
0041B0D1 68 00100000 PUSH 1000
0041B0D6 50 PUSH EAX
0041B0D7 6A 00 PUSH 0
0041B0D9 FF95 4D050000 CALL DWORD PTR SS:[EBP+54D]
0041B0DF 8985 52010000 MOV DWORD PTR SS:[EBP+152],EAX
0041B0E5 56 PUSH ESI
0041B0E6 8B1E MOV EBX,DWORD PTR DS:[ESI]
0041B0E8 039D 22040000 ADD EBX,DWORD PTR SS:[EBP+422]
0041B0EE FFB5 56010000 PUSH DWORD PTR SS:[EBP+156]
0041B0F4 FF76 04 PUSH DWORD PTR DS:[ESI+4]
0041B0F7 50 PUSH EAX
0041B0F8 53 PUSH EBX
0041B0F9 E8 6E050000 CALL hychm.0041B66C ; far call, step over with F8
0041B0FE B3 01 MOV BL,1
0041B100 80FB 00 CMP BL,0
0041B103 75 5E JNZ SHORT hychm.0041B163 ; far jump
0041B105 FE85 EC000000 INC BYTE PTR SS:[EBP+EC]
.................
0041B302 85C0 TEST EAX,EAX
0041B304 5B POP EBX
0041B305 75 6F JNZ SHORT hychm.0041B376 ; big jump
0041B307 F7C3 00000080 TEST EBX,80000000
0041B30D 75 19 JNZ SHORT hychm.0041B328
0041B30F 57 PUSH EDI
0041B310 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
0041B313 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
0041B319 50 PUSH EAX
0041B31A 53 PUSH EBX
0041B31B 8D85 75040000 LEA EAX,DWORD PTR SS:[EBP+475]
0041B321 50 PUSH EAX
0041B322 57 PUSH EDI
0041B323 E9 98000000 JMP hychm.0041B3C0
0041B328 81E3 FFFFFF7F AND EBX,7FFFFFFF
0041B32E 8B85 26040000 MOV EAX,DWORD PTR SS:[EBP+426]
0041B334 3985 45050000 CMP DWORD PTR SS:[EBP+545],EAX
0041B33A 75 24 JNZ SHORT hychm.0041B360
0041B33C 57 PUSH EDI
0041B33D 8BD3 MOV EDX,EBX
0041B33F 4A DEC EDX
0041B340 C1E2 02 SHL EDX,2
0041B343 8B9D 45050000 MOV EBX,DWORD PTR SS:[EBP+545]
0041B349 8B7B 3C MOV EDI,DWORD PTR DS:[EBX+3C]
0041B34C 8B7C3B 78 MOV EDI,DWORD PTR DS:[EBX+EDI+78]
0041B350 035C3B 1C ADD EBX,DWORD PTR DS:[EBX+EDI+1C]
0041B354 8B0413 MOV EAX,DWORD PTR DS:[EBX+EDX]
0041B357 0385 45050000 ADD EAX,DWORD PTR SS:[EBP+545]
0041B35D 5F POP EDI
0041B35E EB 16 JMP SHORT hychm.0041B376
0041B360 57 PUSH EDI
0041B361 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
0041B364 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
0041B36A 50 PUSH EAX
0041B36B 53 PUSH EBX
0041B36C 8D85 C6040000 LEA EAX,DWORD PTR SS:[EBP+4C6]
0041B372 50 PUSH EAX
0041B373 57 PUSH EDI
0041B374 EB 4A JMP SHORT hychm.0041B3C0
0041B376 8907 MOV DWORD PTR DS:[EDI],EAX
0041B378 8385 49050000 0>ADD DWORD PTR SS:[EBP+549],4
0041B37F ^ E9 32FFFFFF JMP hychm.0041B2B6 ; backward jump
0041B384 8906 MOV DWORD PTR DS:[ESI],EAX ; F4 to here
0041B386 8946 0C MOV DWORD PTR DS:[ESI+C],EAX
0041B389 8946 10 MOV DWORD PTR DS:[ESI+10],EAX
0041B38C 83C6 14 ADD ESI,14
0041B38F 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
0041B395 ^ E9 EBFEFFFF JMP hychm.0041B285 ; backward jump
0041B39A B8 9C100000 MOV EAX,109C ; F4 to here
0041B39F 50 PUSH EAX
0041B3A0 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
0041B3A6 59 POP ECX
0041B3A7 0BC9 OR ECX,ECX
0041B3A9 8985 A8030000 MOV DWORD PTR SS:[EBP+3A8],EAX
0041B3AF 61 POPAD ; once you see this marker, the entry point should not be far
0041B3B0 75 08 JNZ SHORT hychm.0041B3BA
0041B3B2 B8 01000000 MOV EAX,1
0041B3B7 C2 0C00 RETN 0C
0041B3BA 68 9C104000 PUSH hychm.0040109C ; pushing the entry point value?
0041B3BF C3 RETN
...............................
0040109C 68 885B4000 PUSH hychm.00405B88 ; the program dumped here will not run, ugh!
004010A1 E8 F0FFFFFF CALL hychm.00401096 ; JMP to msvbvm50.ThunRTMain
004010A6 0000 ADD BYTE PTR DS:[EAX],AL
004010A8 48 DEC EAX
At this point, manual unpacking has failed. I am a newbie, and I hope the experts can point out the secret behind this!
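As an added example that is not part of the original post: the Python below takes the stub bytes from the listing above and follows the control flow the way F7 does, showing why the two "deformed" CALLs have to be stepped into rather than over: each CALL lands inside the operand bytes of the next instruction and never returns to the address after it, so the linear disassembly is misleading. It recovers the EBP anchor (0041B013) and the image base the stub leaves in EBX, and pulls the OEP out of the POPAD / PUSH 0040109C / RETN tail; the function names are mine and only the opcodes this stub executes are modelled.

```python
import struct

# Stub bytes copied from the OllyDbg listing above (hychm, ASPack 2.12 entry
# at 0041B001): PUSHAD, two "deformed" CALLs, and the image-base delta fixup.
STUB_BASE = 0x0041B001
STUB = bytes.fromhex(
    "60"              # PUSHAD
    "E8 03000000"     # CALL +3: lands on the 5D inside the next instruction
    "E9 EB045D45"     # shown as JMP, really executed as: EB 04 / 5D / 45
    "55 C3"           # PUSH EBP / RETN (returns to 0041B008, not 0041B007)
    "E8 01000000"     # CALL +1: lands on the 5D inside "EB 5D"
    "EB 5D"           # shown as JMP SHORT, really executed as 5D = POP EBP
    "BB EDFFFFFF"     # MOV EBX,-13
    "03DD"            # ADD EBX,EBP
    "81EB 00B00100"   # SUB EBX,1B000 -> EBX = image base
)
# Tail from the listing at 0041B3AF (constructed from those bytes only):
# POPAD / JNZ +8 / MOV EAX,1 / RETN 0C / PUSH <OEP> / RETN
TAIL = bytes.fromhex("61 7508 B8 01000000 C2 0C00 68 9C104000 C3")

def trace_delta(code, base):
    """Follow the stub prologue's real control flow; return (EBP, EBX)."""
    ip, ebp, ebx, stack = base, 0, 0, []
    while True:
        off, op = ip - base, code[ip - base]
        if op == 0x60: ip += 1                                  # PUSHAD
        elif op == 0xE8:                                        # CALL rel32
            stack.append(ip + 5); ip += 5 + struct.unpack_from("<i", code, off + 1)[0]
        elif op == 0x5D: ebp, ip = stack.pop(), ip + 1          # POP EBP
        elif op == 0x45: ebp, ip = ebp + 1, ip + 1              # INC EBP
        elif op == 0x55: stack.append(ebp); ip += 1             # PUSH EBP
        elif op == 0xC3: ip = stack.pop()                       # RETN
        elif op == 0xEB: ip += 2 + struct.unpack_from("<b", code, off + 1)[0]  # JMP SHORT rel8
        elif op == 0xBB: ebx, ip = struct.unpack_from("<I", code, off + 1)[0], ip + 5  # MOV EBX,imm32
        elif code[off:off + 2] == b"\x03\xDD": ebx, ip = (ebx + ebp) & 0xFFFFFFFF, ip + 2  # ADD EBX,EBP
        elif code[off:off + 2] == b"\x81\xEB":  # SUB EBX,imm32 is the prologue's last step
            return ebp, (ebx - struct.unpack_from("<I", code, off + 2)[0]) & 0xFFFFFFFF
        else: raise ValueError(f"unmodelled opcode {op:#04x} at {ip:#010x}")

def find_pushed_oep(code):
    """Return the imm32 of the first 'PUSH imm32; RETN' after a POPAD, else None."""
    popad = code.find(b"\x61")
    pos = code.find(b"\x68", popad) if popad != -1 else -1
    while pos != -1:
        if code[pos + 5:pos + 6] == b"\xC3":
            return struct.unpack_from("<I", code, pos + 1)[0]
        pos = code.find(b"\x68", pos + 1)
    return None
```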
--------------------------------------------------------------------------------
【Lessons learned】
The lessons are as follows:
It seems that even a classic old packer, with a slight change of tricks, can produce new effects!
I have uploaded the file as an attachment in the hope that interested experts will study it and offer some pointers.
http://www.live-share.com/files/97815/chm_packed.rar.html
Or: http://rapidshare.com/files/4210861/chm_packed.rar.html
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the Pediy (看雪) forum. When reposting, please credit the author and keep the article intact. Thank you!
November 21, 2006, 11:50:20