[Old post]
[Help] A question about unpacking UPX
I watched lesson 5 of the tutorials in the "PYG Forum 3rd Anniversary Official Gift Pack, Gift One". The program 泰来文件切割合并工具 (a file split/merge tool) is packed with UPX and I cannot unpack it.
PEiD reports: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
I first tried Quick Unpack and entered OEP 004016AC, but it popped up a dialog saying: An invalid argument was encountered.
09:23:17 - Opened 泰来文件切割合并工具.exe
Quick self analyze.... unknown
PESniffer EP Scan: UPX v0.89.6 - v1.02 / v1.05 - v1.22
PEiD scanning... UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
09:23:24 - Unpacked file hasn`t been created
09:23:24 - Done
Then I tried the manual unpacking method taught in lesson 4, but that didn't work either; I cannot repair the result.
00417FF0 泰> $ 60 pushad ; stub start
00417FF1 . BE 00104100 mov esi,泰来文件切割合并工具.00411000
00417FF6 . 8DBE 0000FFFF lea edi,dword ptr ds:[esi+FFFF000>
00417FFC . 57 push edi
00417FFD . 83CD FF or ebp,FFFFFFFF
00418000 . EB 10 jmp short 泰来文件切割合并工具.00418012
00418002 90 nop
00418003 90 nop
00418004 90 nop
00418005 90 nop
00418006 90 nop
00418007 90 nop
00418008 > 8A06 mov al,byte ptr ds:[esi]
0041800A . 46 inc esi
0041800B . 8807 mov byte ptr ds:[edi],al
0041800D . 47 inc edi
0041800E > 01DB add ebx,ebx
00418010 . 75 07 jnz short 泰来文件切割合并工具.00418019
00418012 > 8B1E mov ebx,dword ptr ds:[esi]
00418014 . 83EE FC sub esi,-4
00418017 . 11DB adc ebx,ebx
00418019 >^ 72 ED jb short 泰来文件切割合并工具.00418008
0041801B . B8 01000000 mov eax,1
00418020 > 01DB add ebx,ebx
00418022 . 75 07 jnz short 泰来文件切割合并工具.0041802B
00418024 . 8B1E mov ebx,dword ptr ds:[esi]
00418026 . 83EE FC sub esi,-4
00418029 . 11DB adc ebx,ebx
0041802B > 11C0 adc eax,eax
0041802D . 01DB add ebx,ebx
0041802F .^ 73 EF jnb short 泰来文件切割合并工具.00418020 ; loops back; click the line below and press F4
00418031 . 75 09 jnz short 泰来文件切割合并工具.0041803C
00418033 . 8B1E mov ebx,dword ptr ds:[esi]
00418035 . 83EE FC sub esi,-4
00418038 . 11DB adc ebx,ebx
0041803A .^ 73 E4 jnb short 泰来文件切割合并工具.00418020
0041803C > 31C9 xor ecx,ecx
0041803E . 83E8 03 sub eax,3
00418041 . 72 0D jb short 泰来文件切割合并工具.00418050
00418043 . C1E0 08 shl eax,8
00418046 . 8A06 mov al,byte ptr ds:[esi]
00418048 . 46 inc esi
00418049 . 83F0 FF xor eax,FFFFFFFF
0041804C . 74 74 je short 泰来文件切割合并工具.004180C2
0041804E . 89C5 mov ebp,eax
00418050 > 01DB add ebx,ebx
00418052 . 75 07 jnz short 泰来文件切割合并工具.0041805B
00418054 . 8B1E mov ebx,dword ptr ds:[esi]
00418056 . 83EE FC sub esi,-4
00418059 . 11DB adc ebx,ebx
0041805B > 11C9 adc ecx,ecx
0041805D . 01DB add ebx,ebx
0041805F . 75 07 jnz short 泰来文件切割合并工具.00418068
00418061 . 8B1E mov ebx,dword ptr ds:[esi]
00418063 . 83EE FC sub esi,-4
00418066 . 11DB adc ebx,ebx
00418068 > 11C9 adc ecx,ecx
0041806A . 75 20 jnz short 泰来文件切割合并工具.0041808C
0041806C . 41 inc ecx
0041806D > 01DB add ebx,ebx
0041806F . 75 07 jnz short 泰来文件切割合并工具.00418078
00418071 . 8B1E mov ebx,dword ptr ds:[esi]
00418073 . 83EE FC sub esi,-4
00418076 . 11DB adc ebx,ebx
00418078 > 11C9 adc ecx,ecx
0041807A . 01DB add ebx,ebx
0041807C .^ 73 EF jnb short 泰来文件切割合并工具.0041806D ; loops back; click the line below and press F4
0041807E . 75 09 jnz short 泰来文件切割合并工具.00418089
00418080 . 8B1E mov ebx,dword ptr ds:[esi]
00418082 . 83EE FC sub esi,-4
00418085 . 11DB adc ebx,ebx
00418087 .^ 73 E4 jnb short 泰来文件切割合并工具.0041806D
00418089 > 83C1 02 add ecx,2
0041808C > 81FD 00F3FFFF cmp ebp,-0D00
00418092 . 83D1 01 adc ecx,1
00418095 . 8D142F lea edx,dword ptr ds:[edi+ebp]
00418098 . 83FD FC cmp ebp,-4
0041809B . 76 0F jbe short 泰来文件切割合并工具.004180AC
0041809D > 8A02 mov al,byte ptr ds:[edx]
0041809F . 42 inc edx
004180A0 . 8807 mov byte ptr ds:[edi],al
004180A2 . 47 inc edi
004180A3 . 49 dec ecx
004180A4 .^ 75 F7 jnz short 泰来文件切割合并工具.0041809D ; loops back; click the line below
004180A6 .^ E9 63FFFFFF jmp 泰来文件切割合并工具.0041800E ; loops back; click the line below
004180AB 90 nop ; nop; click the line below and press F4
004180AC > 8B02 mov eax,dword ptr ds:[edx]
004180AE . 83C2 04 add edx,4
004180B1 . 8907 mov dword ptr ds:[edi],eax
004180B3 . 83C7 04 add edi,4
004180B6 . 83E9 04 sub ecx,4
004180B9 .^ 77 F1 ja short 泰来文件切割合并工具.004180AC ; loops back; click the line below and press F4
004180BB . 01CF add edi,ecx
004180BD <> .^ E9 4CFFFFFF jmp 泰来文件切割合并工具.0041800E ; loops back; click the line below and press F4
004180C2 > 5E pop esi
004180C3 . 89F7 mov edi,esi
004180C5 . B9 4C000000 mov ecx,4C
004180CA > 8A07 mov al,byte ptr ds:[edi]
004180CC . 47 inc edi
004180CD . 2C E8 sub al,0E8
004180CF > 3C 01 cmp al,1
004180D1 .^ 77 F7 ja short 泰来文件切割合并工具.004180CA ; loops back; click the line below and press F4
004180D3 . 803F 02 cmp byte ptr ds:[edi],2
004180D6 .^ 75 F2 jnz short 泰来文件切割合并工具.004180CA ; loops back; click the line below and press F4
004180D8 . 8B07 mov eax,dword ptr ds:[edi]
004180DA . 8A5F 04 mov bl,byte ptr ds:[edi+4]
004180DD . 66:C1E8 08 shr ax,8
004180E1 . C1C0 10 rol eax,10
004180E4 . 86C4 xchg ah,al
004180E6 . 29F8 sub eax,edi
004180E8 . 80EB E8 sub bl,0E8
004180EB . 01F0 add eax,esi
004180ED . 8907 mov dword ptr ds:[edi],eax
004180EF . 83C7 05 add edi,5
004180F2 . 89D8 mov eax,ebx
004180F4 .^ E2 D9 loopd short 泰来文件切割合并工具.004180CF ; loops back; click the line below and press F4
004180F6 . 8DBE 00500100 lea edi,dword ptr ds:[esi+15000]
004180FC > 8B07 mov eax,dword ptr ds:[edi]
004180FE . 09C0 or eax,eax
00418100 . 74 45 je short 泰来文件切割合并工具.00418147
00418102 . 8B5F 04 mov ebx,dword ptr ds:[edi+4]
00418105 . 8D8430 44910100 lea eax,dword ptr ds:[eax+esi+191>
0041810C . 01F3 add ebx,esi
0041810E . 50 push eax
0041810F . 83C7 08 add edi,8
00418112 . FF96 80910100 call dword ptr ds:[esi+19180]
00418118 . 95 xchg eax,ebp
00418119 > 8A07 mov al,byte ptr ds:[edi]
0041811B . 47 inc edi
0041811C . 08C0 or al,al
0041811E .^ 74 DC je short 泰来文件切割合并工具.004180FC ; loops back; click the line below and press F4
00418120 . 89F9 mov ecx,edi
00418122 . 79 07 jns short 泰来文件切割合并工具.0041812B
00418124 . 0FB707 movzx eax,word ptr ds:[edi]
00418127 . 47 inc edi
00418128 . 50 push eax
00418129 . 47 inc edi
0041812A B9 db B9
0041812B . 57 push edi
0041812C . 48 dec eax
0041812D . F2:AE repne scas byte ptr es:[edi]
0041812F . 55 push ebp
00418130 . FF96 84910100 call dword ptr ds:[esi+19184]
00418136 . 09C0 or eax,eax
00418138 . 74 07 je short 泰来文件切割合并工具.00418141
0041813A . 8903 mov dword ptr ds:[ebx],eax
0041813C . 83C3 04 add ebx,4
0041813F .^ EB D8 jmp short 泰来文件切割合并工具.00418119 ; ignore
00418141 > FF96 88910100 call dword ptr ds:[esi+19188]
00418147 > 61 popad ; stub end.. set a breakpoint here, press F9 to run, and it breaks here
00418148 .- E9 5F95FEFF jmp 泰来文件切割合并工具.004016AC ;OEP
Pressing F8 twice more takes the JMP and lands here:
004016AC 68 C08D4000 push 泰来文件切割合并工具.00408DC0 ; OEP
004016B1 E8 F0FFFFFF call 泰来文件切割合并工具.004016A6 ; jmp to MSVBVM60.ThunRTMain
Then I dumped with LordPE, but the dump does not run. Next I used ImportREC to repair it: I entered OEP 000016AC, clicked IAT AutoSearch, clicked OK, then entered size 00001000 and clicked Get Imports; the list box above showed lots of ------- valid:NO.
How should I repair this?
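The stub head and tail in the listing above can be decoded mechanically, which is a cheap sanity check before dumping. The following Python is an added example, not code from the post or from any tool it mentions: it rebuilds the two stub fragments from the hex bytes in the listing, derives the unpack destination and the OEP, converts the OEP to the RVA that ImportREC expects, and reimplements the E8/E9 fixup loop at 004180CA..004180F4 on a constructed byte string. The image base 00400000 is an assumption; the post does not print it.

```python
import struct

# Image base is an assumption (the post never prints it); it matches the poster's
# ImportREC value, since 004016AC - 00400000 = 000016AC.
IMAGE_BASE = 0x00400000

# Stub fragments transcribed from the OllyDbg listing in the post (constructed sample:
# only the opcode bytes of the stub head and tail are reproduced).
STUB_HEAD_VA = 0x00417FF0
STUB_HEAD = bytes.fromhex("60" "BE00104100" "8DBE0000FFFF")  # pushad; mov esi,imm32; lea edi,[esi+disp32]
STUB_TAIL_VA = 0x00418147
STUB_TAIL = bytes.fromhex("61" "E95F95FEFF")                 # popad; jmp rel32 -> OEP

def decode_head(buf=STUB_HEAD):
    """Return (packed_src, unpack_dst): ESI and EDI as the stub head sets them."""
    if buf[0] != 0x60 or buf[1] != 0xBE or buf[6:8] != b"\x8D\xBE":
        raise ValueError("not a UPX-style stub head")
    src = struct.unpack_from("<I", buf, 2)[0]
    disp = struct.unpack_from("<i", buf, 8)[0]
    return src, (src + disp) & 0xFFFFFFFF

def decode_tail(buf=STUB_TAIL, va=STUB_TAIL_VA):
    """Return the OEP VA from 'popad; jmp rel32' located at va."""
    if buf[0] != 0x61 or buf[1] != 0xE9:
        raise ValueError("not a UPX-style stub tail")
    rel = struct.unpack_from("<i", buf, 2)[0]
    return (va + 6 + rel) & 0xFFFFFFFF  # the jmp starts at va+1 and is 5 bytes long

def oep_rva(oep_va, image_base=IMAGE_BASE):
    """RVA form of the OEP, which is the value ImportREC asks for."""
    return oep_va - image_base

def unfilter_e8e9(code, code_va, count, cto=0x02):
    """Undo the call/jmp filter the way the loop at 004180CA..004180F4 does.
    An E8/E9 whose operand begins with marker byte `cto` carries its target as a
    big-endian 24-bit value; rewrite it as a normal little-endian rel32. count = ECX (4C)."""
    buf = bytearray(code)
    i = 0
    while count and i < len(buf) - 4:
        op = buf[i]
        i += 1
        if op not in (0xE8, 0xE9) or buf[i] != cto:
            continue                                      # cmp al,1 / cmp byte [edi],2 fail
        val = int.from_bytes(buf[i + 1:i + 4], "big")     # the shr/rol/xchg byte shuffle
        rel = (val + code_va - (code_va + i)) & 0xFFFFFFFF  # add eax,esi ; sub eax,edi
        buf[i:i + 4] = rel.to_bytes(4, "little")          # mov [edi],eax
        i += 4                                            # add edi,5 (one byte is read above)
        count -= 1                                        # loopd
    return bytes(buf)
```

Note that the stub's import loop at 004180FC..00418141 stores each GetProcAddress result through EBX (mov dword ptr [ebx],eax; add ebx,4), so the IAT that ImportREC has to be pointed at is the region those writes land in within the dump.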