I found "超级巡警暴力文件删除器" (Super Patrol Brute-Force File Deleter) on Heiji (黑基) and used it to practise unpacking.
To start unpacking, check it with PEiD:
UPX V2.00-V2.90 -> Markus Oberhumer & Laszlo Molnar & John Reiser *
I hadn't tried this one before.
After loading it in OD, the key code is as follows:
00581200 > 60 pushad ; stops here
00581201 BE 00105500 mov esi, 00551000
00581206 8DBE 0000EBFF lea edi, [esi+FFEB0000]
0058120C 57 push edi
0058120D 89E5 mov ebp, esp
0058120F 8D9C24 80C1FFFF lea ebx, [esp-3E80]
00581216 31C0 xor eax, eax
00581218 50 push eax
00581219 39DC cmp esp, ebx
0058121B ^ 75 FB jnz short 00581218 ; backward jump here, F4 on the line below
----------------------------------------------------------------------------------------------
005812E8 66:C700 0004 mov word ptr [eax], 400
005812ED 83C0 02 add eax, 2
005812F0 ^ E2 F6 loopd short 005812E8 ; backward jump here, F4 on the line below
005812F2 8B9C24 94000000 mov ebx, [esp+94]
-----------------------------------------------------------------------------------------
00581312 3B5C24 4C cmp ebx, [esp+4C]
00581316 0F84 7C090000 je 00581C98
0058131C 0FB603 movzx eax, byte ptr [ebx]
0058131F C1E7 08 shl edi, 8
00581322 42 inc edx
00581323 43 inc ebx
00581324 09C7 or edi, eax
00581326 83FA 04 cmp edx, 4
00581329 ^ 7E E7 jle short 00581312 ; backward jump here, F4 on the line below
0058132B 8B8C24 A4000000 mov ecx, [esp+A4]
----------------------------------------------------------------------------------------------
00581522 66:894D 00 mov [ebp], cx
00581526 ^ EB 87 jmp short 005814AF ; backward jump here, F4 on the line below
00581528 8B5424 74 mov edx, [esp+74]
----------------------------------------------------------------------------------------
00581C7B ^\0F82 BBF6FFFF jb 0058133C ; backward jump here, F4 on the line below
00581C81 817C24 48 FFFFF>cmp dword ptr [esp+48], 0FFFFFF
----------------------------------------------------------------------------------
There are many more that are handled the same way.
Now the key part. This code:
00581D58 8903 mov [ebx], eax
00581D5A 83C3 04 add ebx, 4
00581D5D ^ EB D8 jmp short 00581D37 ; backward jump here, F4 on the line below
00581D5F FF96 A4CB1800 call [esi+18CBA4] ; if you F4 here, the program runs away
00581D65 8BAE 98CB1800 mov ebp, [esi+18CB98] ; F4 to here; from here on it is all F8
00581D6B 8DBE 00F0FFFF lea edi, [esi-1000]
00581D71 BB 00100000 mov ebx, 1000
00581D76 50 push eax
00581D77 54 push esp
00581D78 6A 04 push 4
00581D7A 53 push ebx
00581D7B 57 push edi
00581D7C FFD5 call ebp
00581D7E 8D87 07020000 lea eax, [edi+207]
00581D84 8020 7F and byte ptr [eax], 7F
00581D87 8060 28 7F and byte ptr [eax+28], 7F
00581D8B 58 pop eax
00581D8C 50 push eax
00581D8D 54 push esp
00581D8E 50 push eax
00581D8F 53 push ebx
00581D90 57 push edi
00581D91 FFD5 call ebp
00581D93 58 pop eax
00581D94 61 popad
00581D95 8D4424 80 lea eax, [esp-80]
00581D99 6A 00 push 0
00581D9B 39C4 cmp esp, eax
00581D9D ^ 75 FA jnz short 00581D99
00581D9F 83EC 80 sub esp, -80
00581DA2 - E9 9533EBFF jmp 0043513C OEP
Dump with OD and save.
OEP: 0043513C
Check with PEiD again:
VC8 -> Microsoft Corporation
Unpacking done.
I don't know whether there are any mistakes; please point them out.
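The tail of the UPX stub shown above is the standard pattern analysts look for when triaging a UPX-packed sample: `popad` restores the registers saved by the `pushad` at the stub entry, a small loop probes the stack, and a `jmp rel32` transfers control to the original entry point (OEP). The script below is an added example, not code from the original post or from the UPX project. It embeds the bytes of that stub tail copied from the listing (a constructed sample, starting at 0x00581D8B) and locates the `popad ... jmp rel32` pattern to compute the OEP the same way OD's display does, which is useful for checking a dump's entry point or for scanning a packed section without a debugger. The helper name `find_upx_oep` and the search window of 32 bytes between `popad` and `jmp` are assumptions of this example.

```python
import re
import struct

# Constructed sample: bytes of the stub tail transcribed from the OD listing
# above, starting at 0x00581D8B (pop eax) and ending with the jmp to the OEP.
STUB_BASE = 0x00581D8B
STUB_BYTES = bytes.fromhex(
    "58"            # 00581D8B  pop eax
    "50"            # 00581D8C  push eax
    "54"            # 00581D8D  push esp
    "50"            # 00581D8E  push eax
    "53"            # 00581D8F  push ebx
    "57"            # 00581D90  push edi
    "FFD5"          # 00581D91  call ebp
    "58"            # 00581D93  pop eax
    "61"            # 00581D94  popad
    "8D442480"      # 00581D95  lea eax, [esp-80]
    "6A00"          # 00581D99  push 0
    "39C4"          # 00581D9B  cmp esp, eax
    "75FA"          # 00581D9D  jnz short 00581D99
    "83EC80"        # 00581D9F  sub esp, -80
    "E99533EBFF"    # 00581DA2  jmp 0043513C (OEP)
)

# popad (0x61), then at most 32 bytes of stack fix-up, then jmp rel32 (0xE9).
# The window size is an assumption chosen to cover the UPX 2.x tail above.
UPX_TAIL = re.compile(rb"\x61.{0,32}?\xE9(.{4})", re.S)


def find_upx_oep(stub, base):
    """Return (jmp_va, oep) for the first popad...jmp rel32 tail in `stub`,
    where `base` is the virtual address of stub[0]. Returns None if absent."""
    m = UPX_TAIL.search(stub)
    if m is None:
        return None
    rel = struct.unpack("<i", m.group(1))[0]   # rel32 is signed
    jmp_va = base + m.start(1) - 1             # address of the E9 opcode
    oep = (jmp_va + 5 + rel) & 0xFFFFFFFF      # target = next instruction + rel32
    return jmp_va, oep


def oep_looks_plausible(oep, jmp_va):
    """Sanity check: UPX places the stub after the unpacked code, so the OEP is
    expected to lie below the jmp, in the original code section."""
    return oep < jmp_va


if __name__ == "__main__":
    jmp_va, oep = find_upx_oep(STUB_BYTES, STUB_BASE)
    print(f"jmp at {jmp_va:08X} -> OEP {oep:08X}, plausible={oep_looks_plausible(oep, jmp_va)}")
```

Running it on the embedded bytes reports the jmp at 00581DA2 and the OEP 0043513C, matching the listing. On a real sample the same search can be run over the raw bytes of the UPX1 section with its virtual address as `base`; if the pattern is missing or the target lies above the stub, the file is probably not a stock UPX build and deserves closer inspection.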