I had some free time and decided to try unpacking OllyDbg. Below is my unpacking walkthrough; if I made any mistakes, please point them out, seniors.
Tool used: OllyDbg 1.10
Detection tool: PEiD
First I used PEiD to scan OllyDbg's packer: it was packed with ASPack 2.12. Then I opened OllyDbg and loaded the file; at this point an entry-point warning pops up, click Yes. In general you single-step with F8; when you hit a loop, use F4 after the loop to get out of it; for a CALL close to the main program use F7, for a distant one use F8; there is also a more troublesome kind that needs a breakpoint. The main idea of unpacking is to keep the program moving forward. When unpacking manually, load the program with OllyDbg; the unpacking stub contains many loops. When dealing with a loop you can only let the program run forward and basically must not let it jump back; you have to find a way to break out of the loop. After N jumps you land at the OEP.
00539001 > 60 PUSHAD ; the first instruction PUSHAD pairs with a POPAD, so the entry point should be near the POPAD
00539002 E8 03000000 CALL Ollydbg.0053900A ; near CALL, step with F7
00539007 - E9 EB045D45 JMP 45B094F7 ; returns here, then keep going
0053900C 55 PUSH EBP
0053900D C3 RETN ; a return here
0053900E E8 01000000 CALL Ollydbg.00539014 ; near CALL, step with F7
00539013 EB 5D JMP SHORT Ollydbg.00539072
00539015 BB EDFFFFFF MOV EBX, -13
0053901A 03DD ADD EBX, EBP
0053901C 81EB 00901300 SUB EBX, 139000
00539022 83BD 22040000 0>CMP DWORD PTR SS:[EBP+422], 0
00539029 899D 22040000 MOV DWORD PTR SS:[EBP+422], EBX
0053902F 0F85 65030000 JNZ Ollydbg.0053939A
00539035 8D85 2E040000 LEA EAX, DWORD PTR SS:[EBP+42E]
0053903B 50 PUSH EAX
0053903C FF95 4D0F0000 CALL NEAR DWORD PTR SS:[EBP+F4D]
00539042 8985 26040000 MOV DWORD PTR SS:[EBP+426], EAX
005390E5 56 PUSH ESI
005390E6 8B1E MOV EBX, DWORD PTR DS:[ESI]
005390E8 039D 22040000 ADD EBX, DWORD PTR SS:[EBP+422]
005390EE FFB5 56010000 PUSH DWORD PTR SS:[EBP+156]
005390F4 FF76 04 PUSH DWORD PTR DS:[ESI+4]
005390F7 50 PUSH EAX
005390F8 53 PUSH EBX ; Ollydbg.00401000
0053913E 43 INC EBX
0053913F 49 DEC ECX
00539140 ^ EB EB JMP SHORT Ollydbg.0053912D ; jumps back
00539142 8B06 MOV EAX, DWORD PTR DS:[ESI] ; use F4 here to run past the loop
00539144 EB 00 JMP SHORT Ollydbg.00539146
00539146 803E 16 CMP BYTE PTR DS:[ESI], 16
00539149 ^ 75 F3 JNZ SHORT Ollydbg.0053913E ; jumps back again
0053914B 24 00 AND AL, 0 ; use F4 here to run past the loop
0053914D C1C0 18 ROL EAX, 18
00539150 2BC3 SUB EAX, EBX
00539152 8906 MOV DWORD PTR DS:[ESI], EAX
00539154 83C3 05 ADD EBX, 5
00539157 83C6 04 ADD ESI, 4
0053915A 83E9 05 SUB ECX, 5
0053915D ^ EB CE JMP SHORT Ollydbg.0053912D ; jumps back
0053915F 5B POP EBX ; same as above
00539160 5E POP ESI
00539163 /EB 08 JMP SHORT Ollydbg.0053916D
00539165 |0000 ADD BYTE PTR DS:[EAX], AL
00539167 |95 XCHG EAX, EBP
00539168 |0100 ADD DWORD PTR DS:[EAX], EAX
0053916A |003A ADD BYTE PTR DS:[EDX], BH
0053916C |008B C88B3E03 ADD BYTE PTR DS:[EBX+33E8BC8], CL
00539191 FFB5 52010000 PUSH DWORD PTR SS:[EBP+152]
00539197 FF95 51050000 CALL NEAR DWORD PTR SS:[EBP+551]
0053919D 83C6 08 ADD ESI, 8
005391A0 833E 00 CMP DWORD PTR DS:[ESI], 0
005391A3 ^ 0F85 1EFFFFFF JNZ Ollydbg.005390C7 ; jumps back
005391A9 68 00800000 PUSH 8000 ; same as above
005391AE 6A 00 PUSH 0
005391D4 8B85 2D050000 MOV EAX, DWORD PTR SS:[EBP+52D] ; Ollydbg.00400000
005391DA 2BD0 SUB EDX, EAX
005391DC 74 79 JE SHORT Ollydbg.00539257 ; jumps down
005391DE 8BC2 MOV EAX, EDX
00539257 8B95 22040000 MOV EDX, DWORD PTR SS:[EBP+422] ; Ollydbg.00400000
0053925D 8BB5 41050000 MOV ESI, DWORD PTR SS:[EBP+541]
00539263 0BF6 OR ESI, ESI
00539265 74 11 JE SHORT Ollydbg.00539278 ; jumps down again
00539267 03F2 ADD ESI, EDX
00539269 AD LODS DWORD PTR DS:[ESI]
0053928A /0F84 0A010000 JE Ollydbg.0053939A ; press Enter here to follow the jump down
00539290 03C2 ADD EAX, EDX
00539292 8BD8 MOV EBX, EAX
00539294 50 PUSH EAX
00539295 FF95 4D0F0000 CALL NEAR DWORD PTR SS:[EBP+F4D]
0053929B 85C0 TEST EAX, EAX
0053929D 75 07 JNZ SHORT Ollydbg.005392A6 ; jumps down
0053929F 53 PUSH EBX
005392A0 FF95 510F0000 CALL NEAR DWORD PTR SS:[EBP+F51]
005392A6 8985 45050000 MOV DWORD PTR SS:[EBP+545], EAX
005392AC C785 49050000 0>MOV DWORD PTR SS:[EBP+549], 0
005392B6 8B95 22040000 MOV EDX, DWORD PTR SS:[EBP+422]
Key point
005392C7 0385 49050000 ADD EAX, DWORD PTR SS:[EBP+549]
005392CD 8B18 MOV EBX, DWORD PTR DS:[EAX]
005392CF 8B7E 10 MOV EDI, DWORD PTR DS:[ESI+10]
005392D2 03FA ADD EDI, EDX
005392D4 03BD 49050000 ADD EDI, DWORD PTR SS:[EBP+549]
005392DA 85DB TEST EBX, EBX
005392DC 0F84 A2000000 JE Ollydbg.00539384 ; press Enter here
005392E2 F7C3 00000080 TEST EBX, 80000000
005392E8 75 04 JNZ SHORT Ollydbg.005392EE
005392EA 03DA ADD EBX, EDX
00539373 57 PUSH EDI
00539374 EB 4A JMP SHORT Ollydbg.005393C0
00539376 8907 MOV DWORD PTR DS:[EDI], EAX
00539378 8385 49050000 0>ADD DWORD PTR SS:[EBP+549], 4
0053937F ^ E9 32FFFFFF JMP Ollydbg.005392B6
00539384 8906 MOV DWORD PTR DS:[ESI], EAX ; press F2, F9, F2 in turn to run the program to here; whatever pops up, click Yes
00539386 8946 0C MOV DWORD PTR DS:[ESI+C], EAX
00539389 8946 10 MOV DWORD PTR DS:[ESI+10], EAX
0053938C 83C6 14 ADD ESI, 14
0053938F 8B95 22040000 MOV EDX, DWORD PTR SS:[EBP+422]
00539395 ^ E9 EBFEFFFF JMP Ollydbg.00539285 ; go back and find absolute address 0053928A
0053939A B8 00100000 MOV EAX, 1000 ; jump here, then press F2, F9, F2 in turn
0053939F 50 PUSH EAX
005393A0 0385 22040000 ADD EAX, DWORD PTR SS:[EBP+422]
005393A6 59 POP ECX
005393A7 0BC9 OR ECX, ECX
005393A9 8985 A8030000 MOV DWORD PTR SS:[EBP+3A8], EAX
005393AF 61 POPAD ; here is the POPAD matching the PUSHAD, so the entry point is nearby
005393B0 75 08 JNZ SHORT Ollydbg.005393BA
005393B2 B8 01000000 MOV EAX, 1
005393B7 C2 0C00 RETN 0C
005393BA 68 00000000 PUSH 0
005393BF C3 RETN ; after stepping across the section boundary here you can see the program has changed a great deal
005393C0 8B85 26040000 MOV EAX, DWORD PTR SS:[EBP+426]
005393C6 8D8D 3B040000 LEA ECX, DWORD PTR SS:[EBP+43B]
005393CC 51 PUSH ECX
005393CD 50 PUSH EAX
005393CE FF95 490F0000 CALL NEAR DWORD PTR SS:[EBP+F49]
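The PEiD detection step at the start of the post can be reproduced in a few lines. The following is an added example, not code from the original post or from PEiD: a PEiD-style entry-point signature built only from the stub bytes listed above (00539001 to 00539021), with the `SUB EBX` immediate wildcarded because it depends on where the stub sits in the image. The section table and the two on-disk images it is checked against are constructed for the example.

```python
# Added example: PEiD-style entry-point signature check for the ASPack 2.12
# stub shown in the listing. Signature and sample data are constructed here,
# not taken from the PEiD database.

# Bytes of the stub at 00539001-00539021 in the listing; the two middle bytes
# of the SUB EBX, 139000 immediate (90 13) are image-specific, hence "??".
ASPACK_212_SIG = (
    "60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D "
    "BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00"
)

# Constructed layout mirroring the listing: image base 0x400000, entry at
# 0x539001, so entry RVA 0x139001 inside a packer section starting at 0x139000.
ENTRY_RVA = 0x139001
SECTIONS = [  # (VirtualAddress, SizeOfRawData, PointerToRawData), constructed
    (0x001000, 0x138000, 0x000400),
    (0x139000, 0x002000, 0x138400),
]
ASPACK_STUB = bytes.fromhex(  # the listing's bytes, first 40 of the stub
    "60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D "
    "BB ED FF FF FF 03 DD 81 EB 00 90 13 00 83 BD 22 04 00 00 00"
)
PLAIN_STUB = bytes.fromhex("55 8B EC 83 EC 40")  # constructed unpacked prologue

def parse_sig(text):
    """Turn 'AA ?? BB' into a list of ints, with None for wildcard bytes."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def sig_matches(data, sig, offset=0):
    """True if every non-wildcard signature byte equals data[offset + i]."""
    if offset + len(sig) > len(data):
        return False
    return all(b is None or data[offset + i] == b for i, b in enumerate(sig))

def rva_to_file_offset(rva, sections):
    """Map an RVA to a raw file offset via the section table; None if unmapped."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    return None

def entry_is_aspack212(image, entry_rva, sections):
    """Does the code at the PE entry point match the ASPack 2.12 stub signature?"""
    off = rva_to_file_offset(entry_rva, sections)
    return off is not None and sig_matches(image, parse_sig(ASPACK_212_SIG), off)

def build_image(entry_code):
    """Constructed stand-in for a file on disk: zeros plus code at the entry."""
    img = bytearray(0x138400 + 0x2000)
    off = rva_to_file_offset(ENTRY_RVA, SECTIONS)
    img[off:off + len(entry_code)] = entry_code
    return bytes(img)

def check_samples():
    """Returns (packed_detected, plain_detected) for the two constructed images."""
    return (entry_is_aspack212(build_image(ASPACK_STUB), ENTRY_RVA, SECTIONS),
            entry_is_aspack212(build_image(PLAIN_STUB), ENTRY_RVA, SECTIONS))
```

On a real file the same check would read the entry RVA and section table out of the PE headers instead of the constructed constants above.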
Opening the dumped file with PEiD shows this software was written in C++. The unpacked file cannot be opened directly; it only runs after the import table is repaired. I did repair it once, but it still would not open; maybe the file itself has a checksum, so it won't run after being unpacked! If any senior sees this post, could you please explain how to repair the IAT?