1.UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo
对Delphi程序加的UPX0.89的壳
手脱基本是向上跳的不能让它向上跳,按F4下去,最后有个大回跳(一般是JMP),就到OEP了
0046AD4B 83C3 04 add ebx,4
0046AD4E ^ EB E1 jmp short UPX_0_89.0046AD31
0046AD50 FF96 64AA0600 call dword ptr ds:[esi+6AA64]
0046AD56 61 popad
0046AD57 ^ E9 98CBFEFF jmp UPX_0_89.004578F4 //过了此句就到OEP了
返回后来到这里是第一句
004578F4 > /55 push ebp
004578F5 . |8BEC mov ebp,esp
004578F7 . |83C4 F4 add esp,-0C
004578FA . |B8 AC774500 mov eax,UPX_0_89.004577AC
看入口语言特征,判断为Delphi语言代码.
当然用ESP定律更快到OEP (在ESP和EIP同时为红色时->在数据窗口跟随->断点->设置硬件访问断点->Word,F9运行到JMP)
2.JDPack 1.x / JDProtect 0.9 -> TLZJ18 Software
手脱同上,基本是不能向上走,走到popad后下面有个retn,返回后就到OEP
返回后来到这里是第一句
004035C9 6A 00 push 0
004035CB E8 A20A0000 call JDPack_1.00404072 ; jmp 到
004035D0 A3 5B704000 mov dword ptr ds:[40705B],eax
004035D5 68 80000000 push 80
看入口语言特征,判断为汇编语言代码.
当然用ESP定律更快到OEP(设置 内存访问异常和同时忽略以下指定的异常或者异常范围 为不打勾)
0040E3F8 894424 1C mov dword ptr ss:[esp+1C],eax
0040E3FC 61 popad
0040E3FD 50 push eax ; JDPack_1.004035C9 //断下后停在这里,返回后就到OEP
0040E3FE C3 retn
3.EZIP 1.0 -> Jonathan Clark [Overlay]
手脱基本是向上跳的不能让它向上跳,按F4下去,此壳基本上没什么跳转的,
00410684 5B pop ebx
00410685 8BE5 mov esp,ebp
00410687 5D pop ebp
00410688 - FFE0 jmp eax ; EZIP_1_0.004010CC //这里就到OEP了,不能用F4过,认得路的可以直接在此下断
0041068A 5F pop edi
看入口语言特征,判断为Visual C++语言代码.
004010CC 55 push ebp
004010CD 8BEC mov ebp,esp
004010CF 83EC 44 sub esp,44
004010D2 56 push esi
004010D3 FF15 E4634000 call dword ptr ds:[4063E4] ; kernel32.GetCommandLineA
当然用ESP定律更快到OEP(设置同上)
4.DxPack V0.86 -> Dxd *
手脱基本是向上跳的不能让它向上跳,单步F8来到这里
0040D0E7 /74 6E je short DxPack_V.0040D157 //这里和下面0040D151 FFA5 BA114000 jmp dword ptr ss:[ebp+4011BA]构成循环,如果单步下去,
0040D0E9 |03C7 add eax,edi //到了下面的(0040D151)JMP就过不去,所以在这里修改(寄存器窗口)跳转标志Z=1 ,到下面
0040D0EB |50 push eax
0040D0EC |FF95 34124000 call dword ptr ss:[ebp+401234]
0040D0F2 |0BC0 or eax,eax
0040D0F4 |74 43 je short DxPack_V.0040D139
................................................................//中间省略了
0040D148 |51 push ecx
0040D149 |6A 00 push 0
0040D14B |FF95 BE114000 call dword ptr ss:[ebp+4011BE]
0040D151 |FFA5 BA114000 jmp dword ptr ss:[ebp+4011BA]
0040D157 \8B85 9C124000 mov eax,dword ptr ss:[ebp+40129C] //经过修改后就来到这里,看到下面的JMP了吗?呵呵,过了后面就是OEP了
0040D15D 03C7 add eax,edi //再说一句,用这种方法在修复IAT时会遇到很多无法修复的无效指针,
0040D15F 894424 1C mov dword ptr ss:[esp+1C],eax //这时可以用打开原来加壳的程序,再修复IAT(因为被跳过了)
0040D163 61 popad
0040D164 FFE0 jmp eax //过了此句
004010CC 55 push ebp //来到这里
004010CD 8BEC mov ebp,esp
004010CF 83EC 44 sub esp,44
看入口语言特征,判断为Visual C++语言代码.
最好的处理这段的过程是在0040D0E7时按Enter(回车),光标来到0040D157,在这里F2下断,然后按F9运行(处理IAT),再几下单步就到JMP了.
此时可以用ImportRec自动修复IAT,不用再打开加壳程序.
当然用ESP定律更快到OEP(设置同上)
5.ASPack 2.11 -> Alexey Solodovnikov
用ESP定律吧,
0040D001 > 60 pushad //过了这句,(下设置硬件访问断点->Word,F9运行)
0040D002 E9 3D040000 jmp ASPack_2.0040D444
0040D007 45 inc ebp
0040D3AA 61 popad
0040D3AB 75 08 jnz short ASPack_2.0040D3B5 //来到这里,单步F8走,跳转
0040D3AD B8 01000000 mov eax,1
0040D3B2 C2 0C00 retn 0C
0040D3B5 68 CC104000 push ASPack_2.004010CC //到这里,retn后就是OEP了
0040D3BA C3 retn
004010CC 55 push ebp //到这里,看入口语言特征,判断为Visual C++语言代码.
004010CD 8BEC mov ebp,esp
004010CF 83EC 44 sub esp,44
004010D2 56 push esi
004010D3 FF15 E4634000 call dword ptr ds:[4063E4] ; kernel32.GetCommandLineA
下面手脱吧
单步走(走啊走啊走)
0040D444 81DD 719D2555 sbb ebp,55259D71
0040D44A E8 14000000 call ASPack_2.0040D463 //到这里用F7过,不具体指出的都用F8过
0040D44F 47 inc edi
0040D52D 66:8BD5 mov dx,bp
0040D530 81D9 4192AA90 sbb ecx,90AA9241
0040D536 ^ E9 00FFFFFF jmp ASPack_2.0040D43B //大大的回跳,不能在下面用F4过,过不去的,F8走
0040D53B A9 55C3500F test eax,0F50C355
0040D43B ^\E9 C7FBFFFF jmp ASPack_2.0040D007 //到这里,又是一个JMP,F8走
0040D007 E8 24040000 call ASPack_2.0040D430 //到这里,F8走,保守点的可以见CALL就F7
0040D00C EB 00 jmp short ASPack_2.0040D00E //到这里,F8走
0040D00E BB 30394400 mov ebx,443930
0040D028 /0F85 66030000 jnz ASPack_2.0040D394 //这里大跳转但是没跳,(很可疑)在此句上按Enter
0040D02E |C785 33394400 0>mov dword ptr ss:[ebp+443933],0
................................................................ //中间省略了
0040D389 |8B95 FC494400 mov edx,dword ptr ss:[ebp+4449FC]
0040D38F ^|E9 EBFEFFFF jmp ASPack_2.0040D27F
0040D394 \8B85 AD394400 mov eax,dword ptr ss:[ebp+4439AD] //来到这里,下F2断点,然后F9停在这里,单步走
0040D39A 50 push eax
0040D39B 0385 FC494400 add eax,dword ptr ss:[ebp+4449FC]
0040D3A1 59 pop ecx
0040D3A2 0BC9 or ecx,ecx
0040D3A4 8985 E63C4400 mov dword ptr ss:[ebp+443CE6],eax
0040D3AA 61 popad //见到熟悉的了吧,堆栈平衡
0040D3AB 75 08 jnz short ASPack_2.0040D3B5
0040D3AD B8 01000000 mov eax,1
0040D3B2 C2 0C00 retn 0C
0040D3B5 68 00000000 push 0
0040D3BA C3 retn //返回就是OEP了
6.Dxpack 0.86
查壳->什么都没找到,核心扫描为ARJ Archive [Overlay] *
手脱吧
但步走
0040E019 83EE 03 sub esi,3
0040E01C ^ 75 F7 jnz short Dxpack_0.0040E015 //来到这里,下面
0040E01E 90 nop
0040E01F 90 nop
0040E020 1C DC sbb al,0DC //在这里F4
0040E020 E8 7D010000 call Dxpack_0.0040E1A2 //变成这样了,保险可以F7进,F8也可以过,就F8过吧
0040E025 0000 add byte ptr ds:[eax],al
0040E027 0000 add byte ptr ds:[eax],al
0040E029 0040 00 add byte ptr ds:[eax],al
0040D000 60 pushad //一直单步到这里,继续F8,过了这句可以用ESP定律,到JMP后就是OEP了
0040D001 E8 00000000 call Dxpack_0.0040D006 //我们还是单步吧,F7过
0040D006 5D pop ebp
0040D007 8BFD mov edi,ebp
0040D009 81ED 06104000 sub ebp,Dxpack_0.00401006
0040D00F 2BBD 94124000 sub edi,dword ptr ss:[ebp+401294]
0040D015 81EF 06000000 sub edi,6
0040D01B 83BD 14134000 0>cmp dword ptr ss:[ebp+401314],1
0040D022 0F84 2F010000 je Dxpack_0.0040D157 //大跳转,没实现,很可疑,按Enter,下断,F9继续
0040D028 C785 14134000 0>mov dword ptr ss:[ebp+401314],1
0040D157 8B85 9C124000 mov eax,dword ptr ss:[ebp+40129C] //到这里,先到下面的JMP EAX了吗,很可能马上到OEP了:)眼前一片光明
0040D15D 03C7 add eax,edi
0040D15F 894424 1C mov dword ptr ss:[esp+1C],eax
0040D163 61 popad
0040D164 FFE0 jmp eax //就是这里拉,
0040D166 4B dec ebx
004010CC 55 push ebp //入口语言特征VC++
004010CD 8BEC mov ebp,esp
004010CF 83EC 44 sub esp,44
是不是想快速脱壳(没办法了)
打开菜单 选项->调试设置(Alt+O),选SFX项,选 字节方式跟踪真正入口(很慢) ,按Ctrl+F2,一会就到OEP,呵呵,快吧,懒方法,推荐手脱(基础中的基础)
7.FSG 1.33 -> dulek/xt
004103E3 > BE A4014000 mov esi,fsg_1_33.004001A4 //OD载入后来到这里
004103E8 AD lods dword ptr ds:[esi]
004103E9 93 xchg eax,ebx
004103EA AD lods dword ptr ds:[esi]
004103EB 97 xchg eax,edi
004103EC AD lods dword ptr ds:[esi]
004103ED 56 push esi
004103EE 96 xchg eax,esi
004103EF B2 80 mov dl,80
004103F1 A4 movs byte ptr es:[edi],byte ptr ds:[es>
004103F2 B6 80 mov dh,80
004103F4 FF13 call dword ptr ds:[ebx]
004103F6 ^ 73 F9 jnb short fsg_1_33.004103F1
004103F8 33C9 xor ecx,ecx
004103FA FF13 call dword ptr ds:[ebx]
004103FC 73 16 jnb short fsg_1_33.00410414
004103FE 33C0 xor eax,eax
00410400 FF13 call dword ptr ds:[ebx]
00410402 73 1F jnb short fsg_1_33.00410423
00410404 B6 80 mov dh,80
00410406 41 inc ecx
00410407 B0 10 mov al,10
00410409 FF13 call dword ptr ds:[ebx]
0041040B 12C0 adc al,al
0041040D ^ 73 FA jnb short fsg_1_33.00410409
0041040F 75 3C jnz short fsg_1_33.0041044D
00410411 AA stos byte ptr es:[edi]
00410412 ^ EB E0 jmp short fsg_1_33.004103F4
00410414 FF53 08 call dword ptr ds:[ebx+8]
00410417 02F6 add dh,dh
00410419 83D9 01 sbb ecx,1
0041041C 75 0E jnz short fsg_1_33.0041042C
0041041E FF53 04 call dword ptr ds:[ebx+4]
00410421 EB 26 jmp short fsg_1_33.00410449
00410423 AC lods byte ptr ds:[esi]
00410424 D1E8 shr eax,1
00410426 74 2F je short fsg_1_33.00410457
00410428 13C9 adc ecx,ecx
0041042A EB 1A jmp short fsg_1_33.00410446
0041042C 91 xchg eax,ecx
0041042D 48 dec eax
0041042E C1E0 08 shl eax,8
00410431 AC lods byte ptr ds:[esi]
00410432 FF53 04 call dword ptr ds:[ebx+4]
00410435 3D 007D0000 cmp eax,7D00
0041043A 73 0A jnb short fsg_1_33.00410446
0041043C 80FC 05 cmp ah,5
0041043F 73 06 jnb short fsg_1_33.00410447
00410441 83F8 7F cmp eax,7F
00410444 77 02 ja short fsg_1_33.00410448
00410446 41 inc ecx
00410447 41 inc ecx
00410448 95 xchg eax,ebp
00410449 8BC5 mov eax,ebp
0041044B B6 00 mov dh,0
0041044D 56 push esi
0041044E 8BF7 mov esi,edi
00410450 2BF0 sub esi,eax
00410452 F3:A4 rep movs byte ptr es:[edi],byte ptr ds>
00410454 5E pop esi
00410455 ^ EB 9D jmp short fsg_1_33.004103F4
00410457 8BD6 mov edx,esi
00410459 5E pop esi
0041045A AD lods dword ptr ds:[esi]
0041045B 48 dec eax
0041045C 74 0A je short fsg_1_33.00410468
0041045E 79 02 jns short fsg_1_33.00410462
00410460 AD lods dword ptr ds:[esi]
00410461 50 push eax
00410462 56 push esi
00410463 8BF2 mov esi,edx
00410465 97 xchg eax,edi
00410466 ^ EB 87 jmp short fsg_1_33.004103EF
00410468 AD lods dword ptr ds:[esi]
00410469 93 xchg eax,ebx
0041046A 5E pop esi
0041046B 46 inc esi
0041046C AD lods dword ptr ds:[esi]
0041046D 97 xchg eax,edi
0041046E 56 push esi
0041046F FF13 call dword ptr ds:[ebx]
00410471 95 xchg eax,ebp
00410472 AC lods byte ptr ds:[esi]
00410473 84C0 test al,al
00410475 ^ 75 FB jnz short fsg_1_33.00410472
00410477 FE0E dec byte ptr ds:[esi]
00410479 ^ 74 F0 je short fsg_1_33.0041046B
0041047B 79 05 jns short fsg_1_33.00410482
0041047D 46 inc esi
0041047E AD lods dword ptr ds:[esi]
0041047F 50 push eax
00410480 EB 09 jmp short fsg_1_33.0041048B
00410482 FE0E dec byte ptr ds:[esi]
00410484 - 0F84 420CFFFF je fsg_1_33.004010CC //看到吧,因为是记事本的10CC特别熟悉,但是这句跳转没有实现,怎么办?
//在这里按Enter,来到OEP了吧(看特征码是VC++),按F2下断,再F9运行,接着脱壳+修复
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课