UPACK是国人写的一个压缩壳,压缩率极高!!竟然把PE头也压掉了,竟然还能运行,真服了Dwing
PEiD查壳:Upack 0.3.9 beta2s -> Dwing
OD打开:
0048B954 > 60 pushad //外壳入口
0048B955 E8 09000000 call Project2.0048B963 //变形JMP,F7跟进
0048B95A D2B7 0800E906 sal byte ptr ds:[edi+6E90008],cl
0048B960 0200 add al,byte ptr ds:[eax]
0048B962 0033 add byte ptr ds:[ebx],dh
0048B964 C9 leave
0048B965 5E pop esi
0048B966 870E xchg dword ptr ds:[esi],ecx
0048B968 ^ E3 F4 jecxz short Project2.0048B95E
.........
0048B963 33C9 xor ecx,ecx
0048B965 5E pop esi
0048B966 870E xchg dword ptr ds:[esi],ecx
0048B968 ^ E3 F4 jecxz short Project2.0048B95E
0048B96A 2BF1 sub esi,ecx
0048B96C 8BDE mov ebx,esi
0048B96E AD lods dword ptr ds:[esi]
0048B96F 2BD8 sub ebx,eax
0048B971 AD lods dword ptr ds:[esi]
0048B972 03C3 add eax,ebx
0048B974 50 push eax
0048B975 97 xchg eax,edi
0048B976 AD lods dword ptr ds:[esi]
0048B977 91 xchg eax,ecx
0048B978 F3:A5 rep movs dword ptr es:[edi],dword>
0048B97A 5E pop esi
0048B97B AD lods dword ptr ds:[esi]
0048B97C 56 push esi
0048B97D 91 xchg eax,ecx
0048B97E 011E add dword ptr ds:[esi],ebx
0048B980 AD lods dword ptr ds:[esi]
0048B981 ^\E2 FB loopd short Project2.0048B97E
0048B983 AD lods dword ptr ds:[esi] //F4运行到所选
0048B984 8D6E 10 lea ebp,dword ptr ds:[esi+10]
0048B987 015D 00 add dword ptr ss:[ebp],ebx
0048B98A 8D7D 1C lea edi,dword ptr ss:[ebp+1C]
0048B98D B5 1C mov ch,1C
0048B98F F3:AB rep stos dword ptr es:[edi]
0048B991 5E pop esi
0048B992 AD lods dword ptr ds:[esi]
0048B993 53 push ebx
0048B994 50 push eax
0048B995 51 push ecx
0048B996 97 xchg eax,edi
0048B997 58 pop eax
0048B998 8D5485 5C lea edx,dword ptr ss:[ebp+eax*4+5>
0048B99C FF16 call near dword ptr ds:[esi]
0048B99E /72 57 jb short Project2.0048B9F7 //大跳转按右键跟随
0048B9A0 |2C 03 sub al,3
0048B9A2 |73 02 jnb short Project2.0048B9A6
0048B9A4 |B0 00 mov al,0
0048B9A6 |3C 07 cmp al,7
0048B9A8 |72 02 jb short Project2.0048B9AC
0048B9AA |2C 03 sub al,3
0048B9AC |50 push eax
0048B9AD |0FB65F FF movzx ebx,byte ptr ds:[edi-1]
0048B9B1 |C1E3 03 shl ebx,3
0048B9B4 |B3 00 mov bl,0
0048B9B6 |8D1C5B lea ebx,dword ptr ds:[ebx+ebx*2]
0048B9B9 |8D9C9D 0C100000 lea ebx,dword ptr ss:[ebp+ebx*4+1>
0048B9C0 |B0 01 mov al,1
.....
0048B9F7 B1 30 mov cl,30 //F4到这
0048B9F9 8B5D 0C mov ebx,dword ptr ss:[ebp+C]
0048B9FC 03D1 add edx,ecx
0048B9FE FF16 call near dword ptr ds:[esi]
0048BA00 73 4C jnb short Project2.0048BA4E
0048BA02 03D1 add edx,ecx
0048BA04 FF16 call near dword ptr ds:[esi]
0048BA06 72 19 jb short Project2.0048BA21
0048BA08 03D1 add edx,ecx
0048BA0A FF16 call near dword ptr ds:[esi]
0048BA0C 72 29 jb short Project2.0048BA37
///////////////////////
0048BA4E 3C 07 cmp al,7
0048BA50 B0 07 mov al,7
0048BA52 72 02 jb short Project2.0048BA56
0048BA54 B0 0A mov al,0A
0048BA56 50 push eax
0048BA57 875D 10 xchg dword ptr ss:[ebp+10],ebx
0048BA5A 875D 14 xchg dword ptr ss:[ebp+14],ebx
0048BA5D 895D 18 mov dword ptr ss:[ebp+18],ebx
0048BA60 8BD5 mov edx,ebp
0048BA62 0356 3C add edx,dword ptr ds:[esi+3C]
0048BA65 FF56 0C call near dword ptr ds:[esi+C]
0048BA68 6A 03 push 3
0048BA6A 59 pop ecx
0048BA6B 50 push eax
0048BA6C 48 dec eax
0048BA6D 3BC1 cmp eax,ecx
0048BA6F 72 02 jb short Project2.0048BA73
0048BA71 8BC1 mov eax,ecx
0048BA73 C1E0 06 shl eax,6
0048BA76 B1 40 mov cl,40
0048BA78 8D9C85 7C030000 lea ebx,dword ptr ss:[ebp+eax*4+3>
0048BA7F FF56 04 call near dword ptr ds:[esi+4]
0048BA82 3C 04 cmp al,4
0048BA84 8BD8 mov ebx,eax
0048BA86 72 5F jb short Project2.0048BAE7 //又一个大跳转,跟吧兄弟!
0048BA88 33DB xor ebx,ebx
0048BA8A D1E8 shr eax,1
0048BA8C 13DB adc ebx,ebx
0048BA8E 48 dec eax
0048BA8F 43 inc ebx
0048BA90 91 xchg eax,ecx
0048BA91 43 inc ebx
0048BA92 D3E3 shl ebx,cl
0048BA94 80F9 05 cmp cl,5
.....................
0048BAE7 43 inc ebx
0048BAE8 59 pop ecx
0048BAE9 895D 0C mov dword ptr ss:[ebp+C],ebx
0048BAEC 56 push esi
0048BAED 8BF7 mov esi,edi
0048BAEF 2BF3 sub esi,ebx
0048BAF1 F3:A4 rep movs byte ptr es:[edi],byte p>
0048BAF3 AC lods byte ptr ds:[esi]
0048BAF4 5E pop esi
0048BAF5 B1 80 mov cl,80
0048BAF7 AA stos byte ptr es:[edi]
0048BAF8 3B7E 24 cmp edi,dword ptr ds:[esi+24]
0048BAFB 73 03 jnb short Project2.0048BB00
0048BAFD FF66 20 jmp near dword ptr ds:[esi+20]
0048BB00 58 pop eax //F4到所选
0048BB01 8B4E 40 mov ecx,dword ptr ds:[esi+40]
0048BB04 5F pop edi
0048BB05 5A pop edx
0048BB06 57 push edi
0048BB07 E3 1B jecxz short Project2.0048BB24 //跟!
0048BB09 8A07 mov al,byte ptr ds:[edi]
0048BB0B 47 inc edi
0048BB0C 04 18 add al,18
0048BB0E 3C 02 cmp al,2
0048BB10 ^ 73 F7 jnb short Project2.0048BB09
0048BB12 8B07 mov eax,dword ptr ds:[edi]
0048BB14 3C 14 cmp al,14
0048BB16 ^ 75 F1 jnz short Project2.0048BB09
0048BB18 B0 00 mov al,0
0048BB1A 0FC8 bswap eax
0048BB1C 0346 14 add eax,dword ptr ds:[esi+14]
0048BB1F 2BC7 sub eax,edi
0048BB21 AB stos dword ptr es:[edi]
0048BB22 ^ E2 E5 loopd short Project2.0048BB09
0048BB24 8B5E 28 mov ebx,dword ptr ds:[esi+28]
............
0048BB24 8B5E 28 mov ebx,dword ptr ds:[esi+28]
0048BB27 56 push esi
0048BB28 52 push edx
0048BB29 8B76 2C mov esi,dword ptr ds:[esi+2C]
0048BB2C 46 inc esi
0048BB2D AD lods dword ptr ds:[esi]
0048BB2E 85C0 test eax,eax
0048BB30 5A pop edx
0048BB31 74 22 je short Project2.0048BB55 //跟
0048BB33 03C2 add eax,edx
0048BB35 52 push edx
0048BB36 56 push esi
0048BB37 97 xchg eax,edi
0048BB38 FF53 FC call near dword ptr ds:[ebx-4]
0048BB3B 95 xchg eax,ebp
0048BB3C AC lods byte ptr ds:[esi]
0048BB3D 84C0 test al,al
0048BB3F ^ 75 FB jnz short Project2.0048BB3C
0048BB41 3806 cmp byte ptr ds:[esi],al
0048BB43 ^ 74 E7 je short Project2.0048BB2C
0048BB45 8BC6 mov eax,esi
0048BB47 79 05 jns short Project2.0048BB4E
................
0048BB55 59 pop ecx
0048BB56 5F pop edi
0048BB57 8B49 44 mov ecx,dword ptr ds:[ecx+44]
0048BB5A E3 0D jecxz short Project2.0048BB69 //这个要注意,是跳到出口,跟随
0048BB5C 33C0 xor eax,eax
0048BB5E AC lods byte ptr ds:[esi]
0048BB5F 3C 04 cmp al,4
0048BB61 72 0C jb short Project2.0048BB6F
0048BB63 03F8 add edi,eax
0048BB65 0117 add dword ptr ds:[edi],edx
0048BB67 ^ E2 F3 loopd short Project2.0048BB5C
0048BB69 61 popad //下断,运行到所选
0048BB6A - E9 8D38FCFF jmp Project2.0044F3FC //跳去OEP
0048BB6F 2C 01 sub al,1
...................
0044F3FC 55 push ebp //熟悉的PUSH EBP
0044F3FD 8BEC mov ebp,esp
0044F3FF 83C4 F0 add esp,-10
0044F402 B8 1CF24400 mov eax,Project2.0044F21C