4楼 (post #4)
////////////////////////////////////////////////////////////////////////////////////////////
Title: Manual unpacking of nSPack 2.1 - 2.5
Target program: a sample program downloaded from PEDIY (看雪)
Environment: Windows XP SP2
Tool used: OllyDbg 1.10
Author: Coderui
Date: 2008-06-23
Contact: coderui@163.com
Author's blog: http://hi.baidu.com/coderui
---------------------------------------------------------------------------------------------
Introduction:
I have written up manual unpacking methods for a few lower versions of the nSPack compressor before. Over the weekend I came across the "nSPack 2.1 - 2.5 -> North Star/Liu Xing Ping" packer, and saw many people online asking how to unpack it but few replying. Perhaps because it is too simple, nobody bothered to answer. Today I am taking some time to write up the manual unpacking method for this packer and share it with everyone; I hope it helps beginners. Experts are of course welcome to offer valuable comments or suggestions, thanks!
---------------------------------------------------------------------------------------------
OD settings: (set OD not to ignore any exceptions. [F2]: set a software breakpoint; [F4]: run to the selected line; [F7]: step into; [F8]: step over; [F9]: run.)
Please follow the annotations in order (00)-(01)-(02)…(99), otherwise it is easy to get confused.
00419400 > /E9 00000000 JMP 样本.00419405 ; (00) Stops here after loading; step down with [F8].
00419405 \60 PUSHAD
00419406 61 POPAD
00419407 BA 44094100 MOV EDX,样本.00410944
0041940C 52 PUSH EDX
0041940D C3 RETN ; (01) Return (jump).
.
.
.
00410944 BA 0E944100 MOV EDX,样本.0041940E ; (02) Jumps here; step down with [F8].
00410949 52 PUSH EDX
0041094A C3 RETN ; (03) Return (jump).
.
.
.
0041940E BA 44094100 MOV EDX,样本.00410944 ; (04) Jumps here; step down with [F8].
00419413 B8 E9327E00 MOV EAX,7E32E9
00419418 8902 MOV DWORD PTR DS:[EDX],EAX
0041941A 83C2 03 ADD EDX,3
0041941D B8 0000C74E MOV EAX,4EC70000
00419422 8902 MOV DWORD PTR DS:[EDX],EAX
00419424 83C2 FD ADD EDX,-3
00419427 FFE2 JMP EDX ; (05) Jump.
.
.
.
00410944 - E9 327E0000 JMP 样本.0041877B ; (06) Jumps here; press [F8] to take the jump.
00410949 C7 ??? ; unknown command
0041094A 4E DEC ESI
0041094B FFC3 INC EBX
0041094D FFFF ??? ; unknown command
0041094F EB 0A JMP SHORT 样本.0041095B
.
.
.
0041877B 68 13884100 PUSH 样本.00418813 ; (07) Jumps here; press [F8] once.
00418780 E8 84FEFFFF CALL 样本.00418609 ; (08) Once here, press [F7] to step into.
00418785 41 INC ECX
00418786 A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00418787 0018 ADD BYTE PTR DS:[EAX],BL
00418789 14 3C ADC AL,3C
0041878B 38041C CMP BYTE PTR SS:[ESP+EBX],AL
0041878E 080C30 OR BYTE PTR DS:[EAX+ESI],CL
00418791 2810 SUB BYTE PTR DS:[EAX],DL
00418793 01A1 5B094100 ADD DWORD PTR DS:[ECX+41095B],ESP
00418799 F4 HLT ; privileged command
0041879A 2031 AND BYTE PTR DS:[ECX],DH
.
.
.
00418609 56 PUSH ESI ; (09) Stepped in here; step down with [F8].
0041860A 51 PUSH ECX
0041860B 57 PUSH EDI
0041860C 53 PUSH EBX
0041860D 50 PUSH EAX
0041860E 9C PUSHFD
0041860F 51 PUSH ECX
00418610 55 PUSH EBP
00418611 52 PUSH EDX
00418612 68 00000000 PUSH 0
00418617 8B7424 2C MOV ESI,DWORD PTR SS:[ESP+2C]
0041861B 89E5 MOV EBP,ESP
0041861D 81EC C0000000 SUB ESP,0C0
00418623 89E7 MOV EDI,ESP
00418625 0375 00 ADD ESI,DWORD PTR SS:[EBP]
00418628 8A06 MOV AL,BYTE PTR DS:[ESI]
0041862A 46 INC ESI
0041862B 0FB6C0 MOVZX EAX,AL
0041862E FF2485 2B814100 JMP DWORD PTR DS:[EAX*4+41812B] ; (10) This is a backward jump; press [F8] to take it.
.
.
.
004185DC 80E0 3C AND AL,3C ; (11) After jumping here, look downward and find the RETN.
004185DF 8B55 00 MOV EDX,DWORD PTR SS:[EBP]
004185E2 83C5 04 ADD EBP,4
004185E5 891407 MOV DWORD PTR DS:[EDI+EAX],EDX
004185E8 E9 3B000000 JMP 样本.00418628
004185ED 8B45 00 MOV EAX,DWORD PTR SS:[EBP]
004185F0 0145 04 ADD DWORD PTR SS:[EBP+4],EAX
004185F3 9C PUSHFD
004185F4 8F45 00 POP DWORD PTR SS:[EBP]
004185F7 E9 2C000000 JMP 样本.00418628
004185FC 89EC MOV ESP,EBP
004185FE 5A POP EDX
004185FF 5A POP EDX
00418600 5D POP EBP
00418601 59 POP ECX
00418602 9D POPFD
00418603 58 POP EAX
00418604 5B POP EBX
00418605 5F POP EDI
00418606 5E POP ESI
00418607 5E POP ESI
00418608 C3 RETN ; (12) Set a software breakpoint here with [F2], then run with [F9]. Once it stops here, first remove the breakpoint you just set, then press [F8] to return (jump).
.
.
.
0041094C C3 RETN ; (13) Jumps here; press [F8] to return (jump) again.
0041094D FFFF ??? ; unknown command
0041094F EB 0A JMP SHORT 样本.0041095B
00410951 E8 40FFFF94 CALL 95410896
.
.
.
0041883A 68 87874100 PUSH 样本.00418787 ; (14) Jumps here; press [F8] once.
0041883F E8 C5FDFFFF CALL 样本.00418609 ; (15) Once here, press [F7] to step into.
00418844 8571 1F TEST DWORD PTR DS:[ECX+1F],ESI
00418847 9F LAHF
00418848 6910 14200030 IMUL EDX,DWORD PTR DS:[EAX],30002014
0041884E 1C 34 SBB AL,34
00418850 04 08 ADD AL,8
00418852 182428 SBB BYTE PTR DS:[EAX+EBP],AH
00418855 0C 38 OR AL,38
00418857 1A08 SBB CL,BYTE PTR DS:[EAX]
00418859 53 PUSH EBX
0041885A 3A53 3A CMP DL,BYTE PTR DS:[EBX+3A]
0041885D 692C4D 08733877>IMUL EBP,DWORD PTR DS:[ECX*2+77387308],A>
00418868 3C 0F CMP AL,0F
0041886A 92 XCHG EAX,EDX
0041886B 04 F4 ADD AL,0F4
0041886D 0C 37 OR AL,37
0041886F 24 0C AND AL,0C
00418871 25 3F736FE4 AND EAX,E46F733F
00418876 71 0E JNO SHORT 样本.00418886
.
.
.
00418609 56 PUSH ESI ; (16) Stepped in here; step down with [F8].
0041860A 51 PUSH ECX
0041860B 57 PUSH EDI
0041860C 53 PUSH EBX
0041860D 50 PUSH EAX
0041860E 9C PUSHFD
0041860F 51 PUSH ECX
00418610 55 PUSH EBP
00418611 52 PUSH EDX
00418612 68 00000000 PUSH 0
00418617 8B7424 2C MOV ESI,DWORD PTR SS:[ESP+2C]
0041861B 89E5 MOV EBP,ESP
0041861D 81EC C0000000 SUB ESP,0C0
00418623 89E7 MOV EDI,ESP
00418625 0375 00 ADD ESI,DWORD PTR SS:[EBP]
00418628 8A06 MOV AL,BYTE PTR DS:[ESI]
0041862A 46 INC ESI
0041862B 0FB6C0 MOVZX EAX,AL
0041862E FF2485 2B814100 JMP DWORD PTR DS:[EAX*4+41812B] ; (17) This is a backward jump; press [F8] to take it.
.
.
.
004185DC 80E0 3C AND AL,3C
004185DF 8B55 00 MOV EDX,DWORD PTR SS:[EBP]
004185E2 83C5 04 ADD EBP,4
004185E5 891407 MOV DWORD PTR DS:[EDI+EAX],EDX
004185E8 E9 3B000000 JMP 样本.00418628
004185ED 8B45 00 MOV EAX,DWORD PTR SS:[EBP]
004185F0 0145 04 ADD DWORD PTR SS:[EBP+4],EAX
004185F3 9C PUSHFD
004185F4 8F45 00 POP DWORD PTR SS:[EBP]
004185F7 E9 2C000000 JMP 样本.00418628
004185FC 89EC MOV ESP,EBP
004185FE 5A POP EDX
004185FF 5A POP EDX
00418600 5D POP EBP
00418601 59 POP ECX
00418602 9D POPFD
00418603 58 POP EAX
00418604 5B POP EBX
00418605 5F POP EDI
00418606 5E POP ESI
00418607 5E POP ESI
00418608 C3 RETN ; (18) Set a software breakpoint here with [F2], then run with [F9]. Once it stops here, first remove the breakpoint you just set, then press [F8] to return (jump).
.
.
.
0041095B /E9 5B010000 JMP 样本.00410ABB ; (19) Jumps here; press [F8] to take the jump.
00410960 |8DB5 BCFDFFFF LEA ESI,DWORD PTR SS:[EBP-244]
00410966 |8B06 MOV EAX,DWORD PTR DS:[ESI]
00410968 |83F8 01 CMP EAX,1
0041096B |0F84 4B020000 JE 样本.00410BBC
.
.
.
00410ABB 90 NOP ; (20) After jumping here, keep stepping down with [F8].
00410ABC 90 NOP
00410ABD 90 NOP
00410ABE 90 NOP
00410ABF 90 NOP
00410AC0 90 NOP
00410AC1 90 NOP
00410AC2 90 NOP
00410AC3 90 NOP
00410AC4 90 NOP
00410AC5 90 NOP
00410AC6 90 NOP
00410AC7 90 NOP
00410AC8 90 NOP
00410AC9 90 NOP
00410ACA 90 NOP
00410ACB 90 NOP
00410ACC 90 NOP
00410ACD 90 NOP
00410ACE 90 NOP
00410ACF 90 NOP
00410AD0 90 NOP
00410AD1 90 NOP
00410AD2 90 NOP
00410AD3 90 NOP
00410AD4 90 NOP
00410AD5 90 NOP
00410AD6 90 NOP
00410AD7 90 NOP
00410AD8 90 NOP
00410AD9 90 NOP
00410ADA 90 NOP
00410ADB 90 NOP
00410ADC 90 NOP
00410ADD 90 NOP
00410ADE 90 NOP
00410ADF 90 NOP
00410AE0 90 NOP
00410AE1 90 NOP
00410AE2 90 NOP
00410AE3 90 NOP
00410AE4 90 NOP
00410AE5 90 NOP
00410AE6 90 NOP
00410AE7 90 NOP
00410AE8 90 NOP
00410AE9 90 NOP
00410AEA 90 NOP
00410AEB 90 NOP
00410AEC 90 NOP
00410AED 90 NOP
00410AEE 90 NOP
00410AEF 90 NOP
00410AF0 90 NOP
00410AF1 90 NOP
00410AF2 90 NOP
00410AF3 90 NOP
00410AF4 90 NOP
00410AF5 90 NOP
00410AF6 90 NOP
00410AF7 90 NOP
00410AF8 90 NOP
00410AF9 90 NOP
00410AFA 90 NOP
00410AFB 90 NOP
00410AFC 90 NOP
00410AFD 90 NOP
00410AFE 90 NOP
00410AFF 90 NOP
00410B00 90 NOP
00410B01 90 NOP
00410B02 90 NOP
00410B03 90 NOP
00410B04 90 NOP
00410B05 90 NOP
00410B06 90 NOP
00410B07 90 NOP
00410B08 90 NOP
00410B09 90 NOP
00410B0A 90 NOP
00410B0B 90 NOP
00410B0C 90 NOP
00410B0D 90 NOP
00410B0E 90 NOP
00410B0F 90 NOP
00410B10 90 NOP
00410B11 90 NOP
00410B12 90 NOP
00410B13 90 NOP
00410B14 90 NOP
00410B15 90 NOP
00410B16 90 NOP
00410B17 90 NOP
00410B18 90 NOP
00410B19 9C PUSHFD
00410B1A 60 PUSHAD
00410B1B E8 00000000 CALL 样本.00410B20 ; (21) Step over this with [F8].
00410B20 5D POP EBP
00410B21 81ED DC010000 SUB EBP,1DC
00410B27 ^ E9 34FEFFFF JMP 样本.00410960 ; (22) This is a backward jump (really a CALL); we don't need to take it, just run to the next line with [F4].
00410B2C 8DB5 50FDFFFF LEA ESI,DWORD PTR SS:[EBP-2B0] ; (23) Run to here with [F4].
00410B32 8B16 MOV EDX,DWORD PTR DS:[ESI]
00410B34 8DB5 ACFDFFFF LEA ESI,DWORD PTR SS:[EBP-254]
00410B3A 8B06 MOV EAX,DWORD PTR DS:[ESI]
00410B3C 83F8 01 CMP EAX,1
00410B3F 75 42 JNZ SHORT 样本.00410B83 ; (24) Press [F8] to jump down.
.
.
.
00410B83 8BDD MOV EBX,EBP ; (25) Jumps here; step down with [F8].
00410B85 81EB 08000000 SUB EBX,8
00410B8B 33C9 XOR ECX,ECX
00410B8D 8A0B MOV CL,BYTE PTR DS:[EBX]
00410B8F 90 NOP
00410B90 F9 STC
00410B91 007428 43 ADD BYTE PTR DS:[EAX+EBP+43],DH
00410B95 8DB5 50FDFFFF LEA ESI,DWORD PTR SS:[EBP-2B0]
00410B9B 8B16 MOV EDX,DWORD PTR DS:[ESI]
00410B9D 56 PUSH ESI
00410B9E 51 PUSH ECX
00410B9F 53 PUSH EBX
00410BA0 52 PUSH EDX
00410BA1 56 PUSH ESI
00410BA2 FF33 PUSH DWORD PTR DS:[EBX]
00410BA4 FF73 04 PUSH DWORD PTR DS:[EBX+4]
00410BA7 8B43 08 MOV EAX,DWORD PTR DS:[EBX+8]
00410BAA 03C2 ADD EAX,EDX
00410BAC 50 PUSH EAX
00410BAD FF95 F4FDFFFF CALL DWORD PTR SS:[EBP-20C] ; kernel32.VirtualProtect
00410BB3 5A POP EDX
00410BB4 5B POP EBX
00410BB5 59 POP ECX
00410BB6 5E POP ESI
00410BB7 83C3 0C ADD EBX,0C
00410BBA ^ E2 E1 LOOPD SHORT 样本.00410B9D ; (26) This is the loop's backward jump; we don't need to take it, just run to the next line with [F4].
00410BBC B8 00000000 MOV EAX,0 ; (27) Run to here with [F4].
00410BC1 EB 01 JMP SHORT 样本.00410BC4 ; (28) Jumps to 00410BC4; press [F8] to take it.
00410BC3 C3 RETN
00410BC4 EB 01 JMP SHORT 样本.00410BC7 ; (29) Jumps to 00410BC7; press [F8] to take it.
00410BC6 C3 RETN
00410BC7 EB 01 JMP SHORT 样本.00410BCA ; (30) Jumps to 00410BCA; press [F8] to take it.
00410BC9 C3 RETN
00410BCA ^ EB AF JMP SHORT 样本.00410B7B ; (31) Backward jump to 00410B7B; press [F8] to take it.
.
.
.
00410B7B 61 POPAD ; (32) Jumps here; single-step down with [F8].
00410B7C 9D POPFD
00410B7D EB 4E JMP SHORT 样本.00410BCD ; (33) Jumps down; press [F8] to take it.
.
.
.
00410BCD - E9 EE16FFFF JMP 样本.004022C0 ; (34) After jumping here, press [F8] to take the jump; this is the "leap into the light".
00410BD2 8BB5 48FDFFFF MOV ESI,DWORD PTR SS:[EBP-2B8]
00410BD8 0BF6 OR ESI,ESI
.
.
.
004022C0 . E8 970B0000 CALL 样本.00402E5C ; [InitCommonControls (this is the program's OEP after unpacking; dump here, then fix the program's import table and you are done).
004022C5 . E8 C60A0000 CALL 样本.00402D90 ; [GetCommandLineA
004022CA . 8BF0 MOV ESI,EAX
004022CC . 6A 00 PUSH 0 ; /Arg3 = 00000000
004022CE . 68 B3534000 PUSH 样本.004053B3 ; |Arg2 = 004053B3 ASCII "silent"
004022D3 . 56 PUSH ESI ; |Arg1
004022D4 . E8 570D0000 CALL 样本.00403030 ; \样本.00403030
004022D9 . A2 F7594000 MOV BYTE PTR DS:[4059F7],AL
004022DE . 6A 00 PUSH 0 ; /Arg3 = 00000000
004022E0 . 68 BA534000 PUSH 样本.004053BA ; |Arg2 = 004053BA ASCII "backup"
004022E5 . 56 PUSH ESI ; |Arg1
004022E6 . E8 450D0000 CALL 样本.00403030 ; \样本.00403030
004022EB . A2 F8594000 MOV BYTE PTR DS:[4059F8],AL
004022F0 . 6A 00 PUSH 0 ; /Arg3 = 00000000
004022F2 . 68 C1534000 PUSH 样本.004053C1 ; |Arg2 = 004053C1 ASCII "overwrite"
004022F7 . 56 PUSH ESI ; |Arg1
004022F8 . E8 330D0000 CALL 样本.00403030 ; \样本.00403030
004022FD . A2 F9594000 MOV BYTE PTR DS:[4059F9],AL
00402302 . 68 39554000 PUSH 样本.00405539 ; /Arg3 = 00405539
00402307 . 68 CB534000 PUSH 样本.004053CB ; |Arg2 = 004053CB ASCII "startupworkdir"
0040230C . 56 PUSH ESI ; |Arg1
0040230D . E8 1E0D0000 CALL 样本.00403030 ; \样本.00403030
00402312 . 3C 01 CMP AL,1
00402314 . 75 19 JNZ SHORT 样本.0040232F
00402316 . BE FA594000 MOV ESI,样本.004059FA
0040231B . 68 00020000 PUSH 200 ; /DestSizeMax = 200 (512.)
00402320 . 56 PUSH ESI ; |DestString => ""
00402321 . 68 39554000 PUSH 样本.00405539 ; |SrcString = ""
00402326 . E8 530A0000 CALL 样本.00402D7E ; \ExpandEnvironmentStringsA
0040232B . 8BC6 MOV EAX,ESI
0040232D . EB 02 JMP SHORT 样本.00402331
0040232F > 33C0 XOR EAX,EAX
00402331 > 50 PUSH EAX ; /Arg1
00402332 . E8 690D0000 CALL 样本.004030A0 ; \样本.004030A0
00402337 . 6A 00 PUSH 0 ; /pModule = NULL
00402339 . E8 640A0000 CALL 样本.00402DA2 ; \GetModuleHandleA
0040233E . A3 D0544000 MOV DWORD PTR DS:[4054D0],EAX
00402343 . 803D F7594000>CMP BYTE PTR DS:[4059F7],0
0040234A . 75 18 JNZ SHORT 样本.00402364
0040234C . 6A 00 PUSH 0 ; /lParam = NULL
0040234E . 68 D0194000 PUSH 样本.004019D0 ; |DlgProc = 样本.004019D0
00402353 . 6A 00 PUSH 0 ; |hOwner = NULL
00402355 . 6A 01 PUSH 1 ; |pTemplate = 1
00402357 . FF35 D0544000 PUSH DWORD PTR DS:[4054D0] ; |hInst = NULL
0040235D . E8 3E090000 CALL 样本.00402CA0 ; \DialogBoxParamA
00402362 . EB 05 JMP SHORT 样本.00402369
00402364 > E8 07000000 CALL 样本.00402370
00402369 > 6A 00 PUSH 0 ; /ExitCode = 0
0040236B . E8 080A0000 CALL 样本.00402D78 ; \ExitProcess
---------------------------------------------------------------------------------------------
Fixing the import table:
Load the running target process "样本.exe" with the tool ImportREC, set OEP to 000022C0, RVA to 00001000 and Size to 0000F000. Then get the imports, and finally use [Fix Dump] to save the program file. The program runs normally with no functional errors.
---------------------------------------------------------------------------------------------
Summary:
Judging by the structure of the unpacked code, it feels like the program was written in assembly, but PEiD cannot tell which compiler it is, heh!
---------------------------------------------------------------------------------------------
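A worked check of steps (04)-(06) and (34) above, added here as an example; it is not part of Coderui's post. The stub at 0041940E stores EAX=7E32E9 at EDX=00410944 and EAX=4EC70000 at EDX+3, then does JMP EDX. The script replays those two overlapping little-endian stores into a 7-byte buffer and decodes the resulting E9 rel32 to confirm it lands at 0041877B, which is exactly the JMP OllyDbg shows in step (06) (and the C7 / 4E bytes that follow it). The same decoder checks that the final jump at 00410BCD (E9 EE16FFFF) reaches the OEP 004022C0. Every value comes from the listing; the function names are mine.

```python
"""Replay the self-modifying write in steps (04)-(06) of the nSPack stub.

Added example (not from the original post): the stub at 0041940E writes two
dwords at EDX=00410944 and EDX+3, then jumps to EDX.  We emulate the two
overlapping stores into a byte buffer that stands in for the memory at EDX and
decode the E9 rel32 that results, to see where execution lands.
"""
import struct


def emulate_stub_writes(first: int, second: int) -> bytes:
    """Reproduce 'MOV [EDX],EAX ; ADD EDX,3 ; MOV [EDX],EAX'.

    The second store overlaps the first by one byte, so the patched region is
    3 + 4 = 7 bytes long.  Both stores are little-endian dwords.
    """
    buf = bytearray(7)
    buf[0:4] = struct.pack("<I", first)    # MOV DWORD PTR [EDX],EAX   (EAX=first)
    buf[3:7] = struct.pack("<I", second)   # MOV DWORD PTR [EDX+3],EAX (EAX=second)
    return bytes(buf)


def decode_jmp_rel32(code: bytes, address: int) -> int:
    """Decode an E9 rel32 near JMP located at `address` and return its target.

    The displacement is signed and relative to the end of the 5-byte
    instruction, so target = address + 5 + rel32 (mod 2^32).
    """
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 JMP at %#x" % address)
    rel = struct.unpack("<i", code[1:5])[0]
    return (address + 5 + rel) & 0xFFFFFFFF


def stub_jump_target(edx: int = 0x00410944,
                     first: int = 0x007E32E9,
                     second: int = 0x4EC70000) -> int:
    """Defaults are the register values from the listing (EDX, then the two
    EAX values loaded at 00419413 and 0041941D)."""
    return decode_jmp_rel32(emulate_stub_writes(first, second), edx)


if __name__ == "__main__":
    patched = emulate_stub_writes(0x007E32E9, 0x4EC70000)
    print(patched.hex(" ").upper())                 # E9 32 7E 00 00 C7 4E
    print("JMP EDX lands at %#x" % stub_jump_target())
    # The "leap into the light" at 00410BCD: E9 EE16FFFF
    print("OEP jump lands at %#x" %
          decode_jmp_rel32(bytes.fromhex("E9EE16FFFF"), 0x00410BCD))
```

The same two-store trick is why OllyDbg shows "unknown command" at 00410949 before step (04) has run: the bytes there are only valid once the stub has written them.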
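After dumping at the OEP, the dump's PE header still carries the packer's entry point, so AddressOfEntryPoint has to be pointed at the recovered OEP (ImportREC's [Fix Dump] does this when given OEP=000022C0). The Python below, added as an illustration and not taken from the post or from ImportREC, performs that fix-up on a dumped PE32 image and derives the three ImportREC parameters from its section table. It constructs a minimal headers-only image with an invented section layout (.text at RVA 1000 of size F000, and a packer section holding the packed entry at 19400), chosen so that the numbers come out as the ones the author typed; the real sample's section table is not shown in the post, so treat that layout as an assumption. The function names are mine.

```python
"""Patch a dumped PE32 image's entry point to the recovered OEP and derive the
ImportREC parameters (OEP RVA plus the RVA/size of the section holding it).

Added example, not from the original post.  The section layout built by
build_sample_image() is CONSTRUCTED (assumption); the real sample's section
table is not given in the post.
"""
import struct

DOS_MAGIC = 0x5A4D          # "MZ"
PE_SIGNATURE = 0x00004550   # "PE\0\0"
PE32_MAGIC = 0x10B
SECTION_HDR_SIZE = 40


def build_sample_image(image_base=0x00400000, entry_rva=0x00019400):
    """Build a minimal headers-only PE32 image laid out like a memory dump
    (PointerToRawData == VirtualAddress).  Section layout is an assumption."""
    sections = [  # (name, RVA, virtual size)
        (b".text", 0x1000, 0xF000),    # original code; holds the OEP 22C0
        (b".rdata", 0x10000, 0x4000),
        (b".data", 0x14000, 0x5000),
        (b".nsp1", 0x19000, 0x1000),   # packer stub; holds the packed entry 19400
    ]
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, DOS_MAGIC)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine=i386, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                          # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)   # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)       # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)        # FileAlignment
    struct.pack_into("<I", opt, 92, 16)           # NumberOfRvaAndSizes
    sec_hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, rva, vsize, rva, 0, 0, 0, 0, 0x60000020)
        for name, rva, vsize in sections
    )
    return dos + b"PE\0\0" + file_hdr + opt + sec_hdrs


def _nt_header_offset(image):
    if struct.unpack_from("<H", image, 0)[0] != DOS_MAGIC:
        raise ValueError("missing MZ header")
    nt = struct.unpack_from("<I", image, 0x3C)[0]
    if struct.unpack_from("<I", image, nt)[0] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    return nt


def _optional_header_offset(image):
    opt = _nt_header_offset(image) + 24           # 4 (signature) + 20 (file header)
    if struct.unpack_from("<H", image, opt)[0] != PE32_MAGIC:
        raise ValueError("not a PE32 image")
    return opt


def sections(image):
    """Return [(name, rva, virtual_size), ...] from the section table."""
    nt = _nt_header_offset(image)
    nsec = struct.unpack_from("<H", image, nt + 6)[0]
    opt_size = struct.unpack_from("<H", image, nt + 20)[0]
    first = nt + 24 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, rva = struct.unpack_from("<8sII", image, first + SECTION_HDR_SIZE * i)
        out.append((name.rstrip(b"\0").decode("ascii"), rva, vsize))
    return out


def section_for_rva(image, rva):
    """Section (name, rva, size) containing `rva`, or None if it falls in a gap."""
    for name, start, size in sections(image):
        if start <= rva < start + size:
            return name, start, size
    return None


def entry_point_rva(image):
    return struct.unpack_from("<I", image, _optional_header_offset(image) + 16)[0]


def set_entry_point(image, oep_va):
    """Point AddressOfEntryPoint at the OEP given as a virtual address (as read
    off the OllyDbg listing).  Refuses an OEP that lies outside every section,
    the usual sign of a wrong image base or a mistyped address.
    Returns (old_rva, new_rva, containing_section)."""
    opt = _optional_header_offset(image)
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    oep_rva = oep_va - image_base
    hit = section_for_rva(image, oep_rva)
    if hit is None:
        raise ValueError("OEP RVA %#x is not inside any section" % oep_rva)
    old = entry_point_rva(image)
    struct.pack_into("<I", image, opt + 16, oep_rva)
    return old, oep_rva, hit


def fix_dump(image, oep_va):
    """Patch the entry point and return the three numbers ImportREC asks for,
    using the whole section that holds the OEP as the IAT search range; under
    the constructed layout this yields the RVA 1000 / size F000 of the post."""
    _, oep_rva, (_, start, size) = set_entry_point(image, oep_va)
    return {"oep": oep_rva, "rva": start, "size": size}


if __name__ == "__main__":
    dump = build_sample_image()
    print("packed entry: %#x" % entry_point_rva(dump))
    p = fix_dump(dump, 0x004022C0)
    print("OEP=%(oep)08X RVA=%(rva)08X Size=%(size)08X" % p)
```

The refusal in set_entry_point is the check worth keeping: if the OEP you read in OllyDbg does not fall inside any section of the dump, the dump was taken from the wrong module or at the wrong base, and ImportREC will not be able to resolve anything from it either.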