大家好我是HSLYAO和大家分享下这个脱壳的过程!
首先PEID查下!PECompact 2.x -> Jeremy Collake
然后OD载入
00401000 > $ B8 2C815200 mov eax, 0052812C 程序载入停在这里我们F8向下
00401005 . 50 push eax
00401006 . 64:FF35 00000>push dword ptr fs:[0]
0040100D . 64:8925 00000>mov dword ptr fs:[0], esp
00401014 . 33C0 xor eax, eax
00401016 . 8908 mov dword ptr [eax], ecx
00401018 . 50 push eax 这里会跳转,如果F4则OD假死!所以任由他跳转
00401019 . 45 inc ebp
0040101A . 43 inc ebx
0040101B . 6F outs dx, dword ptr es:[edi]
0040101C . 6D ins dword ptr es:[edi], dx
0040101D . 70 61 jo short 00401080
0040101F . 637432 00 arpl word ptr [edx+esi], si
00401023 . 8E13 mov ss, word ptr [ebx]
00401025 . FC cld
00401026 C6 db C6
00401027 1E db 1E
00401028 62 db 62 ; CHAR 'b'
00401029 9A db 9A
0040102A A2 db A2
0040102B 13 db 13
0040102C 5F db 5F ; CHAR '_'
0040102D AC db AC
------------------------------------------------------------------------------------------------------
7C92E460 8B1C24 mov ebx, dword ptr [esp] 这里从00401016跳转过来F8向下
7C92E463 51 push ecx
7C92E464 53 push ebx
7C92E465 E8 E6C40100 call 7C94A950 关健CALL F7进入
7C92E46A 0AC0 or al, al
7C92E46C 74 0C je short 7C92E47A
7C92E46E 5B pop ebx
7C92E46F 59 pop ecx
7C92E470 6A 00 push 0
7C92E472 51 push ecx
7C92E473 E8 C8EBFFFF call ZwContinue 我一直F8跳这里就走不动了以谈不上以下的代码了
7C92E478 EB 0B jmp short 7C92E485
7C92E47A 5B pop ebx
7C92E47B 59 pop ecx
7C92E47C 6A 00 push 0
7C92E47E 51 push ecx
7C92E47F 53 push ebx
7C92E480 E8 0BF5FFFF call ZwRaiseException
7C92E485 83C4 EC add esp, -14
7C92E488 890424 mov dword ptr [esp], eax
7C92E48B C74424 04 01000>mov dword ptr [esp+4], 1
7C92E493 895C24 08 mov dword ptr [esp+8], ebx
7C92E497 C74424 10 00000>mov dword ptr [esp+10], 0
7C92E49F 54 push esp
7C92E4A0 E8 63000000 call RtlRaiseException
7C92E4A5 C2 0800 retn 8
7C92E4A8 > 55 push ebp
7C92E4A9 8BEC mov ebp, esp
-------------------------------------------------------------------------------------
7C94A950 8BFF mov edi, edi 这里由7C92E465跳转过来
7C94A952 55 push ebp
7C94A953 8BEC mov ebp, esp
7C94A955 83EC 64 sub esp, 64
7C94A958 56 push esi
7C94A959 FF75 0C push dword ptr [ebp+C]
7C94A95C 8B75 08 mov esi, dword ptr [ebp+8]
7C94A95F 56 push esi
7C94A960 C645 FF 00 mov byte ptr [ebp-1], 0
7C94A964 E8 ABFFFFFF call 7C94A914 F7进如继续F8则回到7C92E473
7C94A969 84C0 test al, al
7C94A96B 0F85 69390200 jnz 7C96E2DA
7C94A971 53 push ebx
7C94A972 8D45 F4 lea eax, dword ptr [ebp-C]
7C94A975 50 push eax
7C94A976 8D45 F8 lea eax, dword ptr [ebp-8]
7C94A979 50 push eax
7C94A97A E8 5D8AFDFF call 7C9233DC
7C94A97F E8 748AFDFF call 7C9233F8
7C94A984 8365 08 00 and dword ptr [ebp+8], 0
7C94A988 8BD8 mov ebx, eax
7C94A98A 83FB FF cmp ebx, -1
7C94A98D 0F84 8F000000 je 7C94AA22
---------------------------------------------------------------------------------------------------
77C94A950 8BFF mov edi, edi CALL过来这里F8 一直向下
7C94A952 55 push ebp
7C94A953 8BEC mov ebp, esp
7C94A955 83EC 64 sub esp, 64
7C94A958 56 push esi
7C94A959 FF75 0C push dword ptr [ebp+C]
7C94A95C 8B75 08 mov esi, dword ptr [ebp+8]
7C94A95F 56 push esi
7C94A960 C645 FF 00 mov byte ptr [ebp-1], 0
7C94A964 E8 ABFFFFFF call 7C94A914
7C94A969 84C0 test al, al
7C94A96B 0F85 69390200 jnz 7C96E2DA
7C94A971 53 push ebx
7C94A972 8D45 F4 lea eax, dword ptr [ebp-C]
7C94A975 50 push eax
7C94A976 8D45 F8 lea eax, dword ptr [ebp-8]
7C94A979 50 push eax
7C94A97A E8 5D8AFDFF call 7C9233DC
7C94A97F E8 748AFDFF call 7C9233F8
7C94A984 8365 08 00 and dword ptr [ebp+8], 0
7C94A988 8BD8 mov ebx, eax
7C94A98A 83FB FF cmp ebx, -1
7C94A98D 0F84 8F000000 je 7C94AA22
7C94A993 57 push edi
7C94A994 3B5D F8 cmp ebx, dword ptr [ebp-8]
7C94A997 ^ 0F82 79F9FFFF jb 7C94A316
7C94A99D 8D43 08 lea eax, dword ptr [ebx+8]
7C94A9A0 3B45 F4 cmp eax, dword ptr [ebp-C]
7C94A9A3 ^ 0F87 6DF9FFFF ja 7C94A316
7C94A9A9 F6C3 03 test bl, 3
7C94A9AC ^ 0F85 64F9FFFF jnz 7C94A316
7C94A9B2 8B43 04 mov eax, dword ptr [ebx+4]
7C94A9B5 3B45 F8 cmp eax, dword ptr [ebp-8]
7C94A9B8 72 09 jb short 7C94A9C3
7C94A9BA 3B45 F4 cmp eax, dword ptr [ebp-C]
7C94A9BD ^ 0F82 53F9FFFF jb 7C94A316
7C94A9C3 50 push eax
7C94A9C4 E8 67000000 call 7C94AA30
7C94A9C9 84C0 test al, al
7C94A9CB ^ 0F84 45F9FFFF je 7C94A316
7C94A9D1 F605 FAB3997C 8>test byte ptr [7C99B3FA], 80
7C94A9D8 0F85 05390200 jnz 7C96E2E3
7C94A9DE FF73 04 push dword ptr [ebx+4]
7C94A9E1 8D45 EC lea eax, dword ptr [ebp-14]
7C94A9E4 50 push eax
7C94A9E5 FF75 0C push dword ptr [ebp+C]
7C94A9E8 53 push ebx
7C94A9E9 56 push esi
7C94A9EA E8 5888FDFF call 7C923247
7C94A9EF F605 FAB3997C 8>test byte ptr [7C99B3FA], 80
7C94A9F6 8BF8 mov edi, eax
7C94A9F8 0F85 FB380200 jnz 7C96E2F9
7C94A9FE 395D 08 cmp dword ptr [ebp+8], ebx
7C94AA01 0F84 00390200 je 7C96E307
7C94AA07 8BC7 mov eax, edi
7C94AA09 33C9 xor ecx, ecx
7C94AA0B 2BC1 sub eax, ecx
7C94AA0D ^ 0F85 E2F8FFFF jnz 7C94A2F5
7C94AA13 F646 04 01 test byte ptr [esi+4], 1
7C94AA17 0F85 34390200 jnz 7C96E351
7C94AA1D C645 FF 01 mov byte ptr [ebp-1], 1
7C94AA21 5F pop edi
7C94AA22 5B pop ebx
7C94AA23 8A45 FF mov al, byte ptr [ebp-1]
7C94AA26 5E pop esi
7C94AA27 C9 leave
7C94AA28 C2 0800 retn 8 这里跳转7c92e46a
----------------------------------------------------------------------------------------------------
7C92E46A 0AC0 or al, al 跳转过来
7C92E46C 74 0C je short 7C92E47A
7C92E46E 5B pop ebx
7C92E46F 59 pop ecx
7C92E470 6A 00 push 0
7C92E472 51 push ecx
7C92E473 E8 C8EBFFFF call ZwContinue 这里依然F7进入
7C92E478 EB 0B jmp short 7C92E485
---------------------------------------------------------------------
7C92D040 > B8 20000000 mov eax, 20 进入这里
7C92D045 BA 0003FE7F mov edx, 7FFE0300
7C92D04A FF12 call dword ptr [edx] F7进入
-------------------------------------------------------------------------------------
7C92E4F0 > 8BD4 mov edx, esp
7C92E4F2 0F34 sysenter
7C92E4F4 > C3 retn 返回
---------------------------------------------------------------------------------------
0052814F B8 B16E52F0 mov eax, F0526EB1 返回到这里F8一直向下
00528154 64:8F05 0000000>pop dword ptr fs:[0]
0052815B 83C4 04 add esp, 4
0052815E 55 push ebp
0052815F 53 push ebx
00528160 51 push ecx
00528161 57 push edi
00528162 56 push esi
00528163 52 push edx
00528164 8D98 57120010 lea ebx, dword ptr [eax+10001257]
0052816A 8B53 18 mov edx, dword ptr [ebx+18]
0052816D 52 push edx
0052816E 8BE8 mov ebp, eax
00528170 6A 40 push 40
00528172 68 00100000 push 1000
00528177 FF73 04 push dword ptr [ebx+4]
0052817A 6A 00 push 0
0052817C 8B4B 10 mov ecx, dword ptr [ebx+10]
0052817F 03CA add ecx, edx
00528181 8B01 mov eax, dword ptr [ecx]
00528183 FFD0 call eax
00528185 5A pop edx
00528186 8BF8 mov edi, eax
00528188 50 push eax
00528189 52 push edx
0052818A 8B33 mov esi, dword ptr [ebx]
0052818C 8B43 20 mov eax, dword ptr [ebx+20]
0052818F 03C2 add eax, edx
00528191 8B08 mov ecx, dword ptr [eax]
00528193 894B 20 mov dword ptr [ebx+20], ecx
00528196 8B43 1C mov eax, dword ptr [ebx+1C]
00528199 03C2 add eax, edx
0052819B 8B08 mov ecx, dword ptr [eax]
0052819D 894B 1C mov dword ptr [ebx+1C], ecx
005281A0 03F2 add esi, edx
005281A2 8B4B 0C mov ecx, dword ptr [ebx+C]
005281A5 03CA add ecx, edx
005281A7 8D43 1C lea eax, dword ptr [ebx+1C]
005281AA 50 push eax
005281AB 57 push edi
005281AC 56 push esi
005281AD FFD1 call ecx
005281AF 5A pop edx
005281B0 58 pop eax
005281B1 0343 08 add eax, dword ptr [ebx+8]
005281B4 8BF8 mov edi, eax
005281B6 52 push edx
005281B7 8BF0 mov esi, eax
005281B9 8B46 FC mov eax, dword ptr [esi-4]
005281BC 83C0 04 add eax, 4
005281BF 2BF0 sub esi, eax
005281C1 8956 08 mov dword ptr [esi+8], edx
005281C4 8B4B 0C mov ecx, dword ptr [ebx+C]
005281C7 894E 14 mov dword ptr [esi+14], ecx
005281CA FFD7 call edi
005281CC 8985 3F130010 mov dword ptr [ebp+1000133F], eax
005281D2 8BF0 mov esi, eax
005281D4 8B4B 14 mov ecx, dword ptr [ebx+14]
005281D7 5A pop edx
005281D8 EB 0C jmp short 005281E6 向下跳
005281DA 03CA add ecx, edx
005281DC 68 00800000 push 8000
005281E1 6A 00 push 0
005281E3 57 push edi
005281E4 FF11 call dword ptr [ecx]
005281E6 8BC6 mov eax, esi
005281E8 5A pop edx
005281E9 5E pop esi
005281EA 5F pop edi
005281EB 59 pop ecx
005281EC 5B pop ebx
005281ED 5D pop ebp
005281EE FFE0 jmp eax 直接JMP OPE
-------------------------------------------------------------------------------------------------------
00475110 55 db 55 ; CHAR 'U' OEP
00475111 8B db 8B
00475112 EC db EC
00475113 83 db 83
00475114 C4 db C4
00475115 F0 db F0
00475116 B8 db B8
00475117 F0 db F0
00475118 4E db 4E ; CHAR 'N'
00475119 47 db 47 ; CHAR 'G'
0047511A 00 db 00
-----------------------------------------------------------------------------------------------------
有点乱,我自已也乱,完全是一步一步跟下来的,在网上找个教程,用F2断点。结里OD出错,不会了,没办法,只有自已尝试着一点点作了!
这里有一个问题请教大家一下
7C92E473 E8 C8EBFFFF call ZwContinue
7C92E478 EB 0B jmp short 7C92E485
这个代码的意思是什么!为什么不能F4跳过去!
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
