附件:VBExplorer.rar 我是菜鸟,这是手动脱壳时的一点经验,拿出来与大家分享,希望高手不要笑话!本着交流互进的原则。(提醒:调试来源不明的加壳程序时,请在隔离的虚拟机中进行,不要直接在日常工作机上运行。)
工具:Import.Reconstructor.v1.6,Ollydbg.v1.10,PEiD.v0.92.459
1、用PEiD 0.92查壳---》ASPack 2.12 -> Alexey Solodovnikov(PEiD的签名识别可以被伪造,最好结合下面入口处的 pushad / call 特征再确认一次)
2、用Ollydbg调试,找出OEP!
3、用ImportREC重建Import表(ASPack的外壳在填完IAT后,会在0054D384处用一个无意义的值改写每个导入描述符,导入目录已被破坏,所以dump出来的文件必须重建导入表才能运行)
******************************************************************
0054D001 60 pushad ****载入停在这(ASPack的壳入口;也可以在这条执行完后对esp下硬件访问断点即"ESP定律",F9后会直接断在下面0054D3AF的popad附近)*******
0054D002 E8 03000000 call VBExplor.0054D00A *****用F7进CALL子程序*****
0054D007 - E9 EB045D45 jmp 45B1D4F7 ******OD这一行的反汇编是错的:CALL实际返回到0054D008(见下面子程序里的inc ebp),0054D007处的E9是干扰字节,0054D008处的真实指令是 EB 04 = jmp short 0054D00E ******
0054D00C 55 push ebp
0054D00D C3 retn
0054D00E E8 01000000 call VBExplor.0054D014 *****用F7进CALL子程序*****
*************************0054D00A CALL子程序***********************************
0054D00A 5D pop ebp
0054D00B 45 inc ebp
0054D00C 55 push ebp
0054D00D C3 retn ****返回 0054D008(pop ebp取到返回地址0054D007,inc ebp后变成0054D008,再push/retn,正好跳过那个干扰字节)********
*********************0054D014 CALL子程序****************************************
0054D014 5D pop ebp
0054D015 BB EDFFFFFF mov ebx,-13
0054D01A 03DD add ebx,ebp
0054D01C 81EB 00D01400 sub ebx,14D000
0054D022 83BD 22040000 00 cmp dword ptr ss:[ebp+422],0
0054D029 899D 22040000 mov dword ptr ss:[ebp+422],ebx ****ebp=0054D013(上面call的返回地址被pop进ebp),ebx=ebp-13h-14D000h=00400000h即实际加载基址,存入[ebp+422];后面的OEP和IAT地址都以它为基准****
0054D02F 0F85 65030000 jnz VBExplor.0054D39A
0054D035 8D85 2E040000 lea eax,dword ptr ss:[ebp+42E]
0054D03B 50 push eax
0054D03C FF95 4D0F0000 call dword ptr ss:[ebp+F4D]
0054D042 8985 26040000 mov dword ptr ss:[ebp+426],eax
0054D048 8BF8 mov edi,eax
0054D04A 8D5D 5E lea ebx,dword ptr ss:[ebp+5E]
0054D04D 53 push ebx
0054D04E 50 push eax
0054D04F FF95 490F0000 call dword ptr ss:[ebp+F49]
0054D055 8985 4D050000 mov dword ptr ss:[ebp+54D],eax ****[ebp+54D]应为VirtualAlloc:ebp+5E=0054D071,就是夹在上面jmp eax(0054D06F)和0054D08A之间的函数名字符串;后面0054D0BB处的调用参数(0,1800h,1000h=MEM_COMMIT,4=PAGE_READWRITE)也可以印证****
0054D05B 8D5D 6B lea ebx,dword ptr ss:[ebp+6B]
0054D05E 53 push ebx
0054D05F 57 push edi
0054D060 FF95 490F0000 call dword ptr ss:[ebp+F49]
0054D066 8985 51050000 mov dword ptr ss:[ebp+551],eax ****[ebp+551]应为VirtualFree:字符串在ebp+6B=0054D07E;后面0054D197处的调用参数(addr,0,8000h=MEM_RELEASE)可以印证****
0054D06C 8D45 77 lea eax,dword ptr ss:[ebp+77]
0054D06F FFE0 jmp eax ****转跳到 0054D08A******
*****************************************************************
0054D08A 8B9D 31050000 mov ebx,dword ptr ss:[ebp+531]
0054D090 0BDB or ebx,ebx
0054D092 74 0A je short VBExplor.0054D09E
0054D094 8B03 mov eax,dword ptr ds:[ebx]
0054D096 8785 35050000 xchg dword ptr ss:[ebp+535],eax
0054D09C 8903 mov dword ptr ds:[ebx],eax
0054D09E 8DB5 69050000 lea esi,dword ptr ss:[ebp+569]
0054D0A4 833E 00 cmp dword ptr ds:[esi],0
0054D0A7 0F84 21010000 je VBExplor.0054D1CE
0054D0AD 6A 04 push 4
0054D0AF 68 00100000 push 1000
0054D0B4 68 00180000 push 1800
0054D0B9 6A 00 push 0
0054D0BB FF95 4D050000 call dword ptr ss:[ebp+54D] ****VirtualAlloc(0,1800h,MEM_COMMIT,PAGE_READWRITE),申请解压用的临时缓冲区,结果存入[ebp+156]****
0054D0C1 8985 56010000 mov dword ptr ss:[ebp+156],eax
0054D0C7 8B46 04 mov eax,dword ptr ds:[esi+4]
0054D0CA 05 0E010000 add eax,10E
0054D0CF 6A 04 push 4
0054D0D1 68 00100000 push 1000
0054D0D6 50 push eax
0054D0D7 6A 00 push 0
0054D0D9 FF95 4D050000 call dword ptr ss:[ebp+54D]
0054D0DF 8985 52010000 mov dword ptr ss:[ebp+152],eax
0054D0E5 56 push esi
0054D0E6 8B1E mov ebx,dword ptr ds:[esi]
0054D0E8 039D 22040000 add ebx,dword ptr ss:[ebp+422]
0054D0EE FFB5 56010000 push dword ptr ss:[ebp+156]
0054D0F4 FF76 04 push dword ptr ds:[esi+4]
0054D0F7 50 push eax
0054D0F8 53 push ebx
0054D0F9 E8 6E050000 call VBExplor.0054D66C ****应为解压子程序(代码未贴出),把当前区段解压到ebx指向的真实区段地址;这里用F8步过即可,不必F7进入****
0054D0FE B3 01 mov bl,1 ****注意这条是自修改代码:立即数原本是0,第一个区段处理完后被0054D105处的 inc byte ptr [ebp+EC] 改成了1(ebp+EC=0054D0FF,正是这个立即数的位置),所以只有第一个区段会走下面的E8/E9修复循环,之后的区段直接跳到0054D163****
0054D100 80FB 00 cmp bl,0
0054D103 75 5E jnz short VBExplor.0054D163
0054D105 FE85 EC000000 inc byte ptr ss:[ebp+EC] ****改写0054D0FE处mov bl的立即数,见上****
0054D10B 8B3E mov edi,dword ptr ds:[esi]
0054D10D 03BD 22040000 add edi,dword ptr ss:[ebp+422]
0054D113 FF37 push dword ptr ds:[edi]
0054D115 C607 C3 mov byte ptr ds:[edi],0C3
0054D118 FFD7 call edi
0054D11A 8F07 pop dword ptr ds:[edi]
0054D11C 50 push eax
0054D11D 51 push ecx
0054D11E 56 push esi
0054D11F 53 push ebx
0054D120 8BC8 mov ecx,eax
0054D122 83E9 06 sub ecx,6
0054D125 8BB5 52010000 mov esi,dword ptr ss:[ebp+152]
0054D12B 33DB xor ebx,ebx
0054D12D 0BC9 or ecx,ecx ***回跳到这里***
0054D12F 74 2E je short VBExplor.0054D15F ***强行跳转(提醒:这个循环是把代码段里E8/E9后面的操作数还原成真正的相对偏移,如果是改标志位强行跳出,剩下没处理的call/jmp就会错位,dump出来的程序跑不起来;更稳妥的做法是在0054D15F下断点然后F9让它自己跑完)**
0054D131 78 2C js short VBExplor.0054D15F
0054D133 AC lods byte ptr ds:[esi]
0054D134 3C E8 cmp al,0E8
0054D136 74 0A je short VBExplor.0054D142 ***强行跳转**
0054D138 EB 00 jmp short VBExplor.0054D13A
0054D13A 3C E9 cmp al,0E9
0054D13C 74 04 je short VBExplor.0054D142
0054D13E 43 inc ebx
0054D13F 49 dec ecx
0054D140 ^ EB EB jmp short VBExplor.0054D12D ***回跳***
0054D142 8B06 mov eax,dword ptr ds:[esi]
0054D144 EB 00 jmp short VBExplor.0054D146
0054D146 803E 16 cmp byte ptr ds:[esi],16
0054D149 ^ 75 F3 jnz short VBExplor.0054D13E
0054D14B 24 00 and al,0
0054D14D C1C0 18 rol eax,18
0054D150 2BC3 sub eax,ebx
0054D152 8906 mov dword ptr ds:[esi],eax
0054D154 83C3 05 add ebx,5
0054D157 83C6 04 add esi,4
0054D15A 83E9 05 sub ecx,5
0054D15D ^ EB CE jmp short VBExplor.0054D12D ***回跳***
0054D15F 5B pop ebx
0054D160 5E pop esi
0054D161 59 pop ecx
0054D162 58 pop eax
0054D163 EB 08 jmp short VBExplor.0054D16D
0054D165 0000 add byte ptr ds:[eax],al
0054D167 AC lods byte ptr ds:[esi]
0054D168 0000 add byte ptr ds:[eax],al
0054D16A 003D 008BC88B add byte ptr ds:[8BC88B00],bh
0054D170 3E:03BD 22040000 add edi,dword ptr ds:[ebp+422]
0054D177 8BB5 52010000 mov esi,dword ptr ss:[ebp+152]
0054D17D C1F9 02 sar ecx,2
0054D180 F3:A5 rep movs dword ptr es:[edi],dword>
0054D182 8BC8 mov ecx,eax
0054D184 83E1 03 and ecx,3
0054D187 F3:A4 rep movs byte ptr es:[edi],byte p>
0054D189 5E pop esi
0054D18A 68 00800000 push 8000
0054D18F 6A 00 push 0
0054D191 FFB5 52010000 push dword ptr ss:[ebp+152]
0054D197 FF95 51050000 call dword ptr ss:[ebp+551]
0054D19D 83C6 08 add esi,8
0054D1A0 833E 00 cmp dword ptr ds:[esi],0
0054D1A3 ^ 0F85 1EFFFFFF jnz VBExplor.0054D0C7 ***回跳***
0054D1A9 68 00800000 push 8000 ***F4运行到这里(F4是"执行到光标处",不是步入;所有区段都解压完后才会落到这里)***
0054D1AE 6A 00 push 0
0054D1B0 FFB5 56010000 push dword ptr ss:[ebp+156]
0054D1B6 FF95 51050000 call dword ptr ss:[ebp+551]
0054D1BC 8B9D 31050000 mov ebx,dword ptr ss:[ebp+531]
0054D1C2 0BDB or ebx,ebx
0054D1C4 74 08 je short VBExplor.0054D1CE
0054D1C6 8B03 mov eax,dword ptr ds:[ebx]
0054D1C8 8785 35050000 xchg dword ptr ss:[ebp+535],eax
0054D1CE 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
0054D1D4 8B85 2D050000 mov eax,dword ptr ss:[ebp+52D]
0054D1DA 2BD0 sub edx,eax
0054D1DC 74 79 je short VBExplor.0054D257 ***跳转(edx=实际基址,eax=[ebp+52D]应为原始ImageBase;两者相等说明没有被重定位,于是跳过0054D1DE–0054D256之间的重定位处理)**
******************************************************************
0054D257 8B95 22040000 mov edx,dword ptr ss:[ebp+422] ***到这里***
0054D25D 8BB5 41050000 mov esi,dword ptr ss:[ebp+541]
0054D263 0BF6 or esi,esi
0054D265 74 11 je short VBExplor.0054D278
0054D267 03F2 add esi,edx
0054D269 AD lods dword ptr ds:[esi]
0054D26A 0BC0 or eax,eax
0054D26C 74 0A je short VBExplor.0054D278
0054D26E 03C2 add eax,edx
0054D270 8BF8 mov edi,eax
0054D272 66:AD lods word ptr ds:[esi]
0054D274 66:AB stos word ptr es:[edi]
0054D276 ^ EB F1 jmp short VBExplor.0054D269
0054D278 BE 30B80E00 mov esi,0EB830
0054D27D 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
0054D283 03F2 add esi,edx
0054D285 8B46 0C mov eax,dword ptr ds:[esi+C]
0054D288 85C0 test eax,eax
0054D28A 0F84 0A010000 je VBExplor.0054D39A
0054D290 03C2 add eax,edx
0054D292 8BD8 mov ebx,eax
0054D294 50 push eax
0054D295 FF95 4D0F0000 call dword ptr ss:[ebp+F4D]
0054D29B 85C0 test eax,eax
0054D29D /75 07 jnz short VBExplor.0054D2A6
0054D29F |53 push ebx
0054D2A0 |FF95 510F0000 call dword ptr ss:[ebp+F51]
0054D2A6 \8985 45050000 mov dword ptr ss:[ebp+545],eax
0054D2AC C785 49050000 00000>mov dword ptr ss:[ebp+549],0
0054D2B6 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
0054D2BC 8B06 mov eax,dword ptr ds:[esi]
0054D2BE 85C0 test eax,eax
0054D2C0 75 03 jnz short VBExplor.0054D2C5
0054D2C2 8B46 10 mov eax,dword ptr ds:[esi+10]
0054D2C5 03C2 add eax,edx
0054D2C7 0385 49050000 add eax,dword ptr ss:[ebp+549]
0054D2CD 8B18 mov ebx,dword ptr ds:[eax]
0054D2CF 8B7E 10 mov edi,dword ptr ds:[esi+10]
0054D2D2 03FA add edi,edx
0054D2D4 03BD 49050000 add edi,dword ptr ss:[ebp+549]
0054D2DA 85DB test ebx,ebx
0054D2DC 0F84 A2000000 je VBExplor.0054D384
0054D2E2 F7C3 00000080 test ebx,80000000
0054D2E8 75 04 jnz short VBExplor.0054D2EE
0054D2EA 03DA add ebx,edx
0054D2EC 43 inc ebx
0054D2ED 43 inc ebx
0054D2EE 53 push ebx
0054D2EF 81E3 FFFFFF7F and ebx,7FFFFFFF
0054D2F5 53 push ebx
0054D2F6 FFB5 45050000 push dword ptr ss:[ebp+545]
0054D2FC FF95 490F0000 call dword ptr ss:[ebp+F49]
0054D302 85C0 test eax,eax
0054D304 5B pop ebx
0054D305 75 6F jnz short VBExplor.0054D376 ***跳转**
******************************************************************
0054D376 8907 mov dword ptr ds:[edi],eax ***到这里***
0054D378 8385 49050000 04 add dword ptr ss:[ebp+549],4
0054D37F ^ E9 32FFFFFF jmp VBExplor.0054D2B6 ***回跳***
0054D384 8906 mov dword ptr ds:[esi],eax ***F4运行到这里(当前DLL的thunk表走到0之后)。注意这三条把当前导入描述符的OriginalFirstThunk、Name、FirstThunk全改成了eax里那个无意义的地址,导入目录被破坏——这就是dump后必须用ImportREC重建导入表的原因***
0054D386 8946 0C mov dword ptr ds:[esi+C],eax
0054D389 8946 10 mov dword ptr ds:[esi+10],eax
0054D38C 83C6 14 add esi,14
0054D38F 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
0054D395 ^ E9 EBFEFFFF jmp VBExplor.0054D285 ***回跳到0054D285***
0054D39A B8 42530200 mov eax,25342 ***强行跳转到这里(导入表处理完、Name为0时0054D28A处的je也会自然跳到这里);25342是OEP的RVA,下面加上[ebp+422]里的基址就得到00425342***
0054D39F 50 push eax
0054D3A0 0385 22040000 add eax,dword ptr ss:[ebp+422]
0054D3A6 59 pop ecx
0054D3A7 0BC9 or ecx,ecx
0054D3A9 8985 A8030000 mov dword ptr ss:[ebp+3A8],eax
0054D3AF 61 popad ****还原壳入口pushad保存的寄存器(ESP定律的硬件断点就断在这附近),入口就在附近***
0054D3B0 75 08 jnz short VBExplor.0054D3BA ***跳转**
0054D3B2 B8 01000000 mov eax,1
0054D3B7 C2 0C00 retn 0C
0054D3BA 68 00000000 push 0 *******到这里(OD显示的立即数0是文件里的旧值,运行时已被0054D3A9处的 mov [ebp+3A8],eax 改写成OEP:ebp+3A8=0054D3BB,正是这个立即数所在的位置)***
0054D3BF C3 retn ****F8步过这条retn就到入口。入口地址:00425342,很明显的跨段地址****
***********************************************************************
0054D285 8B46 0C mov eax,dword ptr ds:[esi+C] ***回跳到这里***
0054D288 85C0 test eax,eax
0054D28A 0F84 0A010000 je VBExplor.0054D39A ***强行跳转(提醒:这个循环负责把每个DLL的函数地址填进IAT(0054D376处的mov [edi],eax),如果导入描述符还没走完就强行跳出,后面的IAT项没有填,ImportREC里会出现无效指针;更稳妥的做法是在0054D39A下断点然后F9)**
************************************************************************
00425342 55 push ebp ****真正的OEP,此时直接用OllyDump/LordPE dump,OEP填RVA 25342;然后用ImportREC附加进程,OEP同样填25342,Get Imports后Fix Dump。这段入口代码(push ebp / mov ebp,esp / push -1 / push ... / mov eax,fs:[0])看起来是VC++运行库的标准启动代码,可以用来确认OEP找对了****
00425343 8BEC mov ebp,esp
00425345 6A FF push -1
00425347 68 58124D00 push VBExplor.004D1258
0042534C 68 CE544200 push VBExplor.004254CE
00425351 64:A1 00000000 mov eax,dword ptr fs:[0]
00425357 50 push eax
.................................................
****************************************************************