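【Title】Making an ASPack Packer That Evades Antivirus Detection
【Author】PYG
【Author email】china_pyg@yahoo.cn
【Disclaimer】For research only; do not use for illegal purposes!
Unpack it with the ESP law. Load it in OD (OllyDbg); it stops at: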
00434001 PolyC> 60 pushad // F8 hr esp
00434002 E8 03000000 call PolyCryp.0043400A
00434007 - E9 EB045D45 jmp 45A044F7
F9, arriving at:
004343B0 /75 08 jnz short PolyCryp.004343BA //F8
004343B2 |B8 01000000 mov eax,1
004343B7 |C2 0C00 retn 0C
004343BA \68 0D304300 push PolyCryp.0043300D //F8
004343BF C3 retn // jumps to the OEP
....
0043300D 60 pushad //Dump it..
0043300E E8 EDFFFFFF call PolyCryp.00433000
Second layer: PolyCrypt PE
The ESP law method can also be used here.
Memory map: set a memory breakpoint on section CODE, then F9
004330A4 8B10 mov edx,dword ptr ds:[eax]
004330A6 33C0 xor eax,eax
004330A8 64:8B40 30 mov eax,dword ptr fs:[eax+30]
Memory map: set a memory breakpoint on section DATA, then F9
77F51292 F2:AE repne scas byte ptr es:[edi]
77F51294 F7D1 not ecx
77F51296 81F9 FFFF0000 cmp ecx,0FFFF
77F5129C 76 05 jbe short ntdll.77F512A3
Memory map: set a memory breakpoint on section .idata, then F9
00403816 - FF25 C4824000 jmp dword ptr ds:[4082C4] ; F8
0040381C - FF25 CC824000 jmp dword ptr ds:[4082CC] ; comdlg32.GetOpenFileNameA
00403822 - FF25 D4824000 jmp dword ptr ds:[4082D4] ; COMCTL32.InitCommonControls
00403828 0000 add byte ptr ds:[eax],al
0040382A 0000 add byte ptr ds:[eax],al
71F2D38D ulib.> 8BFF mov edi,edi ; ntdll.77F63268
71F2D38F 55 push ebp
71F2D390 8BEC mov ebp,esp
71F2D392 5D pop ebp
71F2D393 - FF25 0411F271 jmp dword ptr ds:[<&KERNEL32.FreeL>; kernel32.FreeLibrary
Keep pressing F8 until you arrive at:
00401018 E8 DF260000 call 3300D.004036FC ; dumping anywhere around here works, ugh...
0040101D 8BF0 mov esi,eax
0040101F 8BFE mov edi,esi
00401021 47 inc edi
00401022 B0 22 mov al,22
00401024 B9 FF000000 mov ecx,0FF
00401029 F2:AE repne scas byte ptr es:[edi]
0040102B F2:AE repne scas byte ptr es:[edi]
0040102D 57 push edi
=====================================================================
ESP law:
0043300D 3300D> 60 pushad //F8 Hr esp
0043300E E8 EDFFFFFF call 3300D.00433000
00433013 ^ EB F1 jmp short 3300D.00433006
F9, arriving at:
0043342E 68 00104000 push 3300D.00401000 //F8
00433433 C3 retn //F8
00433434 0000 add byte ptr ds:[eax],al
....after a brief pause, arriving at:
00401000 68 00404000 push 3300D.00404000 ; dump here
00401005 E8 16270000 call 3300D.00403720 ; jmp to
=================================================================
Fix the IAT, then check again with PEiD! Scan for viruses! Done!
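An added example, not part of the original post: a static triage check for the two byte patterns the listings above show, the PUSHAD + CALL stub entry and the PUSH imm32 + RETN tail jump, run over the bytes printed on this page. The function names and the CODE section bounds (0x00401000 to 0x00404000) are assumptions; the page does not state the section sizes.

```python
import struct

# Bytes copied from the listings on this page, keyed by virtual address.
STUB_ENTRY = (0x00434001, bytes.fromhex("60E803000000E9EB045D45"))
LAYER2_ENTRY = (0x0043300D, bytes.fromhex("60E8EDFFFFFF"))
LAYER1_TAIL = (0x004343B0, bytes.fromhex("7508B801000000C20C00680D304300C3"))
LAYER2_TAIL = (0x0043342E, bytes.fromhex("6800104000C30000"))

# Assumed bounds of the original CODE section (not stated on the page).
CODE_LO, CODE_HI = 0x00401000, 0x00404000


def stub_call_target(va, code):
    """Return the CALL target if code opens with PUSHAD (60) + CALL rel32 (E8), else None."""
    if len(code) < 6 or code[0] != 0x60 or code[1] != 0xE8:
        return None
    rel = struct.unpack_from("<i", code, 2)[0]
    return (va + 6 + rel) & 0xFFFFFFFF  # rel32 is relative to the next instruction


def push_ret_pairs(va, code):
    """List (address, target) for each PUSH imm32 ; RETN pair (68 xx xx xx xx C3)."""
    pairs = []
    for i in range(len(code) - 5):
        if code[i] == 0x68 and code[i + 5] == 0xC3:
            pairs.append((va + i, struct.unpack_from("<I", code, i + 1)[0]))
    return pairs


def classify(va, code):
    """Label each tail jump: into the original code (OEP candidate) or into another stub."""
    return [(hex(addr), hex(tgt),
             "oep-candidate" if CODE_LO <= tgt < CODE_HI else "next-layer")
            for addr, tgt in push_ret_pairs(va, code)]


if __name__ == "__main__":
    for name, (va, code) in [("entry", STUB_ENTRY), ("layer2", LAYER2_ENTRY)]:
        print(name, hex(stub_call_target(va, code)))
    for va, code in (LAYER1_TAIL, LAYER2_TAIL):
        print(classify(va, code))
```

This is a raw byte scan without disassembly, so on a full section it can match data or mid-instruction bytes; treat hits as candidates to confirm in the debugger.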