-
-
[旧帖] [求助]脱UPX壳越脱越小 0.00雪花
-
发表于: 2009-6-30 15:31
-
本人去年学习了一周破解后又中断现在用重新学习。
找了一个教主写的脚本注入软件HDSI3.0来练习。
用PEID查壳是UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]
然后载入OllyICE.分别使用内存镜像法和单步跟中法来到
0041F862 FF96 DCFF0100 call dword ptr [esi+1FFDC] ; kernel32.LoadLibraryA
0041F868 95 xchg eax, ebp
0041F869 8A07 mov al, byte ptr [edi]
0041F86B 47 inc edi
0041F86C 08C0 or al, al
0041F86E ^ 74 DC je short 0041F84C
0041F870 89F9 mov ecx, edi
0041F872 57 push edi
0041F873 48 dec eax
0041F874 F2:AE repne scas byte ptr es:[edi]
0041F876 55 push ebp
0041F877 FF96 E0FF0100 call dword ptr [esi+1FFE0]
0041F87D 09C0 or eax, eax
0041F87F 74 07 je short 0041F888
0041F881 8903 mov dword ptr [ebx], eax
0041F883 83C3 04 add ebx, 4
0041F886 ^ EB E1 jmp short 0041F869
0041F888 FF96 E4FF0100 call dword ptr [esi+1FFE4]
0041F88E 60 pushad
0041F88F - E9 3C39FFFF jmp 004131D0
在JMP跳转到
004131D0 55 push ebp ; USER32.77D10000
然后我脱壳,脱壳下来是Borland Delphi 6.0 - 7.0
然后运行却毫无反应 查看大小才133KB,
而原来的程序都是790KB
找了一个教主写的脚本注入软件HDSI3.0来练习。
用PEID查壳是UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]
然后载入OllyICE.分别使用内存镜像法和单步跟中法来到
0041F862 FF96 DCFF0100 call dword ptr [esi+1FFDC] ; kernel32.LoadLibraryA
0041F868 95 xchg eax, ebp
0041F869 8A07 mov al, byte ptr [edi]
0041F86B 47 inc edi
0041F86C 08C0 or al, al
0041F86E ^ 74 DC je short 0041F84C
0041F870 89F9 mov ecx, edi
0041F872 57 push edi
0041F873 48 dec eax
0041F874 F2:AE repne scas byte ptr es:[edi]
0041F876 55 push ebp
0041F877 FF96 E0FF0100 call dword ptr [esi+1FFE0]
0041F87D 09C0 or eax, eax
0041F87F 74 07 je short 0041F888
0041F881 8903 mov dword ptr [ebx], eax
0041F883 83C3 04 add ebx, 4
0041F886 ^ EB E1 jmp short 0041F869
0041F888 FF96 E4FF0100 call dword ptr [esi+1FFE4]
0041F88E 60 pushad
0041F88F - E9 3C39FFFF jmp 004131D0
在JMP跳转到
004131D0 55 push ebp ; USER32.77D10000
然后我脱壳,脱壳下来是Borland Delphi 6.0 - 7.0
然后运行却毫无反应 查看大小才133KB,
而原来的程序都是790KB
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
 支持ls上的说法 需要处理附加数据
|
|
|
|
