Checked it with a PE scanner: nothing found.
First, load the program in OD.
00663A48 > 9C pushfd
00663A49 60 pushad
00663A4A E8 00000000 call 螺丝石器.00663A4F //looks like the Beidou (北斗) packer, use the ESP rule
00663A4F 5D pop ebp
00663A50 B8 07000000 mov eax,7
00663A55 2BE8 sub ebp,eax
00663A57 8DB5 78FCFFFF lea esi,dword ptr ss:[ebp-388]
00663A5D 8A06 mov al,byte ptr ds:[esi]
00663A5F 3C 00 cmp al,0
00663A61 74 12 je short 螺丝石器.00663A75
Preliminary judgment: it is the Beidou packer; then jump according to the ESP rule.
00663CCC 9D popfd //lands here, press F8 once
00663CCD - E9 3E27FFFF jmp 螺丝石器.00656410 //reaching here, in theory this should be the OEP already; F8 once
00663CD2 8BB5 2CFCFFFF mov esi,dword ptr ss:[ebp-3D4]
00663CD8 0BF6 or esi,esi
00663CDA 0F84 97000000 je 螺丝石器.00663D77
00656410 60 pushad //jumps straight here, dump right away!
00656411 BE 00E05300 mov esi,螺丝石器.0053E000
00656416 8DBE 0030ECFF lea edi,dword ptr ds:[esi+FFEC3000]
0065641C 57 push edi
0065641D 83CD FF or ebp,FFFFFFFF
00656420 EB 10 jmp short 螺丝石器.00656432
After dumping with OD the program runs; a PE scan shows UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
A quick check confirms it is still compressed.
So just load this dumped program into OD again.
00656410 > 60 pushad //step down with F8
00656411 BE 00E05300 mov esi,123.0053E000 //at this point, still use the ESP rule, run with F9
00656416 8DBE 0030ECFF lea edi,dword ptr ds:[esi+FFEC3000]
0065641C 57 push edi
0065641D 83CD FF or ebp,FFFFFFFF
00656420 EB 10 jmp short 123.00656432
And it ends up running to here:
00656584 8D4424 80 lea eax,dword ptr ss:[esp-80] //lands here, and then I don't know what to do
00656588 6A 00 push 0
0065658A 39C4 cmp esp,eax
0065658C ^ 75 FA jnz short 123.00656588 //goes straight back to 00656588
0065658E 83EC 80 sub esp,-80
00656591 ^ E9 488ADEFF jmp 123.0043EFDE //goes straight to 0043EFDE
00656596 0000 add byte ptr ds:[eax],al
00656598 0000 add byte ptr ds:[eax],al
0065659A 0000 add byte ptr ds:[eax],al
0065659C 0000 add byte ptr ds:[eax],al
0065659E 0000 add byte ptr ds:[eax],al
0043EFDE 6A 60 push 60 //and finally ends up here
0043EFE0 68 38A04C00 push 123.004CA038
0043EFE5 E8 260F0000 call 123.0043FF10
0043EFEA BF 94000000 mov edi,94
0043EFEF 8BC7 mov eax,edi
I really don't know how to unpack this! Please advise on how to handle it.
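Added example (not from the poster, and not tied to any real tool's API): the second listing ends with the textbook UPX hand-off tail, a stack-probe loop (lea eax,[esp-80] / push 0 / cmp esp,eax / jnz), then sub esp,-80 and a long jmp E9 rel32 to the original entry point. When analysing a packed sample it is handy to recognise that tail in the raw bytes and decode the rel32 into an absolute address instead of single-stepping to it. The script below does exactly that over a constructed byte buffer that mirrors the bytes shown from 00656584; the base address, buffer contents and function names are assumptions for the demonstration.

```python
import re
import struct

# Byte pattern of the UPX hand-off tail exactly as it appears in the
# listing above (addresses only for orientation):
#   8D 44 24 80      lea eax,[esp-80]   ; stack-probe loop start
#   6A 00            push 0
#   39 C4            cmp esp,eax
#   75 FA            jnz short -6       ; back to the push
#   83 EC 80         sub esp,-80        ; undo the probe
#   E9 xx xx xx xx   jmp rel32          ; -> original entry point
UPX_TAIL = re.compile(
    rb"\x8D\x44\x24\x80\x6A\x00\x39\xC4\x75\xFA\x83\xEC\x80\xE9(.{4})",
    re.DOTALL,  # rel32 may contain 0x0A, which '.' would skip without DOTALL
)
JMP_OFFSET_IN_TAIL = 13  # 4 + 2 + 2 + 2 + 3 bytes precede the E9 opcode


def decode_jmp_rel32(instr_va: int, rel_bytes: bytes) -> int:
    """Target of a 5-byte E9 jmp at instr_va: next instruction + signed rel32."""
    (rel32,) = struct.unpack("<i", rel_bytes)
    return (instr_va + 5 + rel32) & 0xFFFFFFFF


def decode_jcc_short(instr_va: int, rel8: int) -> int:
    """Target of a 2-byte short conditional jump such as 75 FA (jnz)."""
    rel = rel8 - 0x100 if rel8 >= 0x80 else rel8
    return (instr_va + 2 + rel) & 0xFFFFFFFF


def find_upx_oep(image: bytes, base_va: int) -> list:
    """Return (jmp_va, oep_va) pairs for every UPX tail found in image.

    base_va is the virtual address of image[0]; every match is converted
    to the VA of its E9 so the rel32 can be resolved correctly.
    """
    found = []
    for m in UPX_TAIL.finditer(image):
        jmp_va = base_va + m.start() + JMP_OFFSET_IN_TAIL
        found.append((jmp_va, decode_jmp_rel32(jmp_va, m.group(1))))
    return found


# Constructed sample: the bytes from 00656584 in the listing, placed in a
# small buffer whose first byte is pretended to be mapped at 00656580.
SAMPLE_BASE_VA = 0x00656580
SAMPLE_STUB = (
    b"\x90" * 4                                                   # filler
    + bytes.fromhex("8D442480 6A00 39C4 75FA 83EC80 E9488ADEFF".replace(" ", ""))
    + b"\x00" * 10                                                # the add [eax],al padding
)

if __name__ == "__main__":
    for jmp_va, oep in find_upx_oep(SAMPLE_STUB, SAMPLE_BASE_VA):
        print(f"jmp at {jmp_va:08X} -> OEP {oep:08X}")
    # The jnz at 0065658C loops back to the push at 00656588
    print(f"jnz target {decode_jcc_short(0x0065658C, 0xFA):08X}")
```

On the constructed buffer this reports the jmp at 00656591 targeting 0043EFDE, the same address the listing lands on, and the same decoder resolves the earlier E9 3E27FFFF at 00663CCD to 00656410. In practice you would feed it the bytes of the section containing the packer stub, using that section's virtual address as base_va, and then set a breakpoint on the reported OEP rather than stepping there by hand.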