-
-
[分享]脱壳 eXPressor 1.7.0.1
-
发表于: 2009-9-10 23:53 3930
-
【文章标题】: 脱壳eXPressor 1.7.0.1
【文章作者】: hxqlky
【作者邮箱】: zmunlky@gmail.com
【作者主页】: http://www.x5dj.com/hxqlky
【软件名称】: unpackme
【下载地址】: 自己搜索下载
【加壳方式】: eXPressor 1.7.0.1
【保护方式】: eXPressor 1.7.0.1
【使用工具】: od,UIF,ImportRE
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
目标程序eXPressor 1.7.0.1 主程序
思路：定位 IAT 和 Magic Jump，然后把壳改写成 E8 (call rel32) 形式的导入调用恢复为原来的 FF15 (call dword ptr [IAT 槽]) 形式。
00508AC3 /. 55 push ebp 载入程序
00508AC4 |. 8BEC mov ebp,esp
00508AC6 |. 833D 1C805000>cmp dword ptr ds:[50801C],0
00508ACD |. 74 07 je short eXPresso.00508AD6
00508ACF |. 5D pop ebp
00508AD0 |. FF25 20805000 jmp dword ptr ds:[508020]
00508AD6 |> 8B45 08 mov eax,[arg.1]
bp VirtualProtectEx，然后 F9 运行，断下后：
7C801A9C > 8BFF mov edi,edi 看这里
7C801A9E 55 push ebp
7C801A9F 8BEC mov ebp,esp
7C801AA1 56 push esi
7C801AA2 8B35 F412807C mov esi,dword ptr ds:[<&ntdll.NtProtectV>;
ntdll.ZwProtectVirtualMemory
7C801AA8 57 push edi
7C801AA9 FF75 18 push dword ptr ss:[ebp+18]
iat jmp
打开内存搜索
1, E8????????83c40485c00f85
2, f38975fceb??ea????????????c9c3
00D82DFA E8 9DEDFFFF call 00D81B9C
00D82DFA E8 9DEDFFFF call 00D81B9C
00D82DFF 83C4 04 add esp,4
00D82E02 85C0 test eax,eax
00D82E04 0F85 87000000 jnz 00D82E91 ; Magic Jump：按作者标注，把这里的 jnz 改成 jmp
bp VirtualProtectEx
E8 9D ED FF FF 83 C4 04 85 C0 0F 85 87 00 00 00
E8 9D ED FF FF 83 C4 04 85 C0 0F 85
f38975fceb??ea????????????c9c3
--------------------------------
iat E8---- ff15 jmp
00D83235 C600 E8 mov byte ptr ds:[eax],0E8
00D83238 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
00D8323B 40 inc eax
00D8323C 8945 D0 mov dword ptr ss:[ebp-30],eax
00D8323F 50 push eax
00D83240 E8 03000000 call 00D83248
C6 00 E8 8B 45 D4 40 89 45 D0 50 E8 03 00 00 00
c600e88b45d4408945d050e8
00E53235 C600 E8 mov byte ptr ds:[eax],0E8
C6 00 E8 8B 45 D4 40 89 45 D0 50 E8 03 00 00 00
0012F6A0 7C80200B /CALL 到 VirtualProtectEx 来自 kernel32.7C802006
0012F6A4 FFFFFFFF |hProcess = FFFFFFFF
0012F6A8 0046D108 |Address = eXPresso.0046D108 跟随数据窗口
0012F6AC 00000004 |Size = 4
0012F6B0 00000040 |NewProtect = PAGE_EXECUTE_READWRITE
0012F6B4 0012FD60 \pOldProtect = 0012FD60
0046D100 00000000 ....
0046D104 7C822311 #倈 kernel32.SetEvent
0046D108 7C837A5F kernel32.SuspendThread ← IAT 出现：壳对这 4 字节的 IAT 槽调用 VirtualProtectEx（hProcess=FFFFFFFF 即当前进程伪句柄，NewProtect=40 即 PAGE_EXECUTE_READWRITE），据此可定位 IAT 所在位置。
f9 继续
00E53235 C600 E8 mov byte ptr ds:[eax],0E8 f9 来到这里
00E53238 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
00E5323B 40 inc eax
00E5323C 8945 D0 mov dword ptr ss:[ebp-30],eax
00E5323F 50 push eax
00E53240 E8 03000000 call 00E53248
00E53245 01EB add ebx,ebp
0046CFFC 00000000 .... ← IAT 起始（此处为 0，下面脚本的 find 从这个地址开始搜索）
0046D000 77F470F9 advapi32.RegOpenKeyA
0046D004 77F4E0AE advapi32.RegOpenKeyExA
0046D008 77F3D96E advapi32.RegDeleteValueA
00401D0E 40 inc eax 看这里
00401D0F FA cli
00401D10 6A 6C push 6C
00401D12 ^ E0 C7 loopdne short eXPresso.00401CDB
00401D14 0FB75424 1E movzx edx,word ptr ss:[esp+1E]
00401D19 52 push edx
00401D1A E8 2FE40400 call eXPresso.0045014E
00401D1F 83C4 04 add esp,4
EAX 00401D0E eXPresso.00401D0E 看这里
ECX 00401D0E eXPresso.00401D0E
EDX 00000001
EBX 7FFD9000
ESP 0012F688
EBP-28 > 00484D94 ASCII "kernel32.dll"
EBP-24 > 7C800000 kernel32.7C800000
EBP-20 > 00E5AEF2
EBP-1C > 00CF0000
EBP-18 > 7C832609 kernel32.GetLocalTime 看这里
用下面的 ODbgScript 脚本把 E8 调用修复为 FF15：在 00E53235（mov byte ptr [eax],0E8）处断下后运行脚本。每次断下时 eax 为待修复的调用地址、[ebp-18] 为解析出的 API 地址（见上面的寄存器/栈窗口），脚本在 0046CFFC 起的 IAT 中查找该 API 地址所在的槽位并回写。
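// ODbgScript: rewrite the packer's E8 (call rel32) import calls back to
// FF15 (call dword ptr [IAT slot]).
// Run with a breakpoint on the packer's "mov byte ptr [eax],0E8"; the
// script records that eip as `begin` and re-synchronises on it.
// At each hit (see the register/stack dump above):
//   eax      = address of the call site being rewritten
//   [ebp-18] = resolved API address
// The site captured on one hit is patched only after the *next* hit,
// because the IAT lookup is done once the breakpoint is reached again.
// NOTE(review): the site captured just before the run leaves the loop
// (eip != begin) is therefore not patched by this script - verify by hand.
var iatadd
// iatadd: resolved API address, then the IAT slot address holding it
var iattx
// iattx: call site to rewrite
var begin
// begin: eip of the breakpoint the loop re-synchronises on
mov begin,eip
start:
mov iatadd,[ebp-18]
mov iattx,eax
// run until the breakpoint is hit again
esto
cmp eip,begin
jne end
// Find the IAT slot that holds the API address. `find` leaves 0 in
// $RESULT when the value is not present; the original script wrote that
// 0 into the call operand and silently corrupted the call, so check it
// before touching the call site.
find 0046CFFC,iatadd
cmp $RESULT,0
je notfound
mov iatadd,$RESULT
// FF 15 = call dword ptr [imm32]
mov [iattx],15ff
add iattx,2
// imm32 = IAT slot address
mov [iattx],iatadd
jmp start
notfound:
msg "IAT slot not found - call site left unpatched"
ret
end:
msg "hxqlky"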
00454573 6A 60 push 60 ; OEP（看起来是 VC 风格的 CRT 启动代码：push 60 / push offset / call，随后调用 GetStartupInfoA）
00454575 68 C0324800 push eXPresso.004832C0
0045457A E8 B5060000 call eXPresso.00454C34
0045457F 8365 FC 00 and dword ptr ss:[ebp-4],0
00454583 8D45 90 lea eax,dword ptr ss:[ebp-70]
00454586 50 push eax
00454587 FF15 D0D24600 call dword ptr ds:[46D2D0] ; kernel32.GetStartupInfoA
0045458D C745 FC FEFFFFF>mov dword ptr ss:[ebp-4],-2
00454594 BF 94000000 mov edi,94
00454599 57 push edi
0045459A 6A 00 push 0
0045459C 8B1D D8D14600 mov ebx,dword ptr ds:[46D1D8] ; kernel32.GetProcessHeap
004545A2 FFD3 call ebx
004545A4 50 push eax
004545A5 FF15 9CD14600 call dword ptr ds:[46D19C] ; ntdll.RtlAllocateHeap
004545AB 8BF0 mov esi,eax
004545AD 85F6 test esi,esi
004545AF 75 0D jnz short eXPresso.004545BE
004545B1 6A 12 push 12
004545B3 E8 56FFFFFF call eXPresso.0045450E
004545B8 59 pop ecx
004545B9 E9 8A010000 jmp eXPresso.00454748
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2009年09月10日 23:47:53
【文章作者】: hxqlky
【作者邮箱】: zmunlky@gmail.com
【作者主页】: http://www.x5dj.com/hxqlky
【软件名称】: unpackme
【下载地址】: 自己搜索下载
【加壳方式】: eXPressor 1.7.0.1
【保护方式】: eXPressor 1.7.0.1
【使用工具】: od,UIF,ImportRE
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
目标程序eXPressor 1.7.0.1 主程序
思路：定位 IAT 和 Magic Jump，然后把壳改写成 E8 (call rel32) 形式的导入调用恢复为原来的 FF15 (call dword ptr [IAT 槽]) 形式。
00508AC3 /. 55 push ebp 载入程序
00508AC4 |. 8BEC mov ebp,esp
00508AC6 |. 833D 1C805000>cmp dword ptr ds:[50801C],0
00508ACD |. 74 07 je short eXPresso.00508AD6
00508ACF |. 5D pop ebp
00508AD0 |. FF25 20805000 jmp dword ptr ds:[508020]
00508AD6 |> 8B45 08 mov eax,[arg.1]
bp VirtualProtectEx，然后 F9 运行，断下后：
7C801A9C > 8BFF mov edi,edi 看这里
7C801A9E 55 push ebp
7C801A9F 8BEC mov ebp,esp
7C801AA1 56 push esi
7C801AA2 8B35 F412807C mov esi,dword ptr ds:[<&ntdll.NtProtectV>;
ntdll.ZwProtectVirtualMemory
7C801AA8 57 push edi
7C801AA9 FF75 18 push dword ptr ss:[ebp+18]
iat jmp
打开内存搜索
1, E8????????83c40485c00f85
2, f38975fceb??ea????????????c9c3
00D82DFA E8 9DEDFFFF call 00D81B9C
00D82DFA E8 9DEDFFFF call 00D81B9C
00D82DFF 83C4 04 add esp,4
00D82E02 85C0 test eax,eax
00D82E04 0F85 87000000 jnz 00D82E91 ; Magic Jump：按作者标注，把这里的 jnz 改成 jmp
bp VirtualProtectEx
E8 9D ED FF FF 83 C4 04 85 C0 0F 85 87 00 00 00
E8 9D ED FF FF 83 C4 04 85 C0 0F 85
f38975fceb??ea????????????c9c3
--------------------------------
iat E8---- ff15 jmp
00D83235 C600 E8 mov byte ptr ds:[eax],0E8
00D83238 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
00D8323B 40 inc eax
00D8323C 8945 D0 mov dword ptr ss:[ebp-30],eax
00D8323F 50 push eax
00D83240 E8 03000000 call 00D83248
C6 00 E8 8B 45 D4 40 89 45 D0 50 E8 03 00 00 00
c600e88b45d4408945d050e8
00E53235 C600 E8 mov byte ptr ds:[eax],0E8
C6 00 E8 8B 45 D4 40 89 45 D0 50 E8 03 00 00 00
0012F6A0 7C80200B /CALL 到 VirtualProtectEx 来自 kernel32.7C802006
0012F6A4 FFFFFFFF |hProcess = FFFFFFFF
0012F6A8 0046D108 |Address = eXPresso.0046D108 跟随数据窗口
0012F6AC 00000004 |Size = 4
0012F6B0 00000040 |NewProtect = PAGE_EXECUTE_READWRITE
0012F6B4 0012FD60 \pOldProtect = 0012FD60
0046D100 00000000 ....
0046D104 7C822311 #倈 kernel32.SetEvent
0046D108 7C837A5F kernel32.SuspendThread ← IAT 出现：壳对这 4 字节的 IAT 槽调用 VirtualProtectEx（hProcess=FFFFFFFF 即当前进程伪句柄，NewProtect=40 即 PAGE_EXECUTE_READWRITE），据此可定位 IAT 所在位置。
f9 继续
00E53235 C600 E8 mov byte ptr ds:[eax],0E8 f9 来到这里
00E53238 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
00E5323B 40 inc eax
00E5323C 8945 D0 mov dword ptr ss:[ebp-30],eax
00E5323F 50 push eax
00E53240 E8 03000000 call 00E53248
00E53245 01EB add ebx,ebp
0046CFFC 00000000 .... ← IAT 起始（此处为 0，下面脚本的 find 从这个地址开始搜索）
0046D000 77F470F9 advapi32.RegOpenKeyA
0046D004 77F4E0AE advapi32.RegOpenKeyExA
0046D008 77F3D96E advapi32.RegDeleteValueA
00401D0E 40 inc eax 看这里
00401D0F FA cli
00401D10 6A 6C push 6C
00401D12 ^ E0 C7 loopdne short eXPresso.00401CDB
00401D14 0FB75424 1E movzx edx,word ptr ss:[esp+1E]
00401D19 52 push edx
00401D1A E8 2FE40400 call eXPresso.0045014E
00401D1F 83C4 04 add esp,4
EAX 00401D0E eXPresso.00401D0E 看这里
ECX 00401D0E eXPresso.00401D0E
EDX 00000001
EBX 7FFD9000
ESP 0012F688
EBP-28 > 00484D94 ASCII "kernel32.dll"
EBP-24 > 7C800000 kernel32.7C800000
EBP-20 > 00E5AEF2
EBP-1C > 00CF0000
EBP-18 > 7C832609 kernel32.GetLocalTime 看这里
用下面的 ODbgScript 脚本把 E8 调用修复为 FF15：在 00E53235（mov byte ptr [eax],0E8）处断下后运行脚本。每次断下时 eax 为待修复的调用地址、[ebp-18] 为解析出的 API 地址（见上面的寄存器/栈窗口），脚本在 0046CFFC 起的 IAT 中查找该 API 地址所在的槽位并回写。
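// ODbgScript: rewrite the packer's E8 (call rel32) import calls back to
// FF15 (call dword ptr [IAT slot]).
// Run with a breakpoint on the packer's "mov byte ptr [eax],0E8"; the
// script records that eip as `begin` and re-synchronises on it.
// At each hit (see the register/stack dump above):
//   eax      = address of the call site being rewritten
//   [ebp-18] = resolved API address
// The site captured on one hit is patched only after the *next* hit,
// because the IAT lookup is done once the breakpoint is reached again.
// NOTE(review): the site captured just before the run leaves the loop
// (eip != begin) is therefore not patched by this script - verify by hand.
var iatadd
// iatadd: resolved API address, then the IAT slot address holding it
var iattx
// iattx: call site to rewrite
var begin
// begin: eip of the breakpoint the loop re-synchronises on
mov begin,eip
start:
mov iatadd,[ebp-18]
mov iattx,eax
// run until the breakpoint is hit again
esto
cmp eip,begin
jne end
// Find the IAT slot that holds the API address. `find` leaves 0 in
// $RESULT when the value is not present; the original script wrote that
// 0 into the call operand and silently corrupted the call, so check it
// before touching the call site.
find 0046CFFC,iatadd
cmp $RESULT,0
je notfound
mov iatadd,$RESULT
// FF 15 = call dword ptr [imm32]
mov [iattx],15ff
add iattx,2
// imm32 = IAT slot address
mov [iattx],iatadd
jmp start
notfound:
msg "IAT slot not found - call site left unpatched"
ret
end:
msg "hxqlky"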
00454573 6A 60 push 60 ; OEP（看起来是 VC 风格的 CRT 启动代码：push 60 / push offset / call，随后调用 GetStartupInfoA）
00454575 68 C0324800 push eXPresso.004832C0
0045457A E8 B5060000 call eXPresso.00454C34
0045457F 8365 FC 00 and dword ptr ss:[ebp-4],0
00454583 8D45 90 lea eax,dword ptr ss:[ebp-70]
00454586 50 push eax
00454587 FF15 D0D24600 call dword ptr ds:[46D2D0] ; kernel32.GetStartupInfoA
0045458D C745 FC FEFFFFF>mov dword ptr ss:[ebp-4],-2
00454594 BF 94000000 mov edi,94
00454599 57 push edi
0045459A 6A 00 push 0
0045459C 8B1D D8D14600 mov ebx,dword ptr ds:[46D1D8] ; kernel32.GetProcessHeap
004545A2 FFD3 call ebx
004545A4 50 push eax
004545A5 FF15 9CD14600 call dword ptr ds:[46D19C] ; ntdll.RtlAllocateHeap
004545AB 8BF0 mov esi,eax
004545AD 85F6 test esi,esi
004545AF 75 0D jnz short eXPresso.004545BE
004545B1 6A 12 push 12
004545B3 E8 56FFFFFF call eXPresso.0045450E
004545B8 59 pop ecx
004545B9 E9 8A010000 jmp eXPresso.00454748
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2009年09月10日 23:47:53