A simple method for finding the OEP of ASPack-packed files, with practice (about 8,000 characters)
=================================================================
=  inside Pandora's Box - iPB
=  Open Cracking Group - OCG
=
=  DiKeN/iPB
=================================================================
================================================================================
Although the stub uses a lot of junk instructions, the instruction flow is the same in every packed file.
=========Calc.exe
0101B001 >60                   PUSHAD
0101B002  E8 03000000          CALL CALC.0101B00A
0101B007  E9 EB045D45          JMP 465EB4F7
0101B00C  55                   PUSH EBP
0101B00D  C3                   RETN
0101B00E  E8 01000000          CALL CALC.0101B014
0101B013  EB 5D                JMP SHORT CALC.0101B072
0101B015  BB EDFFFFFF          MOV EBX,-13
0101B01A  03DD                 ADD EBX,EBP
0101B01C  81EB 00B00100        SUB EBX,1B000                      ========>
0101B022  83BD 22040000 00     CMP DWORD PTR SS:[EBP+422],0
0101B029  899D 22040000        MOV DWORD PTR SS:[EBP+422],EBX     <===== stores ImageBase
0101B02F  0F85 65030000        JNZ CALC.0101B39A
0101B035  8D85 2E040000        LEA EAX,DWORD PTR SS:[EBP+42E]
0101B03B  50                   PUSH EAX
0101B03C  FF95 4D0F0000        CALL DWORD PTR SS:[EBP+F4D]
0101B042  8985 26040000        MOV DWORD PTR SS:[EBP+426],EAX
0101B048  8BF8                 MOV EDI,EAX
0101B04A  8D5D 5E              LEA EBX,DWORD PTR SS:[EBP+5E]
0101B04D  53                   PUSH EBX
0101B04E  50                   PUSH EAX
0101B04F  FF95 490F0000        CALL DWORD PTR SS:[EBP+F49]        ====> GetProcAddress(VirtualAlloc)
0101B055  8985 4D050000        MOV DWORD PTR SS:[EBP+54D],EAX
0101B05B  8D5D 6B              LEA EBX,DWORD PTR SS:[EBP+6B]
0101B05E  53                   PUSH EBX
0101B05F  57                   PUSH EDI
0101B060  FF95 490F0000        CALL DWORD PTR SS:[EBP+F49]        ====> GetProcAddress(VirtualFree)
0101B066  8985 51050000        MOV DWORD PTR SS:[EBP+551],EAX
0101B06C  8D45 77              LEA EAX,DWORD PTR SS:[EBP+77]
0101B06F  FFE0                 JMP EAX
......
Next it allocates memory and decodes the packed code.
...........
0101B389  8946 10              MOV DWORD PTR DS:[ESI+10],EAX
0101B38C  83C6 14              ADD ESI,14
0101B38F  8B95 22040000        MOV EDX,DWORD PTR SS:[EBP+422]
0101B395  E9 EBFEFFFF          JMP CALC.0101B285
0101B39A  B8 E0190100          MOV EAX,119E0                      <================== this is the OEP address
0101B39F  50                   PUSH EAX
******************************************************************************************************
=========Notepad
00411001 >60                   PUSHAD
00411002  E8 03000000          CALL NOTEPAD.0041100A
00411007  E9 EB045D45          JMP 459E14F7
0041100C  55                   PUSH EBP
0041100D  C3                   RETN
0041100E  E8 01000000          CALL NOTEPAD.00411014
00411013  EB 5D                JMP SHORT NOTEPAD.00411072
00411015  BB EDFFFFFF          MOV EBX,-13
0041101A  03DD                 ADD EBX,EBP
0041101C  81EB 00100100        SUB EBX,11000
00411022  83BD 22040000 00     CMP DWORD PTR SS:[EBP+422],0
00411029  899D 22040000        MOV DWORD PTR SS:[EBP+422],EBX     <===== stores ImageBase
0041102F  0F85 65030000        JNZ NOTEPAD.0041139A
00411035  8D85 2E040000        LEA EAX,DWORD PTR SS:[EBP+42E]     ===> Kernel32.dll
0041103B  50                   PUSH EAX
0041103C  FF95 4D0F0000        CALL DWORD PTR SS:[EBP+F4D]
00411042  8985 26040000        MOV DWORD PTR SS:[EBP+426],EAX
00411048  8BF8                 MOV EDI,EAX
0041104A  8D5D 5E              LEA EBX,DWORD PTR SS:[EBP+5E]
0041104D  53                   PUSH EBX
0041104E  50                   PUSH EAX
0041104F  FF95 490F0000        CALL DWORD PTR SS:[EBP+F49]        ====> GetProcAddress(VirtualAlloc)
00411055  8985 4D050000        MOV DWORD PTR SS:[EBP+54D],EAX
0041105B  8D5D 6B              LEA EBX,DWORD PTR SS:[EBP+6B]
0041105E  53                   PUSH EBX
0041105F  57                   PUSH EDI
00411060  FF95 490F0000        CALL DWORD PTR SS:[EBP+F49]        ====> GetProcAddress(VirtualFree)
00411066  8985 51050000        MOV DWORD PTR SS:[EBP+551],EAX
0041106C  8D45 77              LEA EAX,DWORD PTR SS:[EBP+77]
0041106F  FFE0                 JMP EAX
......
Next it allocates memory and decodes the packed code.
...........
0041136C  8D85 C6040000        LEA EAX,DWORD PTR SS:[EBP+4C6]
00411372  50                   PUSH EAX
00411373  57                   PUSH EDI
00411374  EB 4A                JMP SHORT NOTEPAD.004113C0
00411376  8907                 MOV DWORD PTR DS:[EDI],EAX
00411378  8385 49050000 04     ADD DWORD PTR SS:[EBP+549],4
0041137F  E9 32FFFFFF          JMP NOTEPAD.004112B6
00411384  8906                 MOV DWORD PTR DS:[ESI],EAX
00411386  8946 0C              MOV DWORD PTR DS:[ESI+C],EAX
00411389  8946 10              MOV DWORD PTR DS:[ESI+10],EAX
0041138C  83C6 14              ADD ESI,14
0041138F  8B95 22040000        MOV EDX,DWORD PTR SS:[EBP+422]
00411395  E9 EBFEFFFF          JMP NOTEPAD.00411285
0041139A  B8 CC100000          MOV EAX,10CC                       =========================> ??? what is the offset?
0041139F  50                   PUSH EAX
004113A0  0385 22040000        ADD EAX,DWORD PTR SS:[EBP+422]
004113A6  59                   POP ECX
004113A7  0BC9                 OR ECX,ECX
004113A9  8985 A8030000        MOV DWORD PTR SS:[EBP+3A8],EAX
004113AF  61                   POPAD
004113B0  75 08                JNZ SHORT NOTEPAD.004113BA
=========Calc.exe again, same region, for comparison
0101B389  8946 10              MOV DWORD PTR DS:[ESI+10],EAX
0101B38C  83C6 14              ADD ESI,14
0101B38F  8B95 22040000        MOV EDX,DWORD PTR SS:[EBP+422]
0101B395  E9 EBFEFFFF          JMP CALC.0101B285
0101B39A  B8 E0190100          MOV EAX,119E0                      <================== this is the OEP address
0101B39F  50                   PUSH EAX
=========================================================================
Comparing the two, we find that EP+0x399 is in every case the instruction MOV EAX,????????.
In other words, the original OEP is
ImageBase+[EP+0x39A]
******************************************************************************************************
=========================================================================
Now let's look at the result of compressing LordPE with ASPack.
=========================================================================
00432001 >60                   PUSHAD
00432002  E8 03000000          CALL LORDPEP.0043200A
00432007  E9 EB045D45          JMP 45A024F7
0043200C  55                   PUSH EBP
0043200D  C3                   RETN
/************************
00432001+399=43239A
************************/
00432395  E9 EBFEFFFF          JMP LORDPEP.00432285
0043239A  B8 103E0000          MOV EAX,3E10
0043239F  50                   PUSH EAX
004323A0  0385 22040000        ADD EAX,DWORD PTR SS:[EBP+422]     ==========> ImageBase
004323A6  59                   POP ECX
004323A7  0BC9                 OR ECX,ECX
004323A9  8985 A8030000        MOV DWORD PTR SS:[EBP+3A8],EAX
004323AF  61                   POPAD
/************************
OEP=00400000+3E10=403E10
************************/
=========================================================================
******************************************************************************************************
Ha, done. Now let's try a bigger file: how about Flashget?
00507001 >60                   PUSHAD
00507002  E8 03000000          CALL JETCAR.0050700A
00507007  E9 EB045D45          JMP 45AD74F7
0050700C  55                   PUSH EBP
0050700D  C3                   RETN
0050700E  E8 01000000          CALL JETCAR.00507014
00507013  EB 5D                JMP SHORT JETCAR.00507072
00507015  BB EDFFFFFF          MOV EBX,-13
0050701A  03DD                 ADD EBX,EBP
0050701C  81EB 00701000        SUB EBX,107000
00507022  83BD 22040000 00     CMP DWORD PTR SS:[EBP+422],0
00507029  899D 22040000        MOV DWORD PTR SS:[EBP+422],EBX
Compute the address of the MOV instruction:
507001+399=50739A
Now look at the instruction at 50739A:
0050738F  8B95 22040000        MOV EDX,DWORD PTR SS:[EBP+422]
00507395  E9 EBFEFFFF          JMP JETCAR.00507285
0050739A  B8 056D0700          MOV EAX,76D05                      <================== this is the OEP address
0050739F  50                   PUSH EAX
005073A0  0385 22040000        ADD EAX,DWORD PTR SS:[EBP+422]     ==========> ImageBase
005073A6  59                   POP ECX
005073A7  0BC9                 OR ECX,ECX
005073A9  8985 A8030000        MOV DWORD PTR SS:[EBP+3A8],EAX
005073AF  61                   POPAD
Compute the OEP:
OEP=ImageBase+[EP+39A]
   =400000+[507001+39A]
   =400000+76D05
   =476D05
=========================================================================
******************************************************************************************************
Correct. Next, let's unpack one with TRW2000 and see how it goes: UltraEdit compressed with ASPack.
004D3001 >60                   PUSHAD
004D3002  E8 03000000          CALL UEDIT32.004D300A
004D3007  E9 EB045D45          JMP 45AA34F7
004D300C  55                   PUSH EBP
004D339A  B8 D0850400          MOV EAX,485D0
004D339F  50                   PUSH EAX
:u 4d339A
:bpx 4485d0
:g
:bc *
:pedump c:\mm.exe
ok, mm.exe is unpacked.
=========================================================================
Shells that are not the genuine ASPack stub but use SEH and similar techniques cannot be unpacked with this method.
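As an added example (my own script, not part of the original article), the following Python applies the EP+0x399 rule to a PE32 file: it follows the section table to the entry point, checks that the stub starts with the PUSHAD / CALL / JMP bytes seen in every listing above and that EP+0x399 holds the B8 opcode, then returns ImageBase + [EP+0x39A]. Since no packed binary ships with this page, build_sample_pe is a constructed, hypothetical one-section PE carrying the Flashget values (EP RVA 0x7001, OEP RVA 0x76D05); the signature check is what makes the script refuse the modified SEH-using shells mentioned above instead of reporting a bogus OEP.

```python
import struct

ASPACK_EP_SIG = bytes.fromhex("60E803000000E9EB045D45")  # PUSHAD; CALL; JMP: bytes every EP above starts with
MOV_EAX_OFF = 0x399  # the B8 opcode is at EP+0x399, so the 32-bit OEP RVA sits at EP+0x39A

def rva_to_offset(data, pe, rva):
    """Map an RVA to a file offset through the section table (pe = offset of the PE signature)."""
    nsec, = struct.unpack_from("<H", data, pe + 6)
    sec = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]  # first section header
    for i in range(nsec):
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, sec + i * 40 + 12)
        if va <= rva < va + raw_size:
            return raw_ptr + rva - va
    raise ValueError("RVA %#x is not backed by any section" % rva)

def find_aspack_oep(data):
    """Return (image_base, oep_va) for a PE32 file whose entry point is this ASPack stub."""
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe + 24  # optional header; PE32 layout only (ImageBase is 8 bytes in PE32+)
    ep_rva, = struct.unpack_from("<I", data, opt + 0x10)
    image_base, = struct.unpack_from("<I", data, opt + 0x1C)
    ep = rva_to_offset(data, pe, ep_rva)
    if data[ep:ep + len(ASPACK_EP_SIG)] != ASPACK_EP_SIG or data[ep + MOV_EAX_OFF] != 0xB8:
        raise ValueError("entry point is not the ASPack stub analysed here (other build or SEH variant?)")
    oep_rva, = struct.unpack_from("<I", data, ep + MOV_EAX_OFF + 1)
    return image_base, image_base + oep_rva

def build_sample_pe(image_base=0x400000, ep_rva=0x7001, oep_rva=0x76D05):
    """Constructed minimal PE32 (not a real packed file): one section holding a fake stub."""
    hdr, raw, pe = bytearray(0x200), bytearray(0x1000), 0x40
    hdr[:2], hdr[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, pe)
    struct.pack_into("<HH", hdr, pe + 4, 0x14C, 1)          # Machine i386, NumberOfSections 1
    struct.pack_into("<H", hdr, pe + 20, 0xE0)              # SizeOfOptionalHeader
    struct.pack_into("<I", hdr, pe + 24 + 0x10, ep_rva)     # AddressOfEntryPoint
    struct.pack_into("<I", hdr, pe + 24 + 0x1C, image_base) # ImageBase
    sec_va, sec = ep_rva & ~0xFFF, pe + 24 + 0xE0
    hdr[sec:sec + 8] = b".aspack\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(raw), sec_va, len(raw), len(hdr))
    off = ep_rva - sec_va                                   # stub position inside the section
    raw[off:off + len(ASPACK_EP_SIG)] = ASPACK_EP_SIG
    raw[off + MOV_EAX_OFF] = 0xB8
    struct.pack_into("<I", raw, off + MOV_EAX_OFF + 1, oep_rva)
    return bytes(hdr + raw)

if __name__ == "__main__":
    base, oep = find_aspack_oep(build_sample_pe())
    print("ImageBase=%#x OEP=%#x" % (base, oep))  # ImageBase=0x400000 OEP=0x476d05
```

On a real file, pass open(path, "rb").read() to find_aspack_oep; the ValueError on a non-matching stub is the signal to fall back to a debugger rather than trust the computed address.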