ASPack的OEP的簡易查詢方法，以及實踐 (8千字)

=================================================================
=
= inside Pandora's Box - iPB
= Open Cracking Group - OCG
=
=
= DiKeN/iPB
=================================================================
================================================================================

雖然使用了很多花指令,但指令流還是一樣

=========Calc.exe
0101B001 >60 PUSHAD
0101B002 E8 03000000 CALL CALC.0101B00A
0101B007 E9 EB045D45 JMP 465EB4F7
0101B00C 55 PUSH EBP
0101B00D C3 RETN
0101B00E E8 01000000 CALL CALC.0101B014
0101B013 EB 5D JMP SHORT CALC.0101B072
0101B015 BB EDFFFFFF MOV EBX,-13
0101B01A 03DD ADD EBX,EBP
0101B01C 81EB 00B00100 SUB EBX,1B000========>
0101B022 83BD 22040000 00 CMP DWORD PTR SS:[EBP+422],0
0101B029 899D 22040000 MOV DWORD PTR SS:[EBP+422],EBX<=====儲存ImageBase
0101B02F 0F85 65030000 JNZ CALC.0101B39A

0101B035 8D85 2E040000 LEA EAX,DWORD PTR SS:[EBP+42E]
0101B03B 50 PUSH EAX
0101B03C FF95 4D0F0000 CALL DWORD PTR SS:[EBP+F4D]
0101B042 8985 26040000 MOV DWORD PTR SS:[EBP+426],EAX
0101B048 8BF8 MOV EDI,EAX
0101B04A 8D5D 5E LEA EBX,DWORD PTR SS:[EBP+5E]
0101B04D 53 PUSH EBX
0101B04E 50 PUSH EAX
0101B04F FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]====>GetProcAddress(VirtualAlloc)
0101B055 8985 4D050000 MOV DWORD PTR SS:[EBP+54D],EAX
0101B05B 8D5D 6B LEA EBX,DWORD PTR SS:[EBP+6B]
0101B05E 53 PUSH EBX
0101B05F 57 PUSH EDI
0101B060 FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]====>GetProcAddress(VirtualFree)
0101B066 8985 51050000 MOV DWORD PTR SS:[EBP+551],EAX
0101B06C 8D45 77 LEA EAX,DWORD PTR SS:[EBP+77]
0101B06F FFE0 JMP EAX
......
......
緊接著分配記憶體,進行解碼
...........
...........
...........

0101B389 8946 10 MOV DWORD PTR DS:[ESI+10],EAX
0101B38C 83C6 14 ADD ESI,14
0101B38F 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
0101B395 E9 EBFEFFFF JMP CALC.0101B285
0101B39A B8 E0190100 MOV EAX,119E0<==================這兒就是OEP的VA地址
0101B39F 50 PUSH EAX

******************************************************************************************************
=========Notepad
00411001 >60 PUSHAD
00411002 E8 03000000 CALL NOTEPAD.0041100A
00411007 E9 EB045D45 JMP 459E14F7
0041100C 55 PUSH EBP
0041100D C3 RETN
0041100E E8 01000000 CALL NOTEPAD.00411014
00411013 EB 5D JMP SHORT NOTEPAD.00411072
00411015 BB EDFFFFFF MOV EBX,-13
0041101A 03DD ADD EBX,EBP
0041101C 81EB 00100100 SUB EBX,11000
00411022 83BD 22040000 00 CMP DWORD PTR SS:[EBP+422],0
00411029 899D 22040000 MOV DWORD PTR SS:[EBP+422],EBX<=====儲存ImageBase
0041102F 0F85 65030000 JNZ NOTEPAD.0041139A
00411035 8D85 2E040000 LEA EAX,DWORD PTR SS:[EBP+42E]===>Kernel32.dll

0041103B 50 PUSH EAX
0041103C FF95 4D0F0000 CALL DWORD PTR SS:[EBP+F4D]
00411042 8985 26040000 MOV DWORD PTR SS:[EBP+426],EAX
00411048 8BF8 MOV EDI,EAX
0041104A 8D5D 5E LEA EBX,DWORD PTR SS:[EBP+5E]
0041104D 53 PUSH EBX
0041104E 50 PUSH EAX
0041104F FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]====>GetProcAddress(VirtualAlloc)
00411055 8985 4D050000 MOV DWORD PTR SS:[EBP+54D],EAX
0041105B 8D5D 6B LEA EBX,DWORD PTR SS:[EBP+6B]
0041105E 53 PUSH EBX
0041105F 57 PUSH EDI
00411060 FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]====>GetProcAddress(VirtualFree)
00411066 8985 51050000 MOV DWORD PTR SS:[EBP+551],EAX
0041106C 8D45 77 LEA EAX,DWORD PTR SS:[EBP+77]
0041106F FFE0 JMP EAX
......
......
緊接著分配記憶體,進行解碼
...........
...........
...........
0041136C 8D85 C6040000 LEA EAX,DWORD PTR SS:[EBP+4C6]
00411372 50 PUSH EAX
00411373 57 PUSH EDI
00411374 EB 4A JMP SHORT NOTEPAD.004113C0
00411376 8907 MOV DWORD PTR DS:[EDI],EAX
00411378 8385 49050000 04 ADD DWORD PTR SS:[EBP+549],4
0041137F E9 32FFFFFF JMP NOTEPAD.004112B6
00411384 8906 MOV DWORD PTR DS:[ESI],EAX
00411386 8946 0C MOV DWORD PTR DS:[ESI+C],EAX
00411389 8946 10 MOV DWORD PTR DS:[ESI+10],EAX
0041138C 83C6 14 ADD ESI,14
0041138F 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
00411395 E9 EBFEFFFF JMP NOTEPAD.00411285

0041139A B8 CC100000 MOV EAX,10CC=========================>???偏移多少?
0041139F 50 PUSH EAX
004113A0 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
004113A6 59 POP ECX
004113A7 0BC9 OR ECX,ECX
004113A9 8985 A8030000 MOV DWORD PTR SS:[EBP+3A8],EAX
004113AF 61 POPAD
004113B0 75 08 JNZ SHORT NOTEPAD.004113BA

0101B389 8946 10 MOV DWORD PTR DS:[ESI+10],EAX
0101B38C 83C6 14 ADD ESI,14
0101B38F 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
0101B395 E9 EBFEFFFF JMP CALC.0101B285
0101B39A B8 E0190100 MOV EAX,119E0<==================這兒就是OEP的VA地址
0101B39F 50 PUSH EAX

=========================================================================
最後比較法發現,EP+0x399均為指令MOV EAX,????????
也就是說原始OEP為
ImageBase+[EP+0x39A]

******************************************************************************************************
=========================================================================
下面看看Aspack壓縮LordPE的結果
=========================================================================
00432001 >60 PUSHAD
00432002 E8 03000000 CALL LORDPEP.0043200A
00432007 E9 EB045D45 JMP 45A024F7
0043200C 55 PUSH EBP
0043200D C3 RETN
/************************
00432001+399=43239A
************************/
00432395 E9 EBFEFFFF JMP LORDPEP.00432285
0043239A B8 103E0000 MOV EAX,3E10
0043239F 50 PUSH EAX
004323A0 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]==========>ImageBase
004323A6 59 POP ECX
004323A7 0BC9 OR ECX,ECX
004323A9 8985 A8030000 MOV DWORD PTR SS:[EBP+3A8],EAX
004323AF 61 POPAD
/************************
OEP=00400000+3E10=403E10
************************/
=========================================================================

******************************************************************************************************
哈哈,搞定,再來看一個大一點的檔案,Flashget如何
00507001 >60 PUSHAD
00507002 E8 03000000 CALL JETCAR.0050700A
00507007 E9 EB045D45 JMP 45AD74F7
0050700C 55 PUSH EBP
0050700D C3 RETN
0050700E E8 01000000 CALL JETCAR.00507014
00507013 EB 5D JMP SHORT JETCAR.00507072
00507015 BB EDFFFFFF MOV EBX,-13
0050701A 03DD ADD EBX,EBP
0050701C 81EB 00701000 SUB EBX,107000
00507022 83BD 22040000 00 CMP DWORD PTR SS:[EBP+422],0
00507029 899D 22040000 MOV DWORD PTR SS:[EBP+422],EBX

計算Mov指令地址
507001+399=50739A

到指令50739A看看
0050738F 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
00507395 E9 EBFEFFFF JMP JETCAR.00507285
0050739A B8 056D0700 MOV EAX,76D05<==================這兒就是OEP的VA地址
0050739F 50 PUSH EAX
005073A0 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]==========>ImageBase
005073A6 59 POP ECX
005073A7 0BC9 OR ECX,ECX
005073A9 8985 A8030000 MOV DWORD PTR SS:[EBP+3A8],EAX
005073AF 61 POPAD
計算OEP
OEP=ImageBase+[EP+39A]
=400000+[507001+39A]
=400000+76D05
=476D05
=========================================================================

******************************************************************************************************
正確.再來使用TRW2000脫一個看看如何,使用Aspack壓縮UltraEdit
004D3001 >60 PUSHAD
004D3002 E8 03000000 CALL UEDIT32.004D300A
004D3007 E9 EB045D45 JMP 45AA34F7
004D300C 55 PUSH EBP

004D339A B8 D0850400 MOV EAX,485D0
004D339F 50 PUSH EAX

:u 4d339A
:bpx 4485d0
:g
:bc *
:pedump c:\mm.exe

ok,mm.exe脫殼完成
=========================================================================
ASPack的殼,不是自身,採用了SEH等技術,不能用此方法脫殼
=================================================================
=
= inside Pandora's Box - iPB
= Open Cracking Group - OCG
=
=
= DiKeN/iPB
=================================================================

ASPack的OEP的簡易查詢方法，以及實踐 (8千字)

相關文章