WinKawaks 1.45脫殼筆記
最近有朋友問UPX + cryptor的殼怎麼脫,我還真以為是UPX + cryptor的殼呢,結果下載了一看fi2.5顯示為UPX + cryptor,但是我要說這次FI錯了,因為我從來沒有遇到UPX + cryptor裡面有int3的.
後來有朋友說是老王的NC?(什麼東東?)加的殼?,我如在雲裡霧裡.不管它,先脫著試試.
0187:00732060 50            PUSH EAX            //載入後停在這裡
0187:00732061 51            PUSH ECX
0187:00732062 52            PUSH EDX
0187:00732063 53            PUSH EBX
0187:00732064 54            PUSH ESP
0187:00732065 55            PUSH EBP
0187:00732066 56            PUSH ESI
0187:00732067 57            PUSH EDI
0187:00732068 E800000000    CALL 0073206D       //這裡進去,然後就一路F10
0187:0073206D 5D            POP EBP
0187:0073206E 81ED1E1C4000  SUB EBP,00401C1E    //EBP = 0073206D-00401C1E = 0033044F,後面所有 [EBP+0040xxxx] 都用這個 delta 換算
0187:00732074 B97B090000    MOV ECX,097B
0187:00732079 8DBD661C4000  LEA EDI,[EBP+00401C66]
0187:0073207F 8BF7          MOV ESI,EDI
0187:00732081 AC            LODSB
......
0187:007320B3 E2CC          LOOP 00732081       //這裡g 007320B5 (EBP+00401C66 算出來正好是 007320B5:這個 LODSB 迴圈把從這裡開始的 097B 個 byte 就地解碼,所以下面列出的還是沒解開的亂碼,不能單步跟進去)
0187:007320B5 8B6901        MOV EBP,[ECX+01]
0187:007320B8 FFA37D9888F6  JMP NEAR [EBX+F688987D]
0187:007320BE 1BFA          SBB EDI,EDX
0187:007320C0 E195          LOOPE 00732057
0187:007320C2 94            XCHG EAX,ESP
0187:007320C3 15D494AA74    ADC EAX,74AA94D4
0187:007320C8 0FB65F0F      MOVZX EBX,BYTE [EDI+0F]
0187:007320CC 18F1          SBB CL,DH
0187:007320CE D20E          ROR BYTE [ESI],CL
0187:007320D0 CDA7          INT A7
0187:007320D2 B0A0          MOV AL,A0
......
0187:00732113 CC            INT3                //在這裡下斷 bpx 0073277C
0187:00732114 8BEF          MOV EBP,EDI
0187:00732116 33DB          XOR EBX,EBX
0187:00732118 648F03        POP DWORD [FS:EBX]
0187:0073211B 83C404        ADD ESP,BYTE +04
0187:0073211E 3C04          CMP AL,04
0187:00732120 7405          JZ 00732127
0187:00732122 EB01          JMP SHORT 00732125
0187:00732124 E961C38B85    JMP 85FEE48A
0187:00732129 8F            DB 8F
0187:0073212A 234000        AND EAX,[EAX+00]
0187:0073212D 03403C        ADD EAX,[EAX+3C]
0187:00732130 0580000000    ADD EAX,80
0187:00732135 8B08          MOV ECX,[EAX]
0187:00732137 038D8F234000  ADD ECX,[EBP+0040238F]
......
0187:0073277C 55            PUSH EBP            //ok,斷下了,再F10吧!
0187:0073277D 8BEC          MOV EBP,ESP
0187:0073277F 57            PUSH EDI
0187:00732780 8B4510        MOV EAX,[EBP+10]
0187:00732783 8BB89C000000  MOV EDI,[EAX+9C]
0187:00732789 FFB717254000  PUSH DWORD [EDI+00402517]
0187:0073278F 8F80B8000000  POP DWORD [EAX+B8]
0187:00732795 89B8B4000000  MOV [EAX+B4],EDI
0187:0073279B C780B00000000400+MOV DWORD [EAX+B0],04
0187:007327A5 B800000000    MOV EAX,00
0187:007327AA 5F            POP EDI
0187:007327AB C9            LEAVE
0187:007327AC C3            RET
//這段就是處理那個 INT3 的 SEH handler:[EBP+10] 是第三個參數 CONTEXT,+9C/+B8/+B4/+B0 對應 x86 CONTEXT 的 Edi/Eip/Ebp/Eax,它把 Eip 改成 [EDI+00402517]、Ebp 設成 EDI、Eax 設成 4,然後回傳 0 (繼續執行);後面 0073211E 的 CMP AL,04 檢查的就是這個 4.
//最後到00732114
0187:007327AD 55            PUSH EBP
......
0187:00732112 FFCC          DEC ESP
0187:00732114 8BEF          MOV EBP,EDI         //停在這裡(簡單的辦法,載入後輸入i3here on;g,就可以直接停在這裡)
0187:00732116 33DB          XOR EBX,EBX
0187:00732118 648F03        POP DWORD [FS:EBX]  //卸掉 INT3 用的 SEH frame
0187:0073211B 83C404        ADD ESP,BYTE +04
0187:0073211E 3C04          CMP AL,04           //AL 是 0073277C 那個 handler 寫進 CONTEXT.Eax 的 4;如果 INT3 被偵錯器吃掉、handler 沒跑過,AL 就不是 4
0187:00732120 7405          JZ 00732127         //00732127 的 bytes 8B 85 8F 23 40 00 = MOV EAX,[EBP+0040238F]
0187:00732122 EB01          JMP SHORT 00732125  //00732125 是 61 C3 = POPA/RET,直接走人;下面那個 JMP 85FEE48A 是錯位反編譯出來的
0187:00732124 E961C38B85    JMP 85FEE48A
0187:00732129 8F            DB 8F
0187:0073212A 234000        AND EAX,[EAX+00]
0187:0073212D 03403C        ADD EAX,[EAX+3C]    //[EBP+0040238F] 看來是 image base:+3C 是 e_lfanew
0187:00732130 0580000000    ADD EAX,80          //PE header +80 = import directory 的 RVA
0187:00732135 8B08          MOV ECX,[EAX]
0187:00732137 038D8F234000  ADD ECX,[EBP+0040238F]
......
0187:0073261A 0F85B4FEFFFF  JNZ NEAR 007324D4 (JUMP)  //g 00732620
0187:00732620 33C0          XOR EAX,EAX
0187:00732622 40            INC EAX
0187:00732623 83F801        CMP EAX,BYTE +01
0187:00732626 7402          JZ 0073262A
0187:00732628 61            POPA
0187:00732629 C3            RET
0187:0073262A F785972340000200+TEST DWORD [EBP+00402397],02
0187:00732634 7418          JZ 0073264E
0187:00732636 8BBD8F234000  MOV EDI,[EBP+0040238F]
0187:0073263C 037F3C        ADD EDI,[EDI+3C]
0187:0073263F 8B4F54        MOV ECX,[EDI+54]
0187:00732642 8BB58F234000  MOV ESI,[EBP+0040238F]
......
0187:00732676 8DBD42224000  LEA EDI,[EBP+00402242]
0187:0073267C 8BF7          MOV ESI,EDI
0187:0073267E B9DF000000    MOV ECX,DF
0187:00732683 33DB          XOR EBX,EBX
0187:00732685 AC            LODSB
0187:00732686 3479          XOR AL,79
0187:00732688 2AC3          SUB AL,BL
0187:0073268A C0C002        ROL AL,02
0187:0073268D AA            STOSB
0187:0073268E 43            INC EBX
0187:0073268F E2F4          LOOP 00732685       //g 00732691 (同樣,EBP+00402242 = 00732691,這個迴圈就地解開 DF 個 byte,下面是解開前的亂碼)
0187:00732691 8D1B          LEA EBX,[EBX]
0187:00732693 8C            DB 8C
0187:00732694 356D7C637F    XOR EAX,7F637C6D
0187:00732699 0C6C          OR AL,6C
......
0187:00732752 AA            STOSB
0187:00732753 E2FD          LOOP 00732752       //g 00732755
0187:00732755 8DBD21234000  LEA EDI,[EBP+00402321]
0187:0073275B B9C0020000    MOV ECX,02C0
0187:00732760 AA            STOSB
0187:00732761 E2FD          LOOP 00732760       //g 00732763 (這個迴圈從 EBP+00402321 = 00732770 起用 AL 覆寫 02C0 個 byte,看來是把這層自己已經跑完的程式碼(含 0073277C 那個 handler)抹掉,之後再想看這段就看不到了)
0187:00732763 61            POPA
0187:00732764 50            PUSH EAX
0187:00732765 33C0          XOR EAX,EAX
0187:00732767 64FF30        PUSH DWORD [FS:EAX]
0187:0073276A 648920        MOV [FS:EAX],ESP    //又裝了一個 SEH frame,handler 就是剛 PUSH 的 EAX
......
0187:0072FAC0 7507          JNZ 0072FAC9
0187:0072FAC2 8B1E          MOV EBX,[ESI]
0187:0072FAC4 83EEFC        SUB ESI,BYTE -04
0187:0072FAC7 11DB          ADC EBX,EBX
0187:0072FAC9 72ED          JC 0072FAB8 (JUMP)  //g 0072FACB
0187:0072FACB B801000000    MOV EAX,01
0187:0072FAD0 01DB          ADD EBX,EBX
0187:0072FAD2 7507          JNZ 0072FADB
0187:0072FAD4 8B1E          MOV EBX,[ESI]
0187:0072FAD6 83EEFC        SUB ESI,BYTE -04
0187:0072FAD9 11DB          ADC EBX,EBX
0187:0072FADB 11C0          ADC EAX,EAX
0187:0072FADD 01DB          ADD EBX,EBX
0187:0072FADF 730B          JNC 0072FAEC
0187:0072FAE1 7519          JNZ 0072FAFC
......
0187:0072FB68 75F7          JNZ 0072FB61 (JUMP) //g 0072FB6A
0187:0072FB6A E94FFFFFFF    JMP 0072FABE
0187:0072FB6F 90            NOP
0187:0072FB70 8B02          MOV EAX,[EDX]
......
0187:0072FAC9 72ED          JC 0072FAB8 (JUMP)  //g 0072FACB
0187:0072FACB B801000000    MOV EAX,01
0187:0072FAD0 01DB          ADD EBX,EBX
0187:0072FAD2 7507          JNZ 0072FADB
0187:0072FAD4 8B1E          MOV EBX,[ESI]
0187:0072FAD6 83EEFC        SUB ESI,BYTE -04
0187:0072FAD9 11DB          ADC EBX,EBX
0187:0072FADB 11C0          ADC EAX,EAX
0187:0072FADD 01DB          ADD EBX,EBX
......
0187:0072FB81 E938FFFFFF    JMP 0072FABE        //g 0072FB86
0187:0072FB86 5E            POP ESI
0187:0072FB87 89F7          MOV EDI,ESI
0187:0072FB89 B939200000    MOV ECX,2039
0187:0072FB8E 8A07          MOV AL,[EDI]
0187:0072FB90 47            INC EDI
0187:0072FB91 2CE8          SUB AL,E8           //找 E8/E9 (CALL/JMP) 修相對位址,UPX stub 的標準做法
0187:0072FB93 3C01          CMP AL,01
0187:0072FB95 77F7          JA 0072FB8E
......
0187:0072FB97 803F15        CMP BYTE [EDI],15
0187:0072FB9A 75F2          JNZ 0072FB8E        //g 0072FB9C
0187:0072FB9C 8B07          MOV EAX,[EDI]
0187:0072FB9E 8A5F04        MOV BL,[EDI+04]
0187:0072FBA1 66C1E808      SHR AX,08
0187:0072FBA5 C1C010        ROL EAX,10
0187:0072FBA8 86C4          XCHG AL,AH
0187:0072FBAA 29F8          SUB EAX,EDI
0187:0072FBAC 80EBE8        SUB BL,E8
......
0187:0072FBB8 E2D9          LOOP 0072FB93       //g 0072FBBA
0187:0072FBBA 8DBE00D03200  LEA EDI,[ESI+0032D000]
0187:0072FBC0 8B07          MOV EAX,[EDI]
0187:0072FBC2 09C0          OR EAX,EAX
0187:0072FBC4 7445          JZ 0072FC0B         //import 表走完就跳去 OEP 前的 POPA
0187:0072FBC6 8B5F04        MOV EBX,[EDI+04]
0187:0072FBC9 8D84308C0A3300 LEA EAX,[EAX+ESI+00330A8C]
0187:0072FBD0 01F3          ADD EBX,ESI
0187:0072FBD2 50            PUSH EAX
0187:0072FBD3 83C708        ADD EDI,BYTE +08
0187:0072FBD6 FF967C0B3300  CALL NEAR [ESI+00330B7C]  //每個 DLL 呼叫一次,看來是 LoadLibraryA
......
0187:0072FBEF 57            PUSH EDI
0187:0072FBF0 48            DEC EAX
0187:0072FBF1 F2AE          REPNE SCASB         //掃過 API 名稱字串
0187:0072FBF3 55            PUSH EBP
0187:0072FBF4 FF96800B3300  CALL NEAR [ESI+00330B80]  //看來是 GetProcAddress
0187:0072FBFA 09C0          OR EAX,EAX
0187:0072FBFC 7407          JZ 0072FC05
0187:0072FBFE 8903          MOV [EBX],EAX       //把取到的位址填進 IAT
0187:0072FC00 83C304        ADD EBX,BYTE +04
0187:0072FC03 EBD8          JMP SHORT 0072FBDD
0187:0072FC05 FF96840B3300  CALL NEAR [ESI+00330B84]
0187:0072FC0B 61            POPA                //看上去還真象是UPX加殼的. (0072FB8E 修 E8/E9 的迴圈,加上這段用 REPNE SCASB 掃名稱、呼叫 [ESI+00330B7C]/[ESI+00330B80] 再寫 [EBX] 的 import 重建迴圈,都是標準 UPX stub 的尾巴)
0187:0072FC0C E903F6DBFF    JMP 004EF214        //看到這裡嗎,跳oep了哦! (OEP=004EF214;在這裡 dump 之後 import 還要另外修,因為 IAT 是剛才那個迴圈在記憶體裡填的)
0187:0072FC11 0000          ADD [EAX],AL
0187:0072FC13 0000          ADD [EAX],AL
後記:我所有寫的脫殼文章裡,這次是我U得最多的,以往幾次就搞定了,這次卻用了20餘次,這個殼裡面太複雜,稍不小心就不知道跳到什麼地方去了,所以寫的詳細一點.應該可以節約不少時間.
聽說是加的2層殼,我不知道加的是哪2層,沒有仔細分析過,估計73xxxx是一層,然後跳到72xxxx又是一層(這一層應該是UPX);從上面的trace看,73xxxx那層做的是就地解碼、INT3+SEH反偵錯和把自己抹掉,72xxxx那層則是標準的UPX解壓和import重建.
flyfancy
http://flyfancy.126.com