Manually unpacking ASPack 2.x (without poly) -> Alexey Solodovnikov
Newbie post, just for fun; veterans, feel free to skip. A friend gave me a virus (sample in the attachment, password: virus) and asked me to have a go at unpacking it. PEiD identified it as ASPack 2.12 -> Alexey Solodovnikov, and the ESP trick in OD got through that layer easily. Checking again with PEiD showed there was still another layer; a deep scan reported ASPack 2.x (without poly) -> Alexey Solodovnikov, so let's keep unpacking.

00425000 >E8 04000000 call youhua.00425009 ; F7 step into
00425005 0000 add byte ptr ds:[eax],al
00425007 0000 add byte ptr ds:[eax],al
00425009 58 pop eax
0042500A 8338 00 cmp dword ptr ds:[eax],0
I basically followed the rule: step into near calls, step over far calls; step over near jumps, step into far jumps. Step-overs of that kind are not written out below.
0044C088 /78 18 js short youhua.0044C0A2
0044C08A |03C7 add eax,edi
0044C08C |0D 9C7BCB0C or eax,0CCB7B9C
0044C091^|E9 DEFFFFFF jmp youhua.0044C074
0044C096 |EB 07 jmp short youhua.0044C09F
0044C098 |BB 54A374A1 mov ebx,A174A354
0044C09D^|74 A7 je short youhua.0044C046
0044C09F |83E8 42 sub eax,42
0044C0A2 \1BC4 sbb eax,esp ; F4 run to here
I tried F4 to 0044C098, but the program ran away, so I looked further up for another jump, found js short youhua.0044C0A2, and F4'd to there.
0045E92E /74 3C je short youhua.0045E96C
0045E930 |8B5F 04 mov ebx,dword ptr ds:[edi+4]
0045E933 |8D8430 E0E30500 lea eax,dword ptr ds:[eax+esi+5E3E0]
0045E93A |01F3 add ebx,esi
0045E93C |50 push eax
0045E93D |83C7 08 add edi,8
0045E940 |FF96 08E20500 call dword ptr ds:[esi+5E208]
0045E946 |95 xchg eax,ebp
0045E947 |8A07 mov al,byte ptr ds:[edi]
0045E949 |47 inc edi
0045E94A |08C0 or al,al
0045E94C^|74 DC je short youhua.0045E92A
0045E94E |89F9 mov ecx,edi
0045E950 |57 push edi
0045E951 |48 dec eax
0045E952 |F2:AE repne scas byte ptr es:[edi]
0045E954 |55 push ebp
0045E955 |FF96 0CE20500 call dword ptr ds:[esi+5E20C]
0045E95B |09C0 or eax,eax
0045E95D |74 07 je short youhua.0045E966
0045E95F |8903 mov dword ptr ds:[ebx],eax
0045E961 |83C3 04 add ebx,4
0045E964^|EB E1 jmp short youhua.0045E947
0045E966 |FF96 30E20500 call dword ptr ds:[esi+5E230]
0045E96C \61 popad ; break here
This is also a loop. At first I saw je short youhua.0045E966 and thought I could F4 to 0045E966, but the program ran away. After a few tries I noticed that jmp short youhua.0045E947 always jumps to 0045E947, and then je short youhua.0045E92A goes to 0045E92A. Then I spotted je short youhua.0045E96C, F4'd to 0045E96C, and everything was fine. A later loop uses the same approach.
004220FD 49 dec ecx
004220FE^ 75 F7 jnz short youhua.004220F7
00422100^ E9 4AFFFFFF jmp youhua.0042204F ; break
00422105 8B02 mov eax,dword ptr ds:[edx]
00422107 83C2 04 add edx,4
0042210A 8907 mov dword ptr ds:[edi],eax
0042210C 83C7 04 add edi,4
0042210F 83E9 04 sub ecx,4
00422112^ 77 F1 ja short youhua.00422105
00422114 01CF add edi,ecx
00422116^ E9 34FFFFFF jmp youhua.0042204F ; break
0042211B 5E pop esi ; youhua.00419000
Here I just tried breaking there and, surprisingly, it was fine.
00422159 /74 3C je short youhua.00422197
0042215B |8B5F 04 mov ebx,dword ptr ds:[edi+4]
0042215E |8D8430 00A00000 lea eax,dword ptr ds:[eax+esi+A000]
00422165 |01F3 add ebx,esi
00422167 |50 push eax
00422168 |83C7 08 add edi,8
0042216B |FF96 64A00000 call dword ptr ds:[esi+A064]
00422171 |95 xchg eax,ebp
00422172 |8A07 mov al,byte ptr ds:[edi]
00422174 |47 inc edi
00422175 |08C0 or al,al
00422177^|74 DC je short youhua.00422155
00422179 |89F9 mov ecx,edi
0042217B |57 push edi
0042217C |48 dec eax
0042217D |F2:AE repne scas byte ptr es:[edi]
0042217F |55 push ebp
00422180 |FF96 68A00000 call dword ptr ds:[esi+A068]
00422186 |09C0 or eax,eax
00422188 |74 07 je short youhua.00422191
0042218A |8903 mov dword ptr ds:[ebx],eax
0042218C |83C3 04 add ebx,4
0042218F^|EB E1 jmp short youhua.00422172
00422191 |61 popad
00422192 |31C0 xor eax,eax
00422194 |C2 0C00 retn 0C
00422197 \83C7 04 add edi,4 ; jumps here
Same approach here as for the previous big loop.
004221C0 66:8B07 mov ax,word ptr ds:[edi]
004221C3 83C7 02 add edi,2
004221C6^ EB E2 jmp short youhua.004221AA
004221C8 61 popad
004221C9^ E9 D389FFFF jmp youhua.0041ABA1 ; jump to OEP
Take that big jump and you are at the OEP; unpack, dump, and you're done.

I love posts like this.
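The last step of the post is spotting the popad ; jmp sequence that leaves the stub and reading off the OEP from it. The following is an added example, not code from the original post: it scans a raw code dump for that tail, resolves the rel32 of the jmp to an absolute address (rel32 is relative to the end of the 5-byte instruction), and applies a plausibility check before trusting the result. The push OEP ; retn pattern, the image base and the stub address range are assumptions, not values from the post.

```python
import struct

# Constructed sample: the tail of the second-layer stub listed above, starting
# at 004221C0 (bytes taken from the opcode column of that listing):
#   66 8B 07         mov ax,word ptr [edi]
#   83 C7 02         add edi,2
#   EB E2            jmp short 004221AA
#   61               popad
#   E9 D3 89 FF FF   jmp 0041ABA1       ; the "big jump" to the OEP
STUB_BASE = 0x004221C0
STUB_BYTES = bytes.fromhex("668B07" "83C702" "EBE2" "61" "E9D389FFFF")


def find_oep_candidates(code: bytes, base: int):
    """Scan raw x86 code for the sequences an ASPack stub uses to hand control
    to the unpacked program; return (tail_address, oep) pairs.

    Pattern A: 61 E9 rel32   popad ; jmp OEP    (as in the listing above)
    Pattern B: 68 imm32 C3   push OEP ; retn    (assumed for other ASPack builds)

    A near jmp's rel32 is relative to the byte after the 5-byte jmp, so
    OEP = jmp_address + 5 + rel32.  This is a byte scan, not a disassembly,
    so a hit inside an operand is possible; verify candidates in the debugger.
    """
    hits = []
    for i in range(len(code) - 5):          # both patterns need 6 bytes
        if code[i] == 0x61 and code[i + 1] == 0xE9:        # popad ; jmp rel32
            rel32 = struct.unpack_from("<i", code, i + 2)[0]
            jmp_va = base + i + 1
            hits.append((base + i, (jmp_va + 5 + rel32) & 0xFFFFFFFF))
        elif code[i] == 0x68 and code[i + 5] == 0xC3:     # push imm32 ; retn
            hits.append((base + i, struct.unpack_from("<I", code, i + 1)[0]))
    return hits


def looks_like_oep(oep: int, image_base: int, size_of_image: int,
                   stub_lo: int, stub_hi: int) -> bool:
    """Cheap plausibility check: the target must lie inside the mapped image and
    outside the packer stub's own code (here the stub jumps backwards into the
    original code: 0041ABA1 < 004221C0)."""
    in_image = image_base <= oep < image_base + size_of_image
    return in_image and not (stub_lo <= oep < stub_hi)


if __name__ == "__main__":
    for tail, oep in find_oep_candidates(STUB_BYTES, STUB_BASE):
        print(f"tail at {tail:08X} -> OEP candidate {oep:08X}")
```

On the sample bytes it reports the tail at 004221C8 and the OEP candidate 0041ABA1, matching the jump in the listing.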
Bump.
Superb post, bump.
Just love posts like this, mega bump.
Like it; posts like this have to be bumped.
Haha.....
Must study this post carefully.
Good, but I don't really understand it.
Posts like this are my favorite.
Not bad, learning from it.
Taking a look; bookmarked.