Manually unpacking PolyCrypt PE
This really wasn't worth a new thread, but since this is only the second packer I have ever unpacked, an important step on the way from almost-newbie to newbie, I'm opening one anyway. What we are unpacking is the PolyCrypt PE from ximo's 《脱壳练习(难度中下)》 (Unpacking Exercises, medium-low difficulty).
Loaded in OD:
0040D00D >  60                pushad
0040D00E    E8 EDFFFFFF       call unpackme.0040D000
0040D013  - EB 80             jmp short unpackme.0040CF95
0040D015    F5                cmc
0040D016    3E:F5             cmc
0040D018    A0 50F53891       mov al, byte ptr ds:
Seeing pushad, anyone who knows a bit about unpacking would reach for the ESP trick, but ximo says that's no fun, so I'll trace it step by step.
0040D00E    E8 EDFFFFFF       call unpackme.0040D000        // F7
0040D000    91                xchg eax, ecx
0040D001    8BF4              mov esi, esp
0040D003    AD                lods dword ptr ds:
0040D004    FEC9              dec cl
0040D006    803408 93         xor byte ptr ds:, 93
0040D00A  ^ E2 FA             loopd short unpackme.0040D006
0040D00C    C3                retn                          // F4, then F7
0040D013  / EB 13             jmp short unpackme.0040D028   // F8
0040D044    B9 11000000       mov ecx, 11
0040D049    66:8B9D 636E400>  mov bx, word ptr ss:
0040D050    E8 C0FFFFFF       call unpackme.0040D015        // F8 until here, then F7
0040D015    66:AD             lods word ptr ds:
0040D017    66:33C3           xor ax, bx
0040D01A    66:AB             stos word ptr es:
0040D01C    02DF              add bl, bh
0040D01E    86DF              xchg bh, bl
0040D020    66:D1CB           ror bx, 1
0040D023    66:43             inc bx
0040D025  ^ E2 EE             loopd short unpackme.0040D015
0040D027    C3                retn                          // F4, then F7
0040D06B    8BFE              mov edi, esi                  ; unpackme.0040D078
0040D06D    B9 F7050000       mov ecx, 5F7
0040D072    E8 9EFFFFFF       call unpackme.0040D015        // F8 until here, then F7
0040D015    66:AD             lods word ptr ds:
0040D017    66:33C3           xor ax, bx
0040D01A    66:AB             stos word ptr es:
0040D01C    02DF              add bl, bh
0040D01E    86DF              xchg bh, bl
0040D020    66:D1CB           ror bx, 1
0040D023    66:43             inc bx
0040D025  ^ E2 EE             loopd short unpackme.0040D015
0040D027    C3                retn                          // F4, then F7
Key point!!!
7C92EAF0    8B1C24            mov ebx, dword ptr ss:
7C92EAF3    51                push ecx
7C92EAF4    53                push ebx
7C92EAF5    E8 C78C0200       call ntdll.7C9577C1
7C92EAFA |. 0AC0              or al, al
7C92EAFC |. 74 0C             je short ntdll.7C92EB0A
7C92EAFE |. 5B                pop ebx                       ; 0012FCA4
7C92EAFF |. 59                pop ecx                       ; 0012FCA4
7C92EB00 |. 6A 00             push 0
7C92EB02 |. 51                push ecx
7C92EB03 |. E8 11EBFFFF       call ntdll.ZwContinue
7C92EB08 |. EB 0B             jmp short ntdll.7C92EB15
7C92EB0A |> 5B                pop ebx                       ; 0012FCA4
7C92EB0B |. 59                pop ecx                       ; 0012FCA4
7C92EB0C |. 6A 00             push 0
7C92EB0E |. 51                push ecx
7C92EB0F |. 53                push ebx
7C92EB10 |. E8 3DF7FFFF       call ntdll.ZwRaiseException
7C92EB15 |> 83C4 EC           add esp, -14
7C92EB18 |. 890424            mov dword ptr ss:, eax        ; unpackme.0040D094
7C92EB1B |. C74424 04 010>    mov dword ptr ss:, 1
7C92EB23 |. 895C24 08         mov dword ptr ss:, ebx
7C92EB27 |. C74424 10 000>    mov dword ptr ss:, 0
7C92EB2F |. 54                push esp
7C92EB30 |. E8 77000000       call ntdll.RtlRaiseException
7C92EB35 \. C2 0800           retn 8
Don't be scared when you land here: ALT+F9 to return to the program's code.
Next, hammer F8!!! Whenever you land in system code, ALT+F9.
Until:
0040D2B4  / 7C 04             jl short unpackme.0040D2BA
0040D2B6 ^| E2 DD             loopd short unpackme.0040D295
0040D2B8  | EB 04             jmp short unpackme.0040D2BE
0040D2BA  \ 42                inc edx
0040D2BB    42                inc edx
0040D2BC  ^ E2 D9             loopd short unpackme.0040D297
0040D2BE    6A 0A             push 0A
0040D2C0    FF95 D56B4000     call near dword ptr ss:       ; kernel32.Sleep
0040D2BE    6A 0A             push 0A
Move the cursor to this line and press F4.
It will lag a bit!
0040D2BC ^\ E2 D9             loopd short unpackme.0040D297
0040D2BE    6A 0A             push 0A
0040D2C0    FF95 D56B4000     call near dword ptr ss:       ; kernel32.Sleep
0040D2C6    5F                pop edi                       ; 0012FFE0
0040D2C7    5E                pop esi                       ; 0012FFE0
0040D2C8    83C7 0C           add edi, 0C
0040D2CB    4E                dec esi
0040D2CC  ^ 75 93             jnz short unpackme.0040D261   // this jumps backwards, so move the cursor to the next line
0040D2CE    8DBD 14644000     lea edi, dword ptr ss:        // move the cursor to this line, F4
Still very laggy!!!
Then hammer F8 again!!! Whenever you land in system code, ALT+F9.
Actually, when you run into an int3 instruction you can also move to the line after it and press F4.
Until:
0040D3BC  / 75 08             jnz short unpackme.0040D3C6
0040D3BE  | 8D85 256B4000     lea eax, dword ptr ss:
0040D3C4  | EB 1E             jmp short unpackme.0040D3E4
0040D3C6  \ 3B85 F16B4000     cmp eax, dword ptr ss:        ; kernel32.GetModuleFileNameA
0040D3CC    75 08             jnz short unpackme.0040D3D6
0040D3CE    8D85 566B4000     lea eax, dword ptr ss:
0040D3D4    EB 0E             jmp short unpackme.0040D3E4
0040D3D6    3B85 F96B4000     cmp eax, dword ptr ss:        ; kernel32.CloseHandle
0040D3DC    75 06             jnz short unpackme.0040D3E4
0040D3DE    8D85 F26A4000     lea eax, dword ptr ss:
0040D3E4    8907              mov dword ptr ds:, eax
0040D3E6    8385 3D6D4000 0>  add dword ptr ss:, 4
0040D3ED  ^ E9 3CFFFFFF       jmp unpackme.0040D32E
0040D3F2    CC                int3
0040D3F3    83C6 14           add esi, 14
0040D3F6    8B95 516D4000     mov edx, dword ptr ss:        ; unpackme.00400000
0040D3FC  ^ E9 FBFEFFFF       jmp unpackme.0040D2FC
0040D401    8DBD D7644000     lea edi, dword ptr ss:
0040D407    32C0              xor al, al
Here is an interesting pair of JMPs:
0040D3ED  ^ E9 3CFFFFFF       jmp unpackme.0040D32E
0040D3FC  ^ E9 FBFEFFFF       jmp unpackme.0040D2FC
Both of these lines jump backwards, so we simply
0040D401    8DBD D7644000     lea edi, dword ptr ss:
move the cursor to this line and press F4.
A dozen or so more F8s and you see:
0040D41A    8985 2B664000     mov dword ptr ss:, eax
0040D420    8B0424            mov eax, dword ptr ss:
0040D423    64:67:A3 0000     mov dword ptr fs:, eax
0040D428    83C4 08           add esp, 8
0040D42B    5D                pop ebp                       ; 0012FFF0
0040D42C    9D                popfd
0040D42D    61                popad
0040D42E    68 CC104000       push unpackme.004010CC
0040D433    C3                retn
Jumped to the OEP. Over!!!
As for dumping... heh, heh, I don't know how.
It should just be a matter of using LOADPE or something like that.

野牛, respect! Loaded in OD:
0040D00D >  60                pushad
0040D00E    E8 EDFFFFFF       call unpackme.0040D000
0040D013  - EB 80             jmp short unpackme.0040CF95
0040D015    F5                cmc
0040D016    3E:F5             cmc
0040D018    A0 50F53891       mov al, byte ptr ds:
Seeing pushad, anyone who knows a bit about unpacking would reach for the ESP trick, but ximo says that's no fun, so I'll trace it step by step.
0040D00E    E8 EDFFFFFF       call unpackme.0040D000        // F7
0040D000    91                xchg eax, ecx
0040D001    8BF4              mov esi, esp
0040D003    AD                lods dword ptr ds:
0040D004    FEC9              dec cl
0040D006    803408 93         xor byte ptr ds:, 93
0040D00A  ^ E2 FA             loopd short unpackme.0040D006
0040D00C    C3                retn                          // F4, then F7
0040D013  / EB 13             jmp short unpackme.0040D028   // F8
0040D044    B9 11000000       mov ecx, 11
0040D049    66:8B9D 636E400>  mov bx, word ptr ss:
0040D050    E8 C0FFFFFF       call unpackme.0040D015        // F8 until here, then F7
0040D015    66:AD             lods word ptr ds:
0040D017    66:33C3           xor ax, bx
0040D01A    66:AB             stos word ptr es:
0040D01C    02DF              add bl, bh
0040D01E    86DF              xchg bh, bl
0040D020    66:D1CB           ror bx, 1
0040D023    66:43             inc bx
0040D025  ^ E2 EE             loopd short unpackme.0040D015
0040D027    C3                retn                          // F4, then F7
0040D06B    8BFE              mov edi, esi                  ; unpackme.0040D078
0040D06D    B9 F7050000       mov ecx, 5F7
0040D072    E8 9EFFFFFF       call unpackme.0040D015        // F8 until here, then F7
0040D015    66:AD             lods word ptr ds:
0040D017    66:33C3           xor ax, bx
0040D01A    66:AB             stos word ptr es:
0040D01C    02DF              add bl, bh
0040D01E    86DF              xchg bh, bl
0040D020    66:D1CB           ror bx, 1
0040D023    66:43             inc bx
0040D025  ^ E2 EE             loopd short unpackme.0040D015
0040D027    C3                retn                          // F4, then F7
Bro, these steps can all be skipped: after loading in OD, just run straight through with F8 until you reach the program's code, then alt+f9 back into the program and you're done.

Wow........ everyone is so skilled.................
Learning from the masters....... Salute to the OP 野牛 and to 蛮牛 on the first floor.
I worship you both.
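As an added example (not code from the original post, from ximo's exercise, or from PolyCrypt PE itself), here is a Python re-implementation of the two decryption loops traced in the OP's listing: the byte loop at 0040D000 (`xor byte ptr [eax+ecx], 93` with ecx counting down after `dec cl`) and the word loop at 0040D015 (`lodsw` / `xor ax, bx` / `stosw` followed by the `add bl, bh` / `xchg bh, bl` / `ror bx, 1` / `inc bx` key schedule). The ten input bytes are the ones the listing shows at 0040D013..0040D01C before the first call (EB 80 F5 3E F5 A0 50 F5 38 91), and the expected output is what the listing shows afterwards (EB 13 66 AD 66 33 C3 66 AB 02). Two things are assumptions because the post does not show them: the value of eax on entry to the first stub (chosen here as 10, just enough iterations to cover those bytes) and the initial bx loaded at 0040D049 for the word loop (a constructed placeholder). The analyst's takeaway is that both layers are plain XOR against a data-independent key stream, so the same routine run twice restores its input and the first layer can be decoded statically from the file without executing it.

```python
# Added example: Python model of the two PolyCrypt PE decryption loops shown in
# the OllyDbg listing. Not the packer's code and not from the original post.

XOR_KEY_LAYER1 = 0x93  # immediate of "xor byte ptr [eax+ecx], 93" at 0040D006


def layer1_xor_bytes(data: bytes, eax_on_entry: int) -> bytes:
    """Emulate the stub at 0040D000.

    xchg eax, ecx            ; ecx = caller's eax, used as the counter
    lodsd                    ; eax = return address (0040D013), base of region
    dec cl                   ; only the low byte of the counter is decremented
    xor byte [eax+ecx], 93   ; decode one byte, highest offset first
    loop                     ; ecx -= 1, repeat while ecx != 0
    retn

    `data` models memory starting at the return address, so index 0 is the
    byte at 0040D013. Offset 0 is never touched: ecx == 0 ends the loop,
    which is why the EB of "EB 80" survives and only 80 becomes 13.
    """
    out = bytearray(data)
    ecx = eax_on_entry & 0xFFFFFFFF
    ecx = (ecx & 0xFFFFFF00) | ((ecx - 1) & 0xFF)  # dec cl (8-bit wrap only)
    if ecx == 0 or ecx >= len(out):
        # The real stub would wrap or run past the region; refuse instead.
        raise ValueError("counter does not fit the modelled region")
    while ecx != 0:
        out[ecx] ^= XOR_KEY_LAYER1
        ecx -= 1  # the loop instruction
    return bytes(out)


def next_key(bx: int) -> int:
    """One step of the key schedule at 0040D01C..0040D024:
    add bl, bh ; xchg bh, bl ; ror bx, 1 ; inc bx"""
    bl, bh = bx & 0xFF, (bx >> 8) & 0xFF
    bl = (bl + bh) & 0xFF                          # add bl, bh
    bh, bl = bl, bh                                # xchg bh, bl
    bx = (bh << 8) | bl
    bx = ((bx >> 1) | ((bx & 1) << 15)) & 0xFFFF   # ror bx, 1
    return (bx + 1) & 0xFFFF                       # inc bx


def layer2_xor_words(data: bytes, bx: int, count: int) -> bytes:
    """Emulate the routine at 0040D015 for `count` little-endian 16-bit words
    (the ecx the caller sets: 0x11 and 0x5F7 in the listing). The key stream
    depends only on the initial bx, so applying this twice restores the input."""
    if len(data) < 2 * count:
        raise ValueError("region shorter than count words")
    out = bytearray(data)
    for i in range(count):
        off = 2 * i
        w = out[off] | (out[off + 1] << 8)              # lodsw
        w ^= bx & 0xFFFF                                # xor ax, bx
        out[off], out[off + 1] = w & 0xFF, w >> 8       # stosw
        bx = next_key(bx)
    return bytes(out)


# Bytes at 0040D013..0040D01C as the listing shows them before the first call
LAYER1_BEFORE = bytes.fromhex("EB80F53EF5A050F53891")
# ... and as the listing shows them after it (jmp short +13, lodsw, xor ax,bx, ...)
LAYER1_AFTER = bytes.fromhex("EB1366AD6633C366AB02")

if __name__ == "__main__":
    # eax_on_entry = 10 is an assumption: enough iterations to cover the bytes
    decoded = layer1_xor_bytes(LAYER1_BEFORE, 10)
    print("layer 1:", decoded.hex().upper(), "ok" if decoded == LAYER1_AFTER else "MISMATCH")
    # Round trip through the word loop with a constructed key and plaintext
    plain = b"constructed plaintext!"        # 22 bytes = 11 words
    enc = layer2_xor_words(plain, 0x1234, 11)  # 0x1234 is a placeholder key
    print("layer 2 round trip:", layer2_xor_words(enc, 0x1234, 11) == plain)
```

The check against the listing is the interesting part: every byte at 0040D014 and after differs from its decoded value by exactly 0x93 (80→13, F5→66, 3E→AD, A0→33, 50→C3, 38→AB, 91→02), which is what lets you confirm the loop's semantics without single-stepping it again. For the second layer the initial bx comes from memory the listing does not show, so a static decoder would have to recover that word from the file first; the key schedule itself is fully determined by the four instructions after the `stosw`.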