好友
阅读权限10
听众
最后登录1970-1-1
|
本帖最后由 Yexiao 于 2011-2-24 20:34 编辑
加壳默认区段名:nsp0和nsp1
这一类的压缩壳,大部分可以用单步跟踪,和ESP定律.
入口一个
0040101B > $- E9 BD510000 jmp ke.004061DD
________________________________________
跳到这里.
004061DD 9C pushfd
004061DE 60 pushad
004061DF E8 00000000 call ke.004061E4 ; 如果用ESP定律,在这个位置的ESP下断.
004061E4 5D pop ebp
004061E5 B8 07000000 mov eax,7
004061EA 2BE8 sub ebp,eax
004061EC 8DB5 77FEFFFF lea esi,dword ptr ss:[ebp-189]
004061F2 8B06 mov eax,dword ptr ds:[esi]
004061F4 83F8 00 cmp eax,0
004061F7 74 11 je short ke.0040620A
004061F9 8DB5 9FFEFFFF lea esi,dword ptr ss:[ebp-161]
004061FF 8B06 mov eax,dword ptr ds:[esi]
00406201 83F8 01 cmp eax,1
00406204 0F84 4B020000 je ke.00406455
0040620A C706 01000000 mov dword ptr ds:[esi],1
00406210 8BD5 mov edx,ebp
00406212 8B85 33FEFFFF mov eax,dword ptr ss:[ebp-1CD]
00406218 2BD0 sub edx,eax
0040621A 8995 33FEFFFF mov dword ptr ss:[ebp-1CD],edx
00406220 0195 63FEFFFF add dword ptr ss:[ebp-19D],edx
00406226 8DB5 A7FEFFFF lea esi,dword ptr ss:[ebp-159]
0040622C 0116 add dword ptr ds:[esi],edx
0040622E 8B36 mov esi,dword ptr ds:[esi]
00406230 8BFD mov edi,ebp
00406232 60 pushad
00406233 6A 40 push 40
00406235 68 00100000 push 1000
0040623A 68 00100000 push 1000
0040623F 6A 00 push 0
00406241 FF95 CBFEFFFF call dword ptr ss:[ebp-135]
00406247 85C0 test eax,eax
00406249 0F84 56030000 je ke.004065A5
0040624F 8985 5BFEFFFF mov dword ptr ss:[ebp-1A5],eax
00406255 E8 00000000 call ke.0040625A
0040625A 5B pop ebx
0040625B B9 54030000 mov ecx,354
00406260 03D9 add ebx,ecx
00406262 50 push eax
00406263 53 push ebx
00406264 E8 9D020000 call ke.00406506
00406269 61 popad
0040626A 03BD 23FEFFFF add edi,dword ptr ss:[ebp-1DD]
00406270 8BDF mov ebx,edi
00406272 833F 00 cmp dword ptr ds:[edi],0
00406275 75 0A jnz short ke.00406281
00406277 83C7 04 add edi,4
0040627A B9 00000000 mov ecx,0
0040627F EB 16 jmp short ke.00406297
00406281 B9 01000000 mov ecx,1
00406286 033B add edi,dword ptr ds:[ebx]
00406288 83C3 04 add ebx,4
0040628B 833B 00 cmp dword ptr ds:[ebx],0
0040628E 74 36 je short ke.004062C6
00406290 0113 add dword ptr ds:[ebx],edx
00406292 8B33 mov esi,dword ptr ds:[ebx]
00406294 037B 04 add edi,dword ptr ds:[ebx+4]
00406297 57 push edi
00406298 51 push ecx
00406299 52 push edx
0040629A 53 push ebx
0040629B FFB5 CFFEFFFF push dword ptr ss:[ebp-131]
004062A1 FFB5 CBFEFFFF push dword ptr ss:[ebp-135]
004062A7 8BD6 mov edx,esi
004062A9 8BCF mov ecx,edi
004062AB 8B85 5BFEFFFF mov eax,dword ptr ss:[ebp-1A5]
004062B1 05 A9050000 add eax,5A9
004062B6 FFD0 call eax
004062B8 5B pop ebx
004062B9 5A pop edx
004062BA 59 pop ecx
004062BB 5F pop edi
004062BC 83F9 00 cmp ecx,0
004062BF 74 05 je short ke.004062C6
004062C1 83C3 08 add ebx,8
004062C4 ^ EB C5 jmp short ke.0040628B
004062C6 68 00800000 push 8000
004062CB 6A 00 push 0
004062CD FFB5 5BFEFFFF push dword ptr ss:[ebp-1A5]
004062D3 FF95 CFFEFFFF call dword ptr ss:[ebp-131]
004062D9 8DB5 63FEFFFF lea esi,dword ptr ss:[ebp-19D]
004062DF 8B4E 08 mov ecx,dword ptr ds:[esi+8]
004062E2 8D56 10 lea edx,dword ptr ds:[esi+10]
004062E5 8B36 mov esi,dword ptr ds:[esi]
004062E7 8BFE mov edi,esi
004062E9 83F9 00 cmp ecx,0
004062EC 74 3F je short ke.0040632D
004062EE 8A07 mov al,byte ptr ds:[edi]
004062F0 47 inc edi
004062F1 2C E8 sub al,0E8
004062F3 3C 01 cmp al,1
004062F5 ^ 77 F7 ja short ke.004062EE ; 向上跳...
004062F7 8B07 mov eax,dword ptr ds:[edi] ; F4到这里
004062F9 807A 01 00 cmp byte ptr ds:[edx+1],0
004062FD 74 14 je short ke.00406313
004062FF 8A1A mov bl,byte ptr ds:[edx]
00406301 381F cmp byte ptr ds:[edi],bl
00406303 ^ 75 E9 jnz short ke.004062EE
00406305 8A5F 04 mov bl,byte ptr ds:[edi+4]
00406308 66:C1E8 08 shr ax,8
0040630C C1C0 10 rol eax,10
0040630F 86C4 xchg ah,al
00406311 EB 0A jmp short ke.0040631D
00406313 8A5F 04 mov bl,byte ptr ds:[edi+4]
00406316 86C4 xchg ah,al
00406318 C1C0 10 rol eax,10
0040631B 86C4 xchg ah,al
0040631D 2BC7 sub eax,edi
0040631F 03C6 add eax,esi
00406321 8907 mov dword ptr ds:[edi],eax
00406323 83C7 05 add edi,5
00406326 80EB E8 sub bl,0E8
00406329 8BC3 mov eax,ebx
0040632B ^ E2 C6 loopd short ke.004062F3 ; 向上跳...
0040632D E8 2A010000 call ke.0040645C ; F4到这里
00406332 8D8D 77FEFFFF lea ecx,dword ptr ss:[ebp-189]
00406338 8B41 08 mov eax,dword ptr ds:[ecx+8]
0040633B 83F8 00 cmp eax,0
0040633E 0F84 81000000 je ke.004063C5
00406344 8BF2 mov esi,edx
00406346 2B71 10 sub esi,dword ptr ds:[ecx+10]
00406349 74 7A je short ke.004063C5
0040634B 8971 10 mov dword ptr ds:[ecx+10],esi
0040634E 8DB5 A7FEFFFF lea esi,dword ptr ss:[ebp-159]
00406354 8B36 mov esi,dword ptr ds:[esi]
00406356 8D5E FC lea ebx,dword ptr ds:[esi-4]
00406359 8B01 mov eax,dword ptr ds:[ecx]
0040635B 83F8 01 cmp eax,1
0040635E 74 0A je short ke.0040636A
00406360 8BFA mov edi,edx
00406362 0379 08 add edi,dword ptr ds:[ecx+8]
00406365 8B49 10 mov ecx,dword ptr ds:[ecx+10]
00406368 EB 08 jmp short ke.00406372
0040636A 8BFE mov edi,esi
0040636C 0379 08 add edi,dword ptr ds:[ecx+8]
0040636F 8B49 10 mov ecx,dword ptr ds:[ecx+10]
00406372 33C0 xor eax,eax
00406374 8A07 mov al,byte ptr ds:[edi]
00406376 47 inc edi
00406377 0BC0 or eax,eax
00406379 74 20 je short ke.0040639B
0040637B 3C EF cmp al,0EF
0040637D 77 06 ja short ke.00406385
0040637F 03D8 add ebx,eax
00406381 010B add dword ptr ds:[ebx],ecx
00406383 ^ EB ED jmp short ke.00406372
00406385 24 0F and al,0F
00406387 C1E0 10 shl eax,10
0040638A 66:8B07 mov ax,word ptr ds:[edi]
0040638D 83C7 02 add edi,2
00406390 0BC0 or eax,eax
00406392 ^ 75 EB jnz short ke.0040637F
00406394 8B07 mov eax,dword ptr ds:[edi]
00406396 83C7 04 add edi,4
00406399 ^ EB E4 jmp short ke.0040637F
0040639B 33DB xor ebx,ebx
0040639D 87FE xchg esi,edi
0040639F 8B06 mov eax,dword ptr ds:[esi]
004063A1 83F8 00 cmp eax,0
004063A4 74 1F je short ke.004063C5
004063A6 AD lods dword ptr ds:[esi]
004063A7 0BC0 or eax,eax
004063A9 74 08 je short ke.004063B3
004063AB 03D8 add ebx,eax
004063AD 66:010C1F add word ptr ds:[edi+ebx],cx
004063B1 ^ EB F3 jmp short ke.004063A6
004063B3 33DB xor ebx,ebx
004063B5 C1E9 10 shr ecx,10
004063B8 AD lods dword ptr ds:[esi]
004063B9 0BC0 or eax,eax
004063BB 74 08 je short ke.004063C5
004063BD 03D8 add ebx,eax
004063BF 66:010C1F add word ptr ds:[edi+ebx],cx
004063C3 ^ EB F3 jmp short ke.004063B8
004063C5 8DB5 33FEFFFF lea esi,dword ptr ss:[ebp-1CD]
004063CB 8B16 mov edx,dword ptr ds:[esi]
004063CD 8DB5 8FFEFFFF lea esi,dword ptr ss:[ebp-171]
004063D3 8B06 mov eax,dword ptr ds:[esi]
004063D5 83F8 01 cmp eax,1
004063D8 75 42 jnz short ke.0040641C
004063DA 0356 04 add edx,dword ptr ds:[esi+4]
004063DD 56 push esi
004063DE 52 push edx
004063DF 56 push esi
004063E0 6A 04 push 4
004063E2 68 00010000 push 100
004063E7 52 push edx
004063E8 FF95 C7FEFFFF call dword ptr ss:[ebp-139]
004063EE 5F pop edi
004063EF 5E pop esi
004063F0 83F8 01 cmp eax,1
004063F3 0F85 AC010000 jnz ke.004065A5
004063F9 83C6 08 add esi,8
004063FC B9 08000000 mov ecx,8
00406401 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
00406403 83EE 10 sub esi,10
00406406 83EF 08 sub edi,8
00406409 83C6 04 add esi,4
0040640C 56 push esi
0040640D FF76 FC push dword ptr ds:[esi-4]
00406410 68 00010000 push 100
00406415 57 push edi
00406416 FF95 C7FEFFFF call dword ptr ss:[ebp-139]
0040641C 8BDD mov ebx,ebp
0040641E 81EB 21000000 sub ebx,21
00406424 33C9 xor ecx,ecx
00406426 8A0B mov cl,byte ptr ds:[ebx]
00406428 83F9 00 cmp ecx,0
0040642B 74 28 je short ke.00406455
0040642D 43 inc ebx
0040642E 8DB5 33FEFFFF lea esi,dword ptr ss:[ebp-1CD]
00406434 8B16 mov edx,dword ptr ds:[esi]
00406436 56 push esi
00406437 51 push ecx
00406438 53 push ebx
00406439 52 push edx
0040643A 56 push esi
0040643B FF33 push dword ptr ds:[ebx]
0040643D FF73 04 push dword ptr ds:[ebx+4]
00406440 8B43 08 mov eax,dword ptr ds:[ebx+8]
00406443 03C2 add eax,edx
00406445 50 push eax
00406446 FF95 C7FEFFFF call dword ptr ss:[ebp-139]
0040644C 5A pop edx
0040644D 5B pop ebx
0040644E 59 pop ecx
0040644F 5E pop esi ; (Initial CPU selection)
00406450 83C3 0C add ebx,0C
00406453 ^ E2 E1 loopd short ke.00406436 ; 向上跳。
00406455 61 popad ; F4到这里
00406456 9D popfd ; 这里是ESP定律断下的地方.
00406457 - E9 A4ABFFFF jmp ke.00401000 ; 跳到OEP
脱壳测试:http://good.gd/1005428.htm
|
|
发表于 2011-2-24 20:29
