PECompact 2.x 脱壳图文
论坛网址 https://www.52hb.com/
1.最近学到恒老师的教程的脱壳篇,正好用这个图标工具来练一练。
壳:PECompact 2.x -> Jeremy Collake
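; --- PECompact 2.x packed entry point (OllyDbg dump) ---
; NOTE(review): the memory-operand brackets were stripped when this post was
; extracted ("push dword ptr fs:" etc.); the operands below are reconstructed
; from the opcode-byte column (64:FF35 00000000 -> fs:[0], 8908 -> [eax], ...).
; The trailing "; module.name" annotations are OllyDbg's register-content hints
; at snapshot time (e.g. "; ntdll.KiFastSystemCallRet" only means edx happened
; to hold that address); they say nothing about what the operand means.
; Analyse packed samples like this only inside an isolated VM.
00466227 >B8 AC965400 mov eax,专属卡图.005496AC ; author: this is what the EP looks like right after loading; eax = handler address pushed below
0046622C 50 push eax ; EXCEPTION_REGISTRATION.Handler = 005496AC (the packer's SEH handler)
0046622D 64:FF35 0000000>push dword ptr fs:[0] ; .Next = previous fs:[0]; author: F8 to here and apply the "ESP law" (hardware bp on [esp]; see the forum tutorial)
00466234 64:8925 0000000>mov dword ptr fs:[0],esp ; install the record: fs:[0] now points at the two dwords just pushed
0046623B 33C0 xor eax,eax
0046623D 8908 mov dword ptr ds:[eax],ecx ; eax == 0: deliberate write to address 0 -> access violation; control goes to the handler via ntdll's dispatcher (next listing)
; The bytes 50 45 43 6F 6D 70 61 63 74 32 00 that follow are the ASCII string
; "PECompact2\0", not code: execution never falls through the fault above, so
; OllyDbg's linear disassembly of them (and of the packer data after) is noise.
0046623F 50 push eax ; 'P'
00466240 45 inc ebp ; 'E'
00466241 43 inc ebx ; 'C'
00466242 6F outs dx,dword ptr es:[edi] ; 'o'
00466243 6D ins dword ptr es:[edi],dx ; 'p'
00466244 70 61 jo short 专属卡图.004662A7 ; 'a' 'c' ... wait: 70='p' 61='a'
00466246 637432 00 arpl word ptr ds:[edx+esi],si ; 'c' 't' '2' '\0'
0046624A F631 div byte ptr ds:[ecx] ; packer data from here on, still not code
0046624C 229F 1237A733 and bl,byte ptr ds:[edi+0x33A73712]
00466252^ 71 A6 jno short 专属卡图.004661FA
00466254 891A mov dword ptr ds:[edx],ebx
00466256 D6 salc
00466257 37 aaa
00466258 69DA 29A3D061 imul ebx,edx,0x61D0A329 ; ntdll.KiFastSystemCallRet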
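; --- First stop after the ESP-law breakpoint: inside ntdll ---
; Author: "then it breaks here; F8 step by step until you leave the CALL".
; NOTE(review): addresses in the 7C9xxxxx range belong to the specific XP-era
; ntdll build the author ran; they differ on every other build and under ASLR.
; The hardware breakpoint on [esp] presumably fired because the dispatcher read
; the registration record the packer just pushed (OllyDbg shows the handler
; address 005496AC in eax). The shape below is consistent with the handler
; loop of RtlDispatchException: validate handler, call it, inspect disposition.
; Brackets reconstructed from the opcode-byte column, as in the first listing.
7C94A573 3B45 F8 cmp eax,dword ptr ss:[ebp-0x8] ; eax = handler address, range-checked against two locals
7C94A576 72 09 jb short ntdll.7C94A581
7C94A578 3B45 F4 cmp eax,dword ptr ss:[ebp-0xC]
7C94A57B 0F82 FA050000 jb ntdll.7C94AB7B ; handler inside the forbidden range -> bail out
7C94A581 50 push eax ; 专属卡图.005496AC ; handler validity check, returns al
7C94A582 E8 67000000 call ntdll.7C94A5EE
7C94A587 84C0 test al,al
7C94A589 0F84 EC050000 je ntdll.7C94AB7B ; invalid handler -> bail out
7C94A58F F605 1AE4997C 8>test byte ptr ds:[0x7C99E41A],0x80 ; global flag byte; the far branch is skipped unless bit 7 is set
7C94A596 0F85 A75C0200 jnz ntdll.7C970243
7C94A59C FF73 04 push dword ptr ds:[ebx+0x4] ; 专属卡图.005496AC ; ebx = registration record; [ebx+4] = Handler
7C94A59F 8D45 EC lea eax,dword ptr ss:[ebp-0x14] ; dispatcher context (local)
7C94A5A2 50 push eax ; 专属卡图.005496AC
7C94A5A3 FF75 0C push dword ptr ss:[ebp+0xC] ; CONTEXT
7C94A5A6 53 push ebx ; registration frame
7C94A5A7 56 push esi ; exception record
7C94A5A8 E8 9A8CFDFF call ntdll.7C923247 ; invokes the packer's handler at 005496AC; F8 over it
7C94A5AD F605 1AE4997C 8>test byte ptr ds:[0x7C99E41A],0x80
7C94A5B4 8BF8 mov edi,eax ; 专属卡图.005496AC ; edi = handler's disposition
7C94A5B6 0F85 9D5C0200 jnz ntdll.7C970259
7C94A5BC 395D 08 cmp dword ptr ss:[ebp+0x8],ebx
7C94A5BF 0F84 A25C0200 je ntdll.7C970267
7C94A5C5 8BC7 mov eax,edi ; ntdll.7C930228
7C94A5C7 33C9 xor ecx,ecx
7C94A5C9 2BC1 sub eax,ecx ; disposition != 0 (continue execution) -> other dispositions handled at 7C94AB5A
7C94A5CB 0F85 89050000 jnz ntdll.7C94AB5A
7C94A5D1 F646 04 01 test byte ptr ds:[esi+0x4],0x1 ; record flags bit 0 (non-continuable) set -> cannot resume
7C94A5D5 0F85 D65C0200 jnz ntdll.7C9702B1
7C94A5DB C645 FF 01 mov byte ptr ss:[ebp-0x1],0x1 ; result = TRUE (handler asked to continue)
7C94A5DF 5F pop edi ; ntdll.7C930228
7C94A5E0 5B pop ebx ; ntdll.7C930228
7C94A5E1 8A45 FF mov al,byte ptr ss:[ebp-0x1] ; return value in al, tested by the caller (next listing)
7C94A5E4 5E pop esi ; ntdll.7C930228
7C94A5E5 C9 leave
7C94A5E6 C2 0800 retn 0x8 ; returns to 7C92E48A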
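; --- Still in ntdll after the first call returns ---
; Author: "out of the first call; keep stepping (F8) out, we are still in system space".
; NOTE(review): this is consistent with the tail of the user-mode exception
; dispatcher (confirm against symbols): al != 0 -> ZwContinue(context, 0)
; resumes at the CONTEXT the packer's handler rewrote, so that call never
; returns to 7C92E498 — execution reappears in the packer stub (next listing,
; 005496DF); al == 0 -> ZwRaiseException(record, context, 0), and if that
; returns a non-continuable exception is raised.
; Brackets reconstructed from the opcode-byte column.
7C92E48A 0AC0 or al,al ; al = result of the dispatch above
7C92E48C 74 0C je short ntdll.7C92E49A
7C92E48E 5B pop ebx ; 0012FCD4
7C92E48F 59 pop ecx ; 0012FCD4 ; ecx = CONTEXT
7C92E490 6A 00 push 0x0
7C92E492 51 push ecx
7C92E493 E8 C6EBFFFF call ntdll.ZwContinue ; does not return on success; F8 over it lands back in the packer
7C92E498 EB 0B jmp short ntdll.7C92E4A5
7C92E49A 5B pop ebx ; 0012FCD4 ; ebx = exception record
7C92E49B 59 pop ecx ; 0012FCD4 ; ecx = CONTEXT
7C92E49C 6A 00 push 0x0
7C92E49E 51 push ecx
7C92E49F 53 push ebx
7C92E4A0 E8 09F5FFFF call ntdll.ZwRaiseException ; unhandled: hand it back to the kernel
7C92E4A5 83C4 EC add esp,-0x14 ; build a 0x14-byte record on the stack (EXCEPTION_RECORD-shaped, presumably)
7C92E4A8 890424 mov dword ptr ss:[esp],eax ; +0: status from the failed call
7C92E4AB C74424 04 01000>mov dword ptr ss:[esp+0x4],0x1 ; +4: flags = 1 (non-continuable)
7C92E4B3 895C24 08 mov dword ptr ss:[esp+0x8],ebx ; +8: nested record
7C92E4B7 C74424 10 00000>mov dword ptr ss:[esp+0x10],0x0 ; +0x10: no parameters
7C92E4BF 54 push esp
7C92E4C0 E8 63000000 call ntdll.RtlRaiseException
7C92E4C5 C2 0800 retn 0x8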
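; --- Back in the packer stub (user space) ---
; Author: "we are out; look at the very bottom: 0054976D FFE0 jmp eax is
; suspicious, F8 single-step down to it".
; NOTE(review): brackets reconstructed from the opcode-byte column. ebx points
; at a packer parameter block (field offsets below are relative to it); edx =
; [ebx+0x18] is added to several fields, so they are stored relative to edx.
; The stub allocates a scratch buffer, calls into it, frees it and finally
; jumps to eax: the original entry point. Which imports the indirect calls
; resolve to is inferred from their argument shape — confirm when stepping.
005496DF 53 push ebx
005496E0 51 push ecx
005496E1 57 push edi ; ntdll.7C930228
005496E2 56 push esi
005496E3 52 push edx ; ntdll.KiFastSystemCallRet
005496E4 8D98 57120010 lea ebx,dword ptr ds:[eax+0x10001257] ; ebx = parameter block
005496EA 8B53 18 mov edx,dword ptr ds:[ebx+0x18] ; edx = relocation delta used below
005496ED 52 push edx ; ntdll.KiFastSystemCallRet
005496EE 8BE8 mov ebp,eax
005496F0 6A 40 push 0x40 ; args (0, [ebx+4], 0x1000, 0x40) are VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE)-shaped
005496F2 68 00100000 push 0x1000
005496F7 FF73 04 push dword ptr ds:[ebx+0x4] ; size
005496FA 6A 00 push 0x0
005496FC 8B4B 10 mov ecx,dword ptr ds:[ebx+0x10]
005496FF 03CA add ecx,edx ; ntdll.KiFastSystemCallRet
00549701 8B01 mov eax,dword ptr ds:[ecx] ; function pointer read from [[ebx+0x10]+edx]
00549703 FFD0 call eax
00549705 5A pop edx ; 0012FFB0
00549706 8BF8 mov edi,eax ; edi = scratch buffer (RWX if the call above is VirtualAlloc)
00549708 50 push eax
00549709 52 push edx ; ntdll.KiFastSystemCallRet
0054970A 8B33 mov esi,dword ptr ds:[ebx] ; esi = packed data (relocated by edx below)
0054970C 8B43 20 mov eax,dword ptr ds:[ebx+0x20] ; ntdll.RtlEnterCriticalSection
0054970F 03C2 add eax,edx ; ntdll.KiFastSystemCallRet
00549711 8B08 mov ecx,dword ptr ds:[eax]
00549713 894B 20 mov dword ptr ds:[ebx+0x20],ecx ; [ebx+0x20] = *([ebx+0x20]+edx)  (pointer fix-up)
00549716 8B43 1C mov eax,dword ptr ds:[ebx+0x1C] ; ntdll.7C9A0620
00549719 03C2 add eax,edx ; ntdll.KiFastSystemCallRet
0054971B 8B08 mov ecx,dword ptr ds:[eax]
0054971D 894B 1C mov dword ptr ds:[ebx+0x1C],ecx ; same fix-up for [ebx+0x1C]
00549720 03F2 add esi,edx ; ntdll.KiFastSystemCallRet
00549722 8B4B 0C mov ecx,dword ptr ds:[ebx+0xC]
00549725 03CA add ecx,edx ; ntdll.KiFastSystemCallRet
00549727 8D43 1C lea eax,dword ptr ds:[ebx+0x1C]
0054972A 50 push eax ; &[ebx+0x1C]
0054972B 57 push edi ; ntdll.7C930228 ; destination buffer
0054972C 56 push esi ; source
0054972D FFD1 call ecx ; (src, dst, params): the decompressor, presumably — step in only if you need its internals
0054972F 5A pop edx ; 0012FFB0
00549730 58 pop eax ; 0012FFB0 ; eax = buffer pointer pushed at 00549708
00549731 0343 08 add eax,dword ptr ds:[ebx+0x8] ; 专属卡图.00400000 ; OllyDbg shows the image base for this operand
00549734 8BF8 mov edi,eax
00549736 52 push edx ; ntdll.KiFastSystemCallRet
00549737 8BF0 mov esi,eax
00549739 8B46 FC mov eax,dword ptr ds:[esi-0x4]
0054973C 83C0 04 add eax,0x4
0054973F 2BF0 sub esi,eax ; esi = header preceding the code just produced
00549741 8956 08 mov dword ptr ds:[esi+0x8],edx ; ntdll.KiFastSystemCallRet
00549744 8B4B 0C mov ecx,dword ptr ds:[ebx+0xC]
00549747 894E 14 mov dword ptr ds:[esi+0x14],ecx
0054974A FFD7 call edi ; ntdll.7C930228 ; executes the freshly written code (second-stage loader, presumably); F8 over it
0054974C 5A pop edx ; 0012FFB0
0054974D 33C9 xor ecx,ecx
0054974F 66:3B4E 2A cmp cx,word ptr ds:[esi+0x2A] ; keep the buffer unless the 16-bit field at [esi+0x2A] is zero
00549753 75 12 jnz short 专属卡图.00549767
00549755 8BF0 mov esi,eax ; preserve the loader's return value (becomes eax at the jmp)
00549757 68 00800000 push 0x8000 ; args (edi, 0, 0x8000) are VirtualFree(buffer, 0, MEM_RELEASE)-shaped
0054975C 51 push ecx
0054975D 8B4B 14 mov ecx,dword ptr ds:[ebx+0x14]
00549760 03CA add ecx,edx ; ntdll.KiFastSystemCallRet
00549762 57 push edi ; ntdll.7C930228
00549763 FF11 call dword ptr ds:[ecx]
00549765 8BC6 mov eax,esi
00549767 5A pop edx ; 0012FFB0
00549768 5E pop esi ; 0012FFB0
00549769 5F pop edi ; 0012FFB0
0054976A 59 pop ecx ; 0012FFB0
0054976B 5B pop ebx ; 0012FFB0
0054976C 5D pop ebp ; 0012FFB0
0054976D- FFE0 jmp eax ; eax = OEP (00466227, next listing); break here, step once, then dump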
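; --- OEP reached (00466227) ---
; Author: "arrived at the OEP". NOTE(review): the prologue below (push ebp /
; push -1 / push SE handler / mov fs:[0] / GetVersion split into four globals)
; is the shape of a Visual C++ CRT entry point, which is a good sign that this
; really is the OEP. Dump the process here, before executing anything else, and
; rebuild the import table; the module appears to load at 00400000 (OllyDbg
; prefixes that address with the module name at 00549731), so OEP RVA = 0x66227.
; Brackets reconstructed from the opcode-byte column.
00466227 >/$55 push ebp
00466228|.8BEC mov ebp,esp
0046622A|.6A FF push -0x1
0046622C|.68 58CF4C00 push 专属卡图.004CCF58
00466231|.68 ACAE4600 push 专属卡图.0046AEAC ; SE handler installation
00466236|.64:A1 0000000>mov eax,dword ptr fs:[0]
0046623C|.50 push eax ;专属卡图.<ModuleEntryPoint>
0046623D|.64:8925 00000>mov dword ptr fs:[0],esp
00466244|.83EC 58 sub esp,0x58
00466247|.53 push ebx
00466248|.56 push esi
00466249|.57 push edi ;ntdll.7C930228
0046624A|.8965 E8 mov dword ptr ss:[ebp-0x18],esp ; OllyDbg's analysed form was "mov [local.6],esp"
0046624D|.FF15 6C634800 call dword ptr ds:[0x48636C] ;kernel32.GetVersion ; IAT slot — this is the kind of entry the import fix must rebuild
00466253|.33D2 xor edx,edx ;ntdll.KiFastSystemCallRet
00466255|.8AD4 mov dl,ah ; minor version
00466257|.8915 30D34F00 mov dword ptr ds:[0x4FD330],edx ;ntdll.KiFastSystemCallRet
0046625D|.8BC8 mov ecx,eax ;专属卡图.<ModuleEntryPoint>
0046625F|.81E1 FF000000 and ecx,0xFF ; major version
00466265|.890D 2CD34F00 mov dword ptr ds:[0x4FD32C],ecx
0046626B|.C1E1 08 shl ecx,0x8
0046626E|.03CA add ecx,edx ;ntdll.KiFastSystemCallRet
00466270|.890D 28D34F00 mov dword ptr ds:[0x4FD328],ecx ; (major << 8) | minor
00466276|.C1E8 10 shr eax,0x10 ; build number
00466279|.A3 24D34F00 mov dword ptr ds:[0x4FD324],eax ;专属卡图.<ModuleEntryPoint>
0046627E|.6A 01 push 0x1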
PS:到达 OEP(00466227,镜像基址 00400000,即 RVA 0x66227)后,先在 jmp eax 落地处转储进程,再修复导入表;具体修复步骤很简单,论坛都有教程。
很赞,主题给你稍微格式化了一下,图片的插入位置还需要自己调整。 Shark恒 发表于 2018-5-17 21:46
很赞,主题给你稍微格式化了一下,图片的插入位置还需要自己调整。
刚才居然发现,我不会插图片发帖{:5_118:} 学习了