
Detailed UASPR unpacking walkthrough

Date: 2005-12-20
The usual routine:
1. First, use FI to check what packer was applied to the file.
2. Find the entry point. Lao Fei has already explained this, so it is skipped here.
3. Load the program in OllyDbg and you arrive here:
00401000 >/$ 68 01D04000 PUSH PACK.0040D001
00401005 |. E8 01000000 CALL PACK.0040100B
0040100A \. C3 RETN
0040100B $ C3 RETN
0040100C 89 DB 89
0040100D E8 DB E8
0040100E D4 DB D4
0040100F 4A DB 4A ; CHAR 'J'
00401010 39 DB 39 ; CHAR '9'
00401011 . 01E2 ADD EDX,ESP
00401013 . 3D BC665ECB CMP EAX,CB5E66BC
00401018 . D038 SAR BYTE PTR DS:[EAX],1
0040101A . C2 5AC1 RETN 0C15A
0040101D 03 DB 03
0040101E 16 DB 16
0040101F 4B DB 4B ; CHAR 'K'
00401020 FA DB FA
00401021 C8 DB C8
00401022 25 DB 25 ; CHAR '%'
00401023 96 DB 96
00401024 BC DB BC
00401025 03 DB 03
00401026 13 DB 13
00401027 7A DB 7A ; CHAR 'z'
00401028 . 02E2 ADD AH,DL
0040102A . C3 RETN
0040102B 4F DB 4F ; CHAR 'O'
0040102C 0E DB 0E
0040102D 1F DB 1F
0040102E E9 DB E9
0040102F 3A DB 3A ; CHAR ':'
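The four instructions at the top of the listing above are not a normal prologue: the PUSH plants 0040D001 as a fake return address, the CALL lands on a RETN that bounces back to the second RETN, and that one "returns" to the planted address, so the stub is an obfuscated jump into the packer's code. As an added illustration (this script is not part of the tutorial), the following Python parses those listing lines and follows the PUSH/CALL/RETN chain with a shadow stack to recover the real destination. The sample text is constructed from the lines above, and the parser deliberately models only those three mnemonics.

```python
import re

# Constructed sample: the four-instruction entry stub from the OllyDbg listing above.
STUB_LISTING = """\
00401000 >/$ 68 01D04000 PUSH PACK.0040D001
00401005 |. E8 01000000 CALL PACK.0040100B
0040100A \\. C3 RETN
0040100B $ C3 RETN
"""

# Address, then (past OllyDbg's flow markers and opcode bytes) one of the three
# mnemonics we model, optionally followed by an operand such as PACK.0040D001.
LINE_RE = re.compile(r"^([0-9A-F]{8}).*?\b(PUSH|CALL|RETN)\b(?:\s+(?:\w+\.)?([0-9A-F]{8}))?")


def parse_listing(text):
    """Map address -> (mnemonic, operand address or None) for the modelled lines."""
    insns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns[int(m.group(1), 16)] = (m.group(2), int(m.group(3), 16) if m.group(3) else None)
    return insns


def resolve_stub(insns, start, max_steps=32):
    """Follow PUSH/CALL/RETN from `start` with a shadow stack; return (destination,
    trace): the first address outside the listing and the addresses executed to get there."""
    addrs = sorted(insns)
    stack, trace, eip = [], [], start
    for _ in range(max_steps):
        if eip not in insns:
            return eip, trace
        trace.append(eip)
        mnem, operand = insns[eip]
        idx = addrs.index(eip)
        fallthrough = addrs[idx + 1] if idx + 1 < len(addrs) else None
        if mnem == "PUSH":
            if operand is None:
                raise ValueError(f"PUSH of a non-address operand at {eip:08X}")
            stack.append(operand)
            eip = fallthrough
        elif mnem == "CALL":
            stack.append(fallthrough)  # return address = the next instruction
            eip = operand
        else:  # RETN pops a return address, which an earlier PUSH may have forged
            if not stack:
                raise ValueError(f"RETN with empty shadow stack at {eip:08X}")
            eip = stack.pop()
    raise ValueError("stub did not leave the listing within max_steps")
```

Running `resolve_stub(parse_listing(STUB_LISTING), 0x00401000)` yields destination 0040D001 with the trace 00401000, 00401005, 0040100B, 0040100A, which is exactly the path the debugger takes before the packer's own code starts.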

Press F9 to run, handle the prompts as they appear, and press Shift+F9 25 times to arrive here:
00692CD1 3100 XOR DWORD PTR DS:[EAX],EAX
00692CD3 64:8F05 00000000 POP DWORD PTR FS:[0]
00692CDA 58 POP EAX
00692CDB 833D 7C6D6900 00 CMP DWORD PTR DS:[696D7C],0
00692CE2 74 14 JE SHORT 00692CF8
00692CE4 6A 0C PUSH 0C
00692CE6 B9 7C6D6900 MOV ECX,696D7C
00692CEB 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00692CEE BA 04000000 MOV EDX,4
00692CF3 E8 54E1FFFF CALL 00690E4C
00692CF8 FF75 FC PUSH DWORD PTR SS:[EBP-4]
00692CFB FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00692CFE 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00692D01 8338 00 CMP DWORD PTR DS:[EAX],0
00692D04 74 02 JE SHORT 00692D08
00692D06 FF30 PUSH DWORD PTR DS:[EAX]
00692D08 FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00692D0B FF75 EC PUSH DWORD PTR SS:[EBP-14]
00692D0E C3 RETN /// key breakpoint, set with F2
00692D0F 5F POP EDI
00692D10 5E POP ESI
00692D11 5B POP EBX
00692D12 8BE5 MOV ESP,EBP
00692D14 5D POP EBP
00692D15 C3 RETN
00692D16 8BC0 MOV EAX,EAX
00692D18 B8 5C6D6900 MOV EAX,696D5C
00692D1D BA 0A000000 MOV EDX,0A
00692D22 E8 C5DFFFFF CALL 00690CEC
00692D27 E8 24FEFFFF CALL 00692B50
00692D2C C3 RETN
Press Shift+F9 to reach the breakpoint at 00692D0E.
In Plugins, choose Command Line, enter BP 00401000 and press Enter, close the dialog, then press F9 to reach the entry point:
00401000 >/$ 6A 00 PUSH 0
00401002 |? E8 41170000 CALL PACK.00402748
00401007 |? A3 23404000 MOV DWORD PTR DS:[404023],EAX
0040100C E8 DB E8
0040100D 31 DB 31 ; CHAR '1'
0040100E 17 DB 17
0040100F 00 DB 00
00401010 00 DB 00
00401011 . A3 1B404000 MOV DWORD PTR DS:[40401B],EAX
00401016 ? 6A 0A PUSH 0A
00401018 . FF35 1B404000 PUSH DWORD PTR DS:[40401B]
0040101E 6A DB 6A ; CHAR 'j'
0040101F 00 DB 00
00401020 FF DB FF
00401021 35 DB 35 ; CHAR '5'
00401022 23 DB 23 ; CHAR '#'
00401023 40 DB 40 ; CHAR '@'
00401024 40 DB 40 ; CHAR '@'
00401025 00 DB 00
00401026 E8 DB E8
00401027 06 DB 06
00401028 . 0000 ADD BYTE PTR DS:[EAX],AL
0040102A . 0050 E8 ADD BYTE PTR DS:[EAX-18],DL
0040102D 0B DB 0B
0040102E 17 DB 17
0040102F 00 DB 00

From Plugins, choose the dump plugin and dump the file as UNPACKED.
Close OllyDbg.
Next, fix the import table:
Run PACK.EXE.
Start ImportREC.
Select the PACK process.
Use auto search for the IAT; OK.
Then click Get Imports.
You will see two entries marked NO.
Click Show Invalid. This part is too hard to write up, so watch the video instead. After fixing the imports, the program runs OK. Done.