Manually unpacking ASPack 2.001
Unpacking target: FreeRes0.94.exe
Packer type: ASPack 2.001 -> Alexey Solodovnikov
Unpacking tool: flyodbg-d
Author: xbb
Download: www.pediy.com
Procedure:
0051F001 60 pushad <- marker
0051F002 E8 72050000 call freeRes0.0051F579 <- F8
0051F007 EB 4C jmp short freeRes0.0051F055 <- F8, it jumps
0051F055 BB 7C294400 mov ebx, freeRes0.0044297C <- 51F007 jumps here
0051F05A 03DD add ebx, ebp
0051F05C 2B9D AD294400 sub ebx, dword ptr ss:[ebp+4429AD]
0051F062 83BD E0374400 00 cmp dword ptr ss:[ebp+4437E0], 0
0051F069 899D E0374400 mov dword ptr ss:[ebp+4437E0], ebx
0051F06F 0F85 68040000 jnz freeRes0.0051F4DD
0051F075 8D85 E8374400 lea eax, dword ptr ss:[ebp+4437E8]
0051F07B 50 push eax
0051F07C FF95 F4384400 call dword ptr ss:[ebp+4438F4] <- F8
0051F082 8985 E4374400 mov dword ptr ss:[ebp+4437E4], eax
0051F088 8BF8 mov edi, eax
0051F08A 8D9D F5374400 lea ebx, dword ptr ss:[ebp+4437F5]
0051F090 53 push ebx
0051F091 50 push eax
0051F092 FF95 F0384400 call dword ptr ss:[ebp+4438F0] <- F8 GetProcAddress
0051F098 8985 B9294400 mov dword ptr ss:[ebp+4429B9], eax
0051F09E 8D9D 02384400 lea ebx, dword ptr ss:[ebp+443802]
0051F0A4 53 push ebx
0051F0A5 57 push edi
0051F0A6 FF95 F0384400 call dword ptr ss:[ebp+4438F0] <- F8
0051F0AC 8985 BD294400 mov dword ptr ss:[ebp+4429BD], eax
0051F0B2 8D85 4A2B4400 lea eax, dword ptr ss:[ebp+442B4A]
0051F0B8 FFE0 jmp eax <- jumps
0051F1CE 8B9D 422A4400 mov ebx, dword ptr ss:[ebp+442A42] <- 51F0B8 jumps here
0051F1D4 0BDB or ebx, ebx
0051F1D6 74 0A je short freeRes0.0051F1E2 <- jumps
0051F1D8 8B03 mov eax, dword ptr ds:[ebx]
0051F1DA 8785 462A4400 xchg dword ptr ss:[ebp+442A46], eax
0051F1E0 8903 mov dword ptr ds:[ebx], eax
0051F1E2 8DB5 5A2A4400 lea esi, dword ptr ss:[ebp+442A5A] <- 51F1D6 jumps here
0051F1E8 833E 00 cmp dword ptr ds:[esi], 0
0051F1EB 0F84 1F010000 je freeRes0.0051F310
0051F1F1 8DB5 5A2A4400 lea esi, dword ptr ss:[ebp+442A5A]
0051F1F7 6A 04 push 4
0051F1F9 68 00100000 push 1000
0051F1FE 68 00180000 push 1800
0051F203 6A 00 push 0
0051F205 FF95 B9294400 call dword ptr ss:[ebp+4429B9]
0051F20B 8985 B5294400 mov dword ptr ss:[ebp+4429B5], eax
0051F211 8B46 04 mov eax, dword ptr ds:[esi+4]
0051F214 05 0E010000 add eax, 10E
0051F219 6A 04 push 4
0051F21B 68 00100000 push 1000
0051F220 50 push eax
0051F221 6A 00 push 0
0051F223 FF95 B9294400 call dword ptr ss:[ebp+4429B9] <- VirtualAlloc
0051F229 8985 B1294400 mov dword ptr ss:[ebp+4429B1], eax
0051F22F 56 push esi
0051F230 8B1E mov ebx, dword ptr ds:[esi]
0051F232 039D E0374400 add ebx, dword ptr ss:[ebp+4437E0]
0051F238 FFB5 B5294400 push dword ptr ss:[ebp+4429B5]
0051F23E FF76 04 push dword ptr ds:[esi+4]
0051F241 50 push eax
0051F242 53 push ebx
0051F243 E8 3B030000 call freeRes0.0051F583
0051F248 80BD AC294400 00 cmp byte ptr ss:[ebp+4429AC], 0
0051F24F 75 5E jnz short freeRes0.0051F2AF
0051F251 FE85 AC294400 inc byte ptr ss:[ebp+4429AC]
0051F257 8B3E mov edi, dword ptr ds:[esi]
0051F259 03BD E0374400 add edi, dword ptr ss:[ebp+4437E0]
0051F25F FF37 push dword ptr ds:[edi]
0051F261 C607 C3 mov byte ptr ds:[edi], 0C3
0051F264 FFD7 call edi <- 401000
0051F266 8F07 pop dword ptr ds:[edi]
0051F268 50 push eax
0051F269 51 push ecx
0051F26A 56 push esi
0051F26B 53 push ebx
0051F26C 8BC8 mov ecx, eax
0051F26E 83E9 06 sub ecx, 6
0051F271 8BB5 B1294400 mov esi, dword ptr ss:[ebp+4429B1]
0051F277 33DB xor ebx, ebx
0051F279 0BC9 or ecx, ecx
0051F27B 74 2E je short freeRes0.0051F2AB
0051F27D 78 2C js short freeRes0.0051F2AB
0051F27F AC lods byte ptr ds:[esi]
0051F280 3C E8 cmp al, 0E8
0051F282 74 0A je short freeRes0.0051F28E
0051F284 EB 00 jmp short freeRes0.0051F286
0051F286 3C E9 cmp al, 0E9
0051F288 74 04 je short freeRes0.0051F28E
0051F28A 43 inc ebx
0051F28B 49 dec ecx
0051F28C ^ EB EB jmp short freeRes0.0051F279 <- starts jumping back
0051F28E 8B06 mov eax, dword ptr ds:[esi] <- F4
0051F290 EB 00 jmp short freeRes0.0051F292
0051F292 803E 16 cmp byte ptr ds:[esi], 16
0051F295 ^ 75 F3 jnz short freeRes0.0051F28A
0051F297 24 00 and al, 0
0051F299 C1C0 18 rol eax, 18
0051F29C 2BC3 sub eax, ebx
0051F29E 8906 mov dword ptr ds:[esi], eax
0051F2A0 83C3 05 add ebx, 5
0051F2A3 83C6 04 add esi, 4
0051F2A6 83E9 05 sub ecx, 5
0051F2A9 ^ EB CE jmp short freeRes0.0051F279 <- jumps back
0051F2AB 5B pop ebx <- F4
0051F2AC 5E pop esi
0051F2AD 59 pop ecx
0051F2AE 58 pop eax
0051F2AF 8BC8 mov ecx, eax
0051F2B1 8B3E mov edi, dword ptr ds:[esi]
0051F2B3 03BD E0374400 add edi, dword ptr ss:[ebp+4437E0]
0051F2B9 8BB5 B1294400 mov esi, dword ptr ss:[ebp+4429B1]
0051F2BF C1F9 02 sar ecx, 2
0051F2C2 F3:A5 rep movs dword ptr es:[edi], dword ptr ds:[esi]
0051F2C4 8BC8 mov ecx, eax
0051F2C6 83E1 03 and ecx, 3
0051F2C9 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi]
0051F2CB 5E pop esi
0051F2CC 68 00800000 push 8000
0051F2D1 6A 00 push 0
0051F2D3 FFB5 B1294400 push dword ptr ss:[ebp+4429B1]
0051F2D9 FF95 BD294400 call dword ptr ss:[ebp+4429BD] <- VirtualFree
0051F2DF 83C6 08 add esi, 8
0051F2E2 833E 00 cmp dword ptr ds:[esi], 0
0051F2E5 ^ 0F85 26FFFFFF jnz freeRes0.0051F211 <- jumps back
0051F2EB 68 00800000 push 8000 <- F4
0051F2F0 6A 00 push 0
0051F2F2 FFB5 B5294400 push dword ptr ss:[ebp+4429B5]
0051F2F8 FF95 BD294400 call dword ptr ss:[ebp+4429BD]
0051F2FE 8B9D 422A4400 mov ebx, dword ptr ss:[ebp+442A42]
0051F304 0BDB or ebx, ebx
0051F306 74 08 je short freeRes0.0051F310 <- jumps forward
0051F308 8B03 mov eax, dword ptr ds:[ebx]
0051F30A 8785 462A4400 xchg dword ptr ss:[ebp+442A46], eax
0051F310 8B95 E0374400 mov edx, dword ptr ss:[ebp+4437E0] <- 51F306 jumps here
0051F316 8B85 3A2A4400 mov eax, dword ptr ss:[ebp+442A3A]
0051F31C 2BD0 sub edx, eax
0051F31E 74 79 je short freeRes0.0051F399 <- jumps forward
0051F320 8BC2 mov eax, edx
0051F322 C1E8 10 shr eax, 10
0051F325 33DB xor ebx, ebx
0051F327 8BB5 4A2A4400 mov esi, dword ptr ss:[ebp+442A4A]
0051F32D 03B5 E0374400 add esi, dword ptr ss:[ebp+4437E0]
0051F333 833E 00 cmp dword ptr ds:[esi], 0
0051F336 74 61 je short freeRes0.0051F399
0051F338 8B4E 04 mov ecx, dword ptr ds:[esi+4]
0051F33B 83E9 08 sub ecx, 8
0051F33E D1E9 shr ecx, 1
0051F340 8B3E mov edi, dword ptr ds:[esi]
0051F342 03BD E0374400 add edi, dword ptr ss:[ebp+4437E0]
0051F348 83C6 08 add esi, 8
0051F34B 66:8B1E mov bx, word ptr ds:[esi]
0051F34E C1EB 0C shr ebx, 0C
0051F351 83FB 01 cmp ebx, 1
0051F354 74 0C je short freeRes0.0051F362
0051F356 83FB 02 cmp ebx, 2
0051F359 74 16 je short freeRes0.0051F371
0051F35B 83FB 03 cmp ebx, 3
0051F35E 74 20 je short freeRes0.0051F380
0051F360 EB 2C jmp short freeRes0.0051F38E
0051F362 66:8B1E mov bx, word ptr ds:[esi]
0051F365 81E3 FF0F0000 and ebx, 0FFF
0051F36B 66:01041F add word ptr ds:[edi+ebx], ax
0051F36F EB 1D jmp short freeRes0.0051F38E
0051F371 66:8B1E mov bx, word ptr ds:[esi]
0051F374 81E3 FF0F0000 and ebx, 0FFF
0051F37A 66:01141F add word ptr ds:[edi+ebx], dx
0051F37E EB 0E jmp short freeRes0.0051F38E
0051F380 66:8B1E mov bx, word ptr ds:[esi]
0051F383 81E3 FF0F0000 and ebx, 0FFF
0051F389 01141F add dword ptr ds:[edi+ebx], edx
0051F38C EB 00 jmp short freeRes0.0051F38E
0051F38E 66:830E FF or word ptr ds:[esi], 0FFFF
0051F392 83C6 02 add esi, 2
0051F395 ^ E2 B4 loopd short freeRes0.0051F34B
0051F397 ^ EB 9A jmp short freeRes0.0051F333
0051F399 8B95 E0374400 mov edx, dword ptr ss:[ebp+4437E0] <- 51F31E jumps here
0051F39F 8BB5 85294400 mov esi, dword ptr ss:[ebp+442985]
0051F3A5 0BF6 or esi, esi
0051F3A7 74 11 je short freeRes0.0051F3BA <- jumps forward
0051F3A9 03F2 add esi, edx
0051F3AB AD lods dword ptr ds:[esi]
0051F3AC 0BC0 or eax, eax
0051F3AE 74 0A je short freeRes0.0051F3BA
0051F3B0 03C2 add eax, edx
0051F3B2 8BF8 mov edi, eax
0051F3B4 66:AD lods word ptr ds:[esi]
0051F3B6 66:AB stos word ptr es:[edi]
0051F3B8 ^ EB F1 jmp short freeRes0.0051F3AB
0051F3BA 8BB5 3E2A4400 mov esi, dword ptr ss:[ebp+442A3E] <- 51F3A7 jumps here
0051F3C0 8B95 E0374400 mov edx, dword ptr ss:[ebp+4437E0]
0051F3C6 03F2 add esi, edx
0051F3C8 8B46 0C mov eax, dword ptr ds:[esi+C]
0051F3CB 85C0 test eax, eax
0051F3CD 0F84 0A010000 je freeRes0.0051F4DD
0051F3D3 03C2 add eax, edx
0051F3D5 8BD8 mov ebx, eax
0051F3D7 50 push eax
0051F3D8 FF95 F4384400 call dword ptr ss:[ebp+4438F4] <- GetModuleHandleA
0051F3DE 85C0 test eax, eax
0051F3E0 75 07 jnz short freeRes0.0051F3E9 <- jumps forward
0051F3E2 53 push ebx
0051F3E3 FF95 F8384400 call dword ptr ss:[ebp+4438F8]
0051F3E9 8985 89294400 mov dword ptr ss:[ebp+442989], eax
0051F3EF C785 8D294400 00000000 mov dword ptr ss:[ebp+44298D], 0
0051F3F9 8B95 E0374400 mov edx, dword ptr ss:[ebp+4437E0] <- 51F3E0 jumps here
0051F3FF 8B06 mov eax, dword ptr ds:[esi]
0051F401 85C0 test eax, eax
0051F403 75 03 jnz short freeRes0.0051F408
0051F405 8B46 10 mov eax, dword ptr ds:[esi+10]
0051F408 03C2 add eax, edx
0051F40A 0385 8D294400 add eax, dword ptr ss:[ebp+44298D]
0051F410 8B18 mov ebx, dword ptr ds:[eax]
0051F412 8B7E 10 mov edi, dword ptr ds:[esi+10]
0051F415 03FA add edi, edx
0051F417 03BD 8D294400 add edi, dword ptr ss:[ebp+44298D]
0051F41D 85DB test ebx, ebx
0051F41F 0F84 A2000000 je freeRes0.0051F4C7
0051F425 F7C3 00000080 test ebx, 80000000
0051F42B 75 04 jnz short freeRes0.0051F431
0051F42D 03DA add ebx, edx
0051F42F 43 inc ebx
0051F430 43 inc ebx
0051F431 53 push ebx
0051F432 81E3 FFFFFF7F and ebx, 7FFFFFFF
0051F438 53 push ebx
0051F439 FFB5 89294400 push dword ptr ss:[ebp+442989]
0051F43F FF95 F0384400 call dword ptr ss:[ebp+4438F0]
0051F445 85C0 test eax, eax
0051F447 5B pop ebx
0051F448 75 6F jnz short freeRes0.0051F4B9 <- jumps forward
0051F44A F7C3 00000080 test ebx, 80000000
0051F450 75 19 jnz short freeRes0.0051F46B
0051F452 57 push edi
0051F453 8B46 0C mov eax, dword ptr ds:[esi+C]
0051F456 0385 E0374400 add eax, dword ptr ss:[ebp+4437E0]
0051F45C 50 push eax
0051F45D 53 push ebx
0051F45E 8D85 5B384400 lea eax, dword ptr ss:[ebp+44385B]
0051F464 50 push eax
0051F465 57 push edi
0051F466 E9 99000000 jmp freeRes0.0051F504
0051F46B 81E3 FFFFFF7F and ebx, 7FFFFFFF
0051F471 8B85 E4374400 mov eax, dword ptr ss:[ebp+4437E4]
0051F477 3985 89294400 cmp dword ptr ss:[ebp+442989], eax
0051F47D 75 24 jnz short freeRes0.0051F4A3
0051F47F 57 push edi
0051F480 8BD3 mov edx, ebx
0051F482 4A dec edx
0051F483 C1E2 02 shl edx, 2
0051F486 8B9D 89294400 mov ebx, dword ptr ss:[ebp+442989]
0051F48C 8B7B 3C mov edi, dword ptr ds:[ebx+3C]
0051F48F 8B7C3B 78 mov edi, dword ptr ds:[ebx+edi+78]
0051F493 035C3B 1C add ebx, dword ptr ds:[ebx+edi+1C]
0051F497 8B0413 mov eax, dword ptr ds:[ebx+edx]
0051F49A 0385 89294400 add eax, dword ptr ss:[ebp+442989]
0051F4A0 5F pop edi
0051F4A1 EB 16 jmp short freeRes0.0051F4B9
0051F4A3 57 push edi
0051F4A4 8B46 0C mov eax, dword ptr ds:[esi+C]
0051F4A7 0385 E0374400 add eax, dword ptr ss:[ebp+4437E0]
0051F4AD 50 push eax
0051F4AE 53 push ebx
0051F4AF 8D85 AC384400 lea eax, dword ptr ss:[ebp+4438AC]
0051F4B5 50 push eax
0051F4B6 57 push edi
0051F4B7 EB 4B jmp short freeRes0.0051F504
0051F4B9 8907 mov dword ptr ds:[edi], eax <- 51F448 jumps here
0051F4BB 8385 8D294400 04 add dword ptr ss:[ebp+44298D], 4
0051F4C2 ^ E9 32FFFFFF jmp freeRes0.0051F3F9 <- jumps back
0051F4C7 8906 mov dword ptr ds:[esi], eax <- F4
0051F4C9 8946 0C mov dword ptr ds:[esi+C], eax
0051F4CC 8946 10 mov dword ptr ds:[esi+10], eax
0051F4CF 83C6 14 add esi, 14
0051F4D2 8B95 E0374400 mov edx, dword ptr ss:[ebp+4437E0]
0051F4D8 ^ E9 EBFEFFFF jmp freeRes0.0051F3C8 <- jumps back
0051F4DD 8B85 4E2A4400 mov eax, dword ptr ss:[ebp+442A4E] <- F4
0051F4E3 50 push eax
0051F4E4 0385 E0374400 add eax, dword ptr ss:[ebp+4437E0]
0051F4EA 59 pop ecx
0051F4EB 0BC9 or ecx, ecx
0051F4ED 8985 7B2E4400 mov dword ptr ss:[ebp+442E7B], eax
0051F4F3 61 popad <- pairs with the marker pushad
0051F4F4 75 08 jnz short freeRes0.0051F4FE <- jumps
0051F4F6 B8 01000000 mov eax, 1
0051F4FB C2 0C00 retn 0C
0051F4FE 68 F0E04C00 push freeRes0.004CE0F0 <- entry point = 4CE0F0 - 400000 = CE0F0
0051F503 C3 retn <- the light of hope
004CE0F0 55 push ebp <- the cursor stops on this line; we dump with the plugin
004CE0F1 8BEC mov ebp, esp
004CE0F3 83C4 F4 add esp, -0C
004CE0F6 53 push ebx
004CE0F7 B8 B8DE4C00 mov eax, freeRes0.004CDEB8
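The loop the trace marks as "starts jumping back" (0051F279 to 0051F2A9) is ASPack's E8/E9 call-and-jump fix-up, run over each section right after decompression. The Python below is an added re-implementation for study, not code from the post or from ASPack; the function names are my own and the input buffer is constructed, so the rewrite can be checked outside the debugger:

```python
# Added example (not from the original post): the E8/E9 fix-up loop at
# 0051F279-0051F2A9 in the trace above, mirrored instruction by instruction.

def rol32(value, count):
    """32-bit rotate left, what ROL EAX, 18 does (0x18 = 24 bits)."""
    value &= 0xFFFFFFFF
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF

def aspack_unfilter_e8e9(section):
    """Walk the decompressed section as the stub does and rewrite every
    E8/E9 whose operand starts with the 0x16 marker; returns the new bytes."""
    buf = bytearray(section)
    ecx = len(buf) - 6                 # sub ecx, 6: the last 6 bytes are never examined
    esi = 0                            # esi: read cursor
    ebx = 0                            # ebx: offset of the current opcode byte
    while ecx > 0:                     # or ecx,ecx / je / js
        al = buf[esi]                  # lods byte ptr [esi]
        esi += 1
        if al in (0xE8, 0xE9) and buf[esi] == 0x16:   # cmp al,E8 / cmp al,E9 / cmp byte [esi],16
            eax = int.from_bytes(buf[esi:esi + 4], "little")  # mov eax, [esi]
            eax &= 0xFFFFFF00          # and al, 0: discard the marker byte
            eax = rol32(eax, 24)       # rol eax, 18
            eax = (eax - ebx) & 0xFFFFFFFF                    # sub eax, ebx
            buf[esi:esi + 4] = eax.to_bytes(4, "little")      # mov [esi], eax
            ebx += 5                   # add ebx, 5 / add esi, 4 / sub ecx, 5
            esi += 4
            ecx -= 5
        else:                          # inc ebx / dec ecx
            ebx += 1
            ecx -= 1
    return bytes(buf)

# Constructed sample: two marked E8s, one unmarked E9, six trailing bytes.
FILTERED_SAMPLE = bytes([
    0x90, 0x90,
    0xE8, 0x16, 0x0A, 0x00, 0x00,      # marked: 0x0A00 -> rol -> 0xA, minus ebx=2 -> 8
    0xE9, 0x00, 0x00, 0x00, 0x00,      # no marker: counted byte by byte, left alone
    0xE8, 0x16, 0x34, 0x12, 0x00,      # marked: 0x1234, minus ebx=12 -> 0x1228
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
])
# The same buffer after the loop: the operands are now plain rel32 values.
EXPECTED_SAMPLE = bytes([
    0x90, 0x90,
    0xE8, 0x08, 0x00, 0x00, 0x00,
    0xE9, 0x00, 0x00, 0x00, 0x00,
    0xE8, 0x28, 0x12, 0x00, 0x00,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
])
```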
The dumped file does not run. OK, we use ImportREC to repair it: run ImportREC, select the FreeRes0.94 process, enter CE0F0 in the OEP field, click IAT AutoSearch, then click Get Imports, then click Fix Dump. Done!
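The block at 0051F333 to 0051F398 in the trace applies the program's base relocations (type 1 adds ax, type 2 adds dx, type 3 adds edx) and then overwrites each entry it has consumed with 0FFFF. The Python below is an added re-implementation of that pass, not code from the post or from ASPack; the function names and the sample image are my own constructions. It also shows why a dump taken after this point no longer contains a usable .reloc table:

```python
# Added example (not from the original post): the relocation pass at
# 0051F333-0051F398 re-implemented over an in-memory image; offsets constructed.

def u16(image, off):
    return int.from_bytes(image[off:off + 2], "little")

def u32(image, off):
    return int.from_bytes(image[off:off + 4], "little")

def put(image, off, value, size):
    image[off:off + size] = (value & ((1 << (8 * size)) - 1)).to_bytes(size, "little")

def apply_aspack_relocs(image, reloc_rva, delta):
    """Apply the .reloc table as the stub does; returns the entries patched.
    delta = load address - preferred image base (edx); delta >> 16 is eax."""
    delta &= 0xFFFFFFFF
    high = delta >> 16                    # shr eax, 10 -> ax
    esi = reloc_rva
    patched = 0
    while u32(image, esi) != 0:           # cmp dword ptr [esi], 0 / je
        page_rva, block_size = u32(image, esi), u32(image, esi + 4)
        count = (block_size - 8) >> 1     # sub ecx, 8 / shr ecx, 1
        esi += 8
        for _ in range(count):            # loopd
            entry = u16(image, esi)
            kind, target = entry >> 12, page_rva + (entry & 0x0FFF)
            if kind == 1:                 # HIGH:    add word ptr [edi+ebx], ax
                put(image, target, u16(image, target) + high, 2)
            elif kind == 2:               # LOW:     add word ptr [edi+ebx], dx
                put(image, target, u16(image, target) + delta, 2)
            elif kind == 3:               # HIGHLOW: add dword ptr [edi+ebx], edx
                put(image, target, u32(image, target) + delta, 4)
            patched += kind in (1, 2, 3)  # only the types the stub handles
            # or word ptr [esi], 0FFFF: the consumed entry is destroyed in memory
            put(image, esi, 0xFFFF, 2)
            esi += 2
    return patched

def build_sample_image():
    """Constructed 0x3000-byte image: code at RVA 0x1000, .reloc at 0x2000."""
    image = bytearray(0x3000)
    put(image, 0x1010, 0x00401234, 4)     # full pointer, HIGHLOW target
    put(image, 0x1020, 0x0040, 2)         # high half of a split pointer, HIGH
    put(image, 0x1022, 0x1234, 2)         # low half of a split pointer, LOW
    put(image, 0x2000, 0x1000, 4)         # block: page RVA
    put(image, 0x2004, 16, 4)             # block: 8-byte header + 4 entries
    for i, entry in enumerate((0x3010, 0x1020, 0x2022, 0x0000)):  # type<<12|offset
        put(image, 0x2008 + 2 * i, entry, 2)  # last entry is ABSOLUTE padding
    return image                          # dword at 0x2010 stays 0: end of table
```

With delta 0x00100010 (image loaded 0x100010 above its preferred base) the three real entries are patched and the eight bytes of entries at 0x2008 read back as FF, which is what an ImportREC-style dump of the running process would also contain.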
xbb:
Originally posted by 飘云 at 2005-4-14 21:36:
Classic~~

Heh, you flatter me, admin. I have not cracked anything for over a year and my hands have gone rusty. This is an unpacking exercise from back then; right now I am recharging my batteries. :)

Originally posted by noTme at 2005-4-15 20:19:
You are really good, brother. Learning!

Heh, you flatter me, admin; I only learned this from 二哥's tutorial. If the software author understood packers and tweaked things a little, I would be stuck.
By the way, is the picture in your signature your own work? It is very nice.

充电中: Very detailed, suitable for a newbie like me.
Looks just like unpacking UPX.....
Learning...