Unpacking the 域天 (Yutian) dongle shell
1. Entry point. It looks like a compression packer, but sadly the ESP trick dies right here ^_^
005B3D5A >9C pushfd
005B3D5B 60 pushad
005B3D5C E8 33000000 call fuke.005B3D94
005B3D61 5D pop ebp
005B3D62 B8 73060150 mov eax,50010673
005B3D67 2D 6C060150 sub eax,5001066C
005B3D6C 2BE8 sub ebp,eax
005B3D6E 8DB5 EEFEFFFF lea esi,dword ptr ss:
005B3D74 8B06 mov eax,dword ptr ds:
005B3D76 83F8 00 cmp eax,0
2. Press F9 to run; the program reports “找不到指定的加密锁” (the specified dongle could not be found). Press F12 to pause, then Alt+K.
Call stack, item 14
Address=0012FF04
Stack=0109213D
Procedure / arguments=? USER32.MessageBoxA
Called from=01092137
Frame=0012FF00
Double-click and you land at the call site. This is only the tail end of it, though:
01092115 33F6 xor esi,esi
01092117 56 push esi
01092118 6A 01 push 1
0109211A FF35 2DB90901 push dword ptr ds:
01092120 FF15 058B0901 call dword ptr ds: ; kernel32.ReleaseSemaphore
01092126 FF35 2DB90901 push dword ptr ds:
0109212C FF15 518B0901 call dword ptr ds: ; kernel32.CloseHandle
01092132 6A 30 push 30
01092134 57 push edi
01092135 53 push ebx
01092136 56 push esi
01092137 FF15 298C0901 call dword ptr ds: ; USER32.MessageBoxA (this is it)
Let's go to the start of this block:
01092017 55 push ebp ; hardware execution breakpoint
01092018 8BEC mov ebp,esp
0109201A 83EC 48 sub esp,48
0109201D 53 push ebx
0109201E 56 push esi
0109201F 57 push edi
01092020 68 71AB0901 push 109AB71 ; ASCII "xxsim_nsyt"
01092025 6A 01 push 1
01092027 6A 01 push 1
01092029 6A 00 push 0
0109202B FF15 FD8A0901 call dword ptr ds: ; kernel32.CreateSemaphoreA
3. Restart the program and press F9 to run. Once it breaks, press Alt+K and double-click the call site to arrive at:
005B3EAD 05 90FB0000 add eax,0FB90
005B3EB2 FFD0 call eax
005B3EB4 58 pop eax
005B3EB5 50 push eax
005B3EB6 05 72150000 add eax,1572
005B3EBB FFD0 call eax ; this is the call; set a breakpoint here, restart the program, run again and it breaks here
...
010920A3^\7C F6 jl short 0109209B
010920A5 8365 08 00 and dword ptr ss:,0
010920A9 68 29B80901 push 109B829
010920AE FF75 08 push dword ptr ss:
010920B1 E8 EF020000 call 010923A5
010920B6 85C0 test eax,eax
010920B8 75 4F jnz short 01092109 ; do not let this jump be taken (if it jumps, it's over)
...
010920FD E8 E3010000 call 010922E5
01092102 85C0 test eax,eax
01092104 74 3E je short 01092144 ; make this jump taken (if it doesn't jump, game over)
01092106 8B7D F8 mov edi,dword ptr ss:
01092109 FF45 08 inc dword ptr ss:
0109210C 817D 08 FF000000 cmp dword ptr ss:,0FF
01092113^ 7C 94 jl short 010920A9
01092115 33F6 xor esi,esi
...
005B3ECD 05 A7160000 add eax,16A7
005B3ED2 57 push edi
005B3ED3 FFD0 call eax ; F7 to step into
...
01092239 395F 30 cmp dword ptr ds:,ebx
0109223C 74 19 je short 01092257 ; make this jump taken
0109223E 8D45 F4 lea eax,dword ptr ss:
01092241 83C7 40 add edi,40
01092244 50 push eax
01092245 53 push ebx
01092246 57 push edi
01092247 68 801F0901 push 1091F80
0109224C 53 push ebx
...
The machine starts to lag here; probably my machine is just weak....
005B3F0A /74 1C je short fuke.005B3F28
005B3F0C |0306 add eax,dword ptr ds:
005B3F0E |56 push esi
005B3F0F |51 push ecx
005B3F10 |50 push eax
005B3F11 |53 push ebx
005B3F12 |57 push edi
005B3F13 |53 push ebx
005B3F14 |51 push ecx
005B3F15 |57 push edi
005B3F16 |57 push edi
005B3F17 |68 00000000 push 0
005B3F1C |FFD0 call eax
005B3F1E |5F pop edi
005B3F1F |5B pop ebx
005B3F20 |58 pop eax
005B3F21 |59 pop ecx
005B3F22 |5E pop esi
005B3F23 |83C6 04 add esi,4
005B3F26^|EB DF jmp short fuke.005B3F07 ; because of the breakpoint I had set, I let it jump back once here, and then the je was taken
005B3F28 \61 popad
005B3F29 8BDF mov ebx,edi
005B3F2B 833F 00 cmp dword ptr ds:,0
...
Walk through it slowly... keep going down, and do not let the backward jumps be taken.
...
005B40AB 83C3 0C add ebx,0C
005B40AE^ E2 E1 loopd short fuke.005B4091
005B40B0 61 popad
005B40B1 9D popfd
005B40B2- E9 05EEE4FF jmp fuke.00402EBC ; arrived at the station
...
00402EB4- FF25 D0114000 jmp dword ptr ds: ; MSVBVM60.ThunRTMain
00402EBA 0000 add byte ptr ds:,al
00402EBC 68 A0F64200 push fuke.0042F6A0 ; final stop reached
00402EC1 E8 EEFFFFFF call fuke.00402EB4 ; jmp to
00402EC6 0000 add byte ptr ds:,al
00402EC8 0000 add byte ptr ds:,al
00402ECA 0000 add byte ptr ds:,al
00402ECC 3000 xor byte ptr ds:,al
00402ECE 0000 add byte ptr ds:,al
00402ED0 48 dec eax
00402ED1 0000 add byte ptr ds:,al
DUMP & REC.... Game over
[ This post was last edited by glts on 2007-7-8 02:23 ]

Learned something....
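The pattern the OP's walkthrough relies on, pushfd/pushad at the stub entry and popad/popfd followed by a jmp to the original code at its tail, can be picked out of a listing mechanically. As an added example (not code from this thread), this Python parser reads OllyDbg listing lines and reports the stub entry and the handoff target; the sample listing is constructed from the fragments above, and lowercase mnemonics are assumed.

```python
import re

# OllyDbg listing line: address, marker chars (> - ^ / | \), opcode bytes, instruction, optional ';' comment.
# Lowercase mnemonics are assumed (as in the OP's listing); the regex needs them to find where the bytes end.
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f]{8})\s*[>\-^/|\\]*\s*"
    r"(?P<bytes>(?:[0-9A-Fa-f]{2}\s?)+?)\s+"
    r"(?P<insn>[a-z]+[^;]*?)\s*(?:;(?P<comment>.*))?$"
)
TARGET_RE = re.compile(r"(?:\w+\.)?([0-9A-Fa-f]{8})$")  # direct jump target, optional 'module.' prefix

# Constructed sample: the stub's entry and tail as the thread shows them; the '.' line is the elided middle.
SAMPLE = """\
005B3D5A >9C pushfd
005B3D5B 60 pushad
005B3D5C E8 33000000 call fuke.005B3D94
.
005B40AB 83C3 0C add ebx,0C
005B40AE^ E2 E1 loopd short fuke.005B4091
005B40B0 61 popad
005B40B1 9D popfd
005B40B2- E9 05EEE4FF jmp fuke.00402EBC ; stub hands control to the unpacked code
"""

def parse_listing(text):
    """(address, mnemonic, operands, comment) per listing line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mnemonic, _, operands = m.group("insn").strip().partition(" ")
            out.append((int(m.group("addr"), 16), mnemonic, operands.strip(), (m.group("comment") or "").strip()))
    return out

def find_stub_entry(instrs):
    """Address of a pushfd/pushad pair: the packer saving flags and registers on entry."""
    return next((a[0] for a, b in zip(instrs, instrs[1:]) if (a[1], b[1]) == ("pushfd", "pushad")), None)

def find_stub_exit(instrs):
    """Target of a direct jmp right after popad/popfd: the stub restoring state and handing off to the OEP."""
    for a, b, c in zip(instrs, instrs[1:], instrs[2:]):
        if (a[1], b[1], c[1]) == ("popad", "popfd", "jmp") and TARGET_RE.match(c[2]):
            return int(TARGET_RE.match(c[2]).group(1), 16)
    return None

def handoff_leaves_stub(instrs):
    """True when that jmp leaves the stub's own address range, i.e. it is the OEP jump, not a loop inside the unpacker."""
    entry, target = find_stub_entry(instrs), find_stub_exit(instrs)
    return entry is not None and target is not None and not (entry <= target <= instrs[-1][0])
```

The same check run over a full OllyDbg trace separates the unpacker's internal backward jumps (the ones the OP says not to take) from the single forward handoff into the original .text section.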
Thanks, OP.

Support! Writeups on unpacking dongle shells are rare, heh, learning something!

Huh... what is this attachment? Why is it only some website-style images and a few Word documents I can't make sense of.....

If you don't look at the attachment carefully you won't even notice the FUKE application! Heh. I read the OP's unpacking writeup carefully and went through it once myself: the first three parts are copied verbatim from the OP, heh.
Step 4:
F7 into the call at 5b3ebb and you reach the following code:
010820B8 /75 4F JNZ SHORT 01082109 ; there is a jump here, do not let it jump: invert ZF
010820BA |8B4E 20 MOV ECX,DWORD PTR DS:
010820BD |8B7E 24 MOV EDI,DWORD PTR DS:
010820C0 |B8 57FAA37C MOV EAX,7CA3FA57
010820C5 |33C8 XOR ECX,EAX
010820C7 |33F8 XOR EDI,EAX
010820C9 |51 PUSH ECX
010820CA |8D45 B8 LEA EAX,DWORD PTR SS:
010820CD |68 6DAB0801 PUSH 108AB6D ; ASCII "%x"
010820D2 |50 PUSH EAX
010820D3 |E8 F01C0000 CALL 01083DC8
010820D8 |57 PUSH EDI
010820D9 |8D45 D8 LEA EAX,DWORD PTR SS:
010820DC |68 6DAB0801 PUSH 108AB6D ; ASCII "%x"
010820E1 |50 PUSH EAX
010820E2 |E8 E11C0000 CALL 01083DC8
010820E7 |83C4 18 ADD ESP,18
010820EA |8D45 D8 LEA EAX,DWORD PTR SS:
010820ED |68 29B80801 PUSH 108B829
010820F2 |50 PUSH EAX
010820F3 |8D45 B8 LEA EAX,DWORD PTR SS:
010820F6 |50 PUSH EAX
010820F7 |8D45 FF LEA EAX,DWORD PTR SS:
010820FA |6A 00 PUSH 0
010820FC |50 PUSH EAX
010820FD |E8 E3010000 CALL 010822E5
01082102 |85C0 TEST EAX,EAX
01082104 |74 3E JE SHORT 01082144
01082106 |8B7D F8 MOV EDI,DWORD PTR SS:
01082109 \FF45 08 INC DWORD PTR SS:
01082104 /74 3E JE SHORT 01082144 ; this jump is not taken by default; look below and you can see that not jumping means it's over
01082106 |8B7D F8 MOV EDI,DWORD PTR SS:
01082109 |FF45 08 INC DWORD PTR SS:
0108210C |817D 08 FF00000>CMP DWORD PTR SS:,0FF
01082113^|7C 94 JL SHORT 010820A9
01082115 |33F6 XOR ESI,ESI
01082117 |56 PUSH ESI
01082118 |6A 01 PUSH 1
0108211A |FF35 2DB90801 PUSH DWORD PTR DS:
01082120 |FF15 058B0801 CALL DWORD PTR DS: ; kernel32.ReleaseSemaphore
01082126 |FF35 2DB90801 PUSH DWORD PTR DS:
0108212C |FF15 518B0801 CALL DWORD PTR DS: ; kernel32.CloseHandle
01082132 |6A 30 PUSH 30
01082134 |57 PUSH EDI
01082135 |53 PUSH EBX
01082136 |56 PUSH ESI
01082137 |FF15 298C0801 CALL DWORD PTR DS: ; USER32.MessageBoxA
0108213D |56 PUSH ESI
0108213E |FF15 098B0801 CALL DWORD PTR DS: ; kernel32.ExitProcess
01082144 \6A 01 PUSH 1
F8 down to 005B3ED3, then F7 into it:
0108216E /74 16 JE SHORT 01082186 ; this jumps by default; looking at the function below, it should not jump
01082170 |8D45 F4 LEA EAX,DWORD PTR SS:
01082173 |50 PUSH EAX
01082174 |53 PUSH EBX
01082175 |57 PUSH EDI
01082176 |68 551F0801 PUSH 1081F55
0108217B |53 PUSH EBX
0108217C |53 PUSH EBX
0108217D |FF15 F98A0801 CALL DWORD PTR DS: ; kernel32.CreateThread
01082183 |50 PUSH EAX
01082184 |FFD6 CALL ESI
Returning to the program's own code gets a bit slow; keep pressing F8 until there is a big jump, and that is the OEP. Dump with the OD plugin and it runs OK.
005B40B2- E9 05EEE4FF JMP fuke.00402EBC
Nice article.

Learning.

I need to learn this too, thanks.

Learning a bit.... Many thanks, OP.

What's going on? I followed the OP's article and still couldn't unpack it. Frustrating.

OP is just strong, strong support!!!