Unpacking WinUpack 0.33
PEiD identifies the target as: Upack v0.33 ~ v0.34 Beta -> Dwing

Load the program in OllyDbg; it stops at the entry point of the Upack stub:

010011A4 > $BE E8110001      MOV ESI,calc.010011E8
010011A9 .  AD               LODS DWORD PTR DS:[ESI]
010011AA .  50               PUSH EAX
010011AB .  AD               LODS DWORD PTR DS:[ESI]
010011AC .  50               PUSH EAX
010011AD .  66:BE 5801       MOV SI,158
010011B1 .  6A 12            PUSH 12
010011B3 .  BF 08670301      MOV EDI,calc.01036708

010011CB .  B5 1C            MOV CH,1C
010011CD .  F3:AB            REP STOS DWORD PTR ES:[EDI]
010011CF .  BF 00100001      MOV EDI,calc.01001000                ; ASCII "MZLoadLibraryA"
010011D4 .  E9 30530300      JMP calc.01036509                    ; set a breakpoint here and single-step into the unpacking routine
010011D9 .  47 65 74 50 7>   ASCII "GetProcAddress",0

01036509    57               PUSH EDI                             ; calc.01001000
0103650A    51               PUSH ECX
0103650B    58               POP EAX
0103650C    8D5483 58        LEA EDX,DWORD PTR DS:[EBX+EAX*4+58]

010366B3    56               PUSH ESI
010366B4    97               XCHG EAX,EDI
010366B5    FFD1             CALL ECX                             ; key point: set a breakpoint here, then F9
010366B7    93               XCHG EAX,EBX

When the breakpoint hits, ECX=7C801D77 (kernel32.LoadLibraryA): the stub is resolving the original program's imports here.

010366DE  ^\72 F4            JB SHORT calc.010366D4
010366E0    2BC1             SUB EAX,ECX
010366E2    C3               RETN                                 ; key point: set a breakpoint here, F9, then F8 to land on the OEP

01012475    6A 70            PUSH 70                              ; OEP  (initial CPU selection)
01012477    68 E0150001      PUSH calc.010015E0
0101247C    E8 47030000      CALL calc.010127C8
01012481    33DB             XOR EBX,EBX
01012483    53               PUSH EBX
01012484    8B3D 20700201    MOV EDI,DWORD PTR DS:[1027020]       ; kernel32.GetModuleHandleA

The PUSH 70 / PUSH offset / CALL sequence followed by XOR EBX,EBX and the GetModuleHandleA load is the standard Visual C++ SEH prologue at calc.exe's real entry point, so 01012475 is the genuine OEP and not a fake one planted by the packer.
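The two things the walkthrough above reads off by hand before it ever hits F9, namely "is this the Upack 0.33 stub" and "where does the JMP at 010011D4 go", can be checked statically. The following is an added example, not code from the tutorial or from Upack/OllyDbg: it rebuilds the stub bytes from the listing above (the 19 bytes between 010011B8 and 010011CB are not shown on the page and are filled with NOPs as placeholders), matches the entry-point byte pattern with wildcards for the per-file immediates, and decodes the E9 rel32 to the unpacking routine. The signature, the offsets and the function names are my own.

```python
"""Static check of an Upack 0.33 entry stub: signature match and JMP decode."""
import struct
from typing import Dict, List, Optional

# Byte pattern of the Upack v0.33 entry stub as listed in the tutorial:
# MOV ESI,imm32 / LODSD / PUSH EAX / LODSD / PUSH EAX / MOV SI,imm16 /
# PUSH imm8 / MOV EDI,imm32.  None is a wildcard (immediates vary per file).
UPACK_033_EP_SIG: List[Optional[int]] = [
    0xBE, None, None, None, None,  # MOV ESI, <loader data>
    0xAD, 0x50, 0xAD, 0x50,        # LODSD / PUSH EAX / LODSD / PUSH EAX
    0x66, 0xBE, None, None,        # MOV SI, imm16
    0x6A, None,                    # PUSH imm8
    0xBF, None, None, None, None,  # MOV EDI, imm32
]

# Constructed image of the stub exactly as the listing shows it, laid out
# from VA 0x010011A4.  The 19 bytes from 0x010011B8 to 0x010011CA are not on
# the page; the NOP filler here is a placeholder, not the real packer code.
STUB_VA = 0x010011A4
STUB_BYTES = (
    bytes([0xBE, 0xE8, 0x11, 0x00, 0x01])    # 010011A4  MOV ESI,010011E8
    + bytes([0xAD, 0x50, 0xAD, 0x50])        # 010011A9  LODSD/PUSH/LODSD/PUSH
    + bytes([0x66, 0xBE, 0x58, 0x01])        # 010011AD  MOV SI,158
    + bytes([0x6A, 0x12])                    # 010011B1  PUSH 12
    + bytes([0xBF, 0x08, 0x67, 0x03, 0x01])  # 010011B3  MOV EDI,01036708
    + b"\x90" * 0x13                         # 010011B8  placeholder (not shown)
    + bytes([0xB5, 0x1C])                    # 010011CB  MOV CH,1C
    + bytes([0xF3, 0xAB])                    # 010011CD  REP STOSD
    + bytes([0xBF, 0x00, 0x10, 0x00, 0x01])  # 010011CF  MOV EDI,01001000
    + bytes([0xE9, 0x30, 0x53, 0x03, 0x00])  # 010011D4  JMP 01036509
    + b"GetProcAddress\x00"                  # 010011D9  import name string
)
JMP_OFF = 0x010011D4 - STUB_VA  # offset of the E9 inside the stub (0x30)


def match_signature(buf: bytes, off: int, sig: List[Optional[int]]) -> bool:
    """True if buf[off:] matches sig; None entries match any byte."""
    if off + len(sig) > len(buf):
        return False
    return all(s is None or buf[off + i] == s for i, s in enumerate(sig))


def decode_jmp_rel32(buf: bytes, off: int, base_va: int) -> Optional[int]:
    """Target VA of an E9 rel32 at buf[off], or None if no JMP sits there.

    Target = VA of the next instruction + signed rel32, wrapped to 32 bits.
    """
    if off + 5 > len(buf) or buf[off] != 0xE9:
        return None
    rel = struct.unpack_from("<i", buf, off + 1)[0]
    return (base_va + off + 5 + rel) & 0xFFFFFFFF


def read_cstring(buf: bytes, off: int) -> str:
    """ASCII string at buf[off] up to the first NUL (an import name here)."""
    end = buf.find(b"\x00", off)
    return buf[off:end if end != -1 else len(buf)].decode("ascii")


def analyze_stub(buf: bytes, base_va: int, jmp_off: int) -> Dict[str, object]:
    """Recover statically what the tutorial reads off the stub by stepping."""
    is_upack = match_signature(buf, 0, UPACK_033_EP_SIG)
    loader_data = struct.unpack_from("<I", buf, 1)[0]   # MOV ESI imm32
    target = decode_jmp_rel32(buf, jmp_off, base_va)
    name = read_cstring(buf, jmp_off + 5) if target is not None else ""
    return {
        "is_upack_033": is_upack,
        "loader_data_va": loader_data,   # ESI: the two DWORDs LODSD pushes
        "unpack_routine_va": target,     # where the stub JMPs (01036509 here)
        "first_import_name": name,       # string placed right after the JMP
    }


if __name__ == "__main__":
    for key, val in analyze_stub(STUB_BYTES, STUB_VA, JMP_OFF).items():
        shown = f"{val:#010x}" if isinstance(val, int) and not isinstance(val, bool) else val
        print(f"{key:20s} {shown}")
```

Two details fall out of the numbers. The "GetProcAddress\0" string at 010011D9 is 15 bytes long, so the loader data that the two LODSD instructions read begins at 010011E8, exactly the operand of the first MOV ESI; and the rel32 0x00035330 added to 010011D9 gives 01036509, the JMP target the tutorial breaks on. On a real file you would read the bytes at the PE's AddressOfEntryPoint instead of the constructed buffer; because Upack packs its headers and import strings tightly (the "MZLoadLibraryA" comment at 01001000 shows the import name butting directly against an "MZ" signature), ordinary PE parsers may choke on its headers, which is part of why the hand-stepped breakpoints at CALL ECX and RETN remain the practical route.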
MD5 30988ce32b3cd7e4edda33dd3cf1337e  教程.exe (the tutorial file)
Download: WinUpack 0.33 (Training Package) http://www.namipan.com/d/WinUpack%200.33%20(Training%20Package).rar/2db95e9cfd2143dd734ebd27acb911238a35226364df6b00
WinUpack 0.33 is still fairly simple to unpack.