UPX unpacking: how do I do it, is it really this hard???
PEiD v0.95 reports it as UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo. I have been at it for a whole day and still haven't managed it; experts, please advise.
004A81E8 8B07 mov eax, dword ptr [edi]
004A81EA 8A5F 04 mov bl, byte ptr [edi+4]
004A81ED 66:C1E8 08 shr ax, 8
004A81F1 C1C0 10 rol eax, 10
004A81F4 86C4 xchg ah, al
004A81F6 29F8 sub eax, edi
004A81F8 80EB E8 sub bl, 0E8
004A81FB 01F0 add eax, esi
004A81FD 8907 mov dword ptr [edi], eax
004A81FF 83C7 05 add edi, 5
004A8202 88D8 mov al, bl
004A8204^ E2 D9 loopd short 004A81DF
004A8206 8DBE 00400A00 lea edi, dword ptr [esi+0A4000]
004A820C 8B07 mov eax, dword ptr [edi]
004A820E 09C0 or eax, eax
004A8210 74 45 je short 004A8257
004A8212 8B5F 04 mov ebx, dword ptr [edi+4]
004A8215 8D8430 0C930A00 lea eax, dword ptr [eax+esi+0A930C]
004A821C 01F3 add ebx, esi
004A821E 50 push eax
004A821F 83C7 08 add edi, 8
004A8222 FF96 60940A00 call dword ptr [esi+0A9460]
004A8228 95 xchg eax, ebp
004A8229 8A07 mov al, byte ptr [edi]
004A822B 47 inc edi
004A822C 08C0 or al, al
004A822E^ 74 DC je short 004A820C
004A8230 89F9 mov ecx, edi
004A8232 79 07 jns short 004A823B
004A8234 0FB707 movzx eax, word ptr [edi]
004A8237 47 inc edi
004A8238 50 push eax
004A8239 47 inc edi
004A823A B9 5748F2AE mov ecx, AEF24857
004A823F 55 push ebp
004A8240 FF96 64940A00 call dword ptr [esi+0A9464]
004A8246 09C0 or eax, eax
004A8248 74 07 je short 004A8251
004A824A 8903 mov dword ptr [ebx], eax
004A824C 83C3 04 add ebx, 4
004A824F^ EB D8 jmp short 004A8229
004A8251 FF96 74940A00 call dword ptr [esi+0A9474]
004A8257 8BAE 68940A00 mov ebp, dword ptr [esi+0A9468]
004A825D 8DBE 00F0FFFF lea edi, dword ptr [esi-1000]
004A8263 BB 00100000 mov ebx, 1000
004A8268 50 push eax
004A8269 54 push esp
004A826A 6A 04 push 4
004A826C 53 push ebx
004A826D 57 push edi ; bbx003.00400000
004A826E FFD5 call ebp
004A8270 8D87 17020000 lea eax, dword ptr [edi+217]
004A8276 8020 7F and byte ptr [eax], 7F
004A8279 8060 28 7F and byte ptr [eax+28], 7F
004A827D 58 pop eax
004A827E 50 push eax
004A827F 54 push esp
004A8280 50 push eax
004A8281 53 push ebx
004A8282 57 push edi
004A8283 FFD5 call ebp
004A8285 58 pop eax
004A8286 61 popad ------ leaving the packer
004A8287 8D4424 80 lea eax, dword ptr [esp-80]
004A828B 6A 00 push 0
004A828D 39C4 cmp esp, eax
004A828F^ 75 FA jnz short 004A828B
004A8291 83EC 80 sub esp, -80
004A8294- E9 D7F4F6FF jmp 00417770
004A8299 0000 add byte ptr [eax], al
004A829B 0000 add byte ptr [eax], al
I keep looking further down but cannot find the OEP anywhere.
=======================================================
004A8286 61 popad ------ leaving the packer
004A8287 8D4424 80 lea eax, dword ptr [esp-80]
004A828B 6A 00 push 0
004A828D 39C4 cmp esp, eax
004A828F^ 75 FA jnz short 004A828B
004A8291 83EC 80 sub esp, -80
004A8294- E9 D7F4F6FF jmp 00417770 // Clear all the breakpoints you set earlier, then press F4 to run to this line. F8 then takes you to the OEP.
004A8299 0000 add byte ptr [eax], al
004A829B 0000 add byte ptr [eax], al
=======================================================
Ugh, something this simple is in any forum post you care to search for.
004A8286 61 popad ------ leaving the packer
004A8287 8D4424 80 lea eax, dword ptr [esp-80]
004A828B 6A 00 push 0
004A828D 39C4 cmp esp, eax
004A828F^ 75 FA jnz short 004A828B
004A8291 83EC 80 sub esp, -80
004A8294- E9 D7F4F6FF jmp 00417770
popad means decoding is finished and the register contents are restored; the jmp below it jumps to the OEP. In a couple of days we will release the basic videos of our open training class.
=======================================================
Thanks for the analysis above. Yes:
004A8294- E9 D7F4F6FF jmp 00417770 F8 takes you to the OEP
00417770 E8 C4AF0000 CALL bbx003.00422739
00417775^ E9 79FEFFFF JMP bbx003.004175F3
0041777A 8BFF MOV EDI,EDI
0041777C 55 PUSH EBP
0041777D 8BEC MOV EBP,ESP
0041777F 8BC1 MOV EAX,ECX
00417781 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00417784 C700 88DA4700 MOV DWORD PTR DS:[EAX],bbx003.0047DA88
0041778A 8B09 MOV ECX,DWORD PTR DS:[ECX]
0041778C 8360 08 00 AND DWORD PTR DS:[EAX+8],0
00417790 8948 04 MOV DWORD PTR DS:[EAX+4],ECX
00417793 5D POP EBP
00417794 C2 0800 RETN 8
00417797 8BFF MOV EDI,EDI
00417799 55 PUSH EBP
0041779A 8BEC MOV EBP,ESP
0041779C 53 PUSH EBX
0041779D 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
004177A0 56 PUSH ESI
004177A1 8BF1 MOV ESI,ECX
004177A3 C706 88DA4700 MOV DWORD PTR DS:[ESI],bbx003.0047DA88
004177A9 8B43 08 MOV EAX,DWORD PTR DS:[EBX+8]
004177AC 8946 08 MOV DWORD PTR DS:[ESI+8],EAX
004177AF 85C0 TEST EAX,EAX
004177B1 8B43 04 MOV EAX,DWORD PTR DS:[EBX+4]
004177B4 57 PUSH EDI
004177B5 74 31 JE SHORT bbx003.004177E8
004177B7 85C0 TEST EAX,EAX
004177B9 74 27 JE SHORT bbx003.004177E2
004177BB 50 PUSH EAX
004177BC E8 EFD3FFFF CALL bbx003.00414BB0
004177C1 8BF8 MOV EDI,EAX
004177C3 47 INC EDI
004177C4 57 PUSH EDI
004177C5 E8 10D3FFFF CALL bbx003.00414ADA
004177CA 59 POP ECX
004177CB 59 POP ECX
004177CC 8946 04 MOV DWORD PTR DS:[ESI+4],EAX
004177CF 85C0 TEST EAX,EAX
004177D1 74 18 JE SHORT bbx003.004177EB
004177D3 FF73 04 PUSH DWORD PTR DS:[EBX+4]
004177D6 57 PUSH EDI
004177D7 50 PUSH EAX
004177D8 E8 F2AF0000 CALL bbx003.004227CF
004177DD 83C4 0C ADD ESP,0C
004177E0 EB 09 JMP SHORT bbx003.004177EB
004177E2 8366 04 00 AND DWORD PTR DS:[ESI+4],0
004177E6 EB 03 JMP SHORT bbx003.004177EB
004177E8 8946 04 MOV DWORD PTR DS:[ESI+4],EAX
004177EB 5F POP EDI
004177EC 8BC6 MOV EAX,ESI
004177EE 5E POP ESI
004177EF 5B POP EBX
004177F0 5D POP EBP
004177F1 C2 0400 RETN 4
004177F4 8379 08 00 CMP DWORD PTR DS:[ECX+8],0
004177F8 C701 88DA4700 MOV DWORD PTR DS:[ECX],bbx003.0047DA88
004177FE 74 09 JE SHORT bbx003.00417809
00417800 FF71 04 PUSH DWORD PTR DS:[ECX+4]
But after dumping from here, the dumped file won't run, and I don't know why. Please advise.
[ This post was last edited by taoszyz on 2009-5-23 08:06 ]
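As an added example (not code from the thread), a small Python script that parses the OllyDbg lines quoted above, finds the popad/jmp pair that ends the UPX stub, and decodes the jmp's rel32 to show where the OEP value 00417770 comes from. The listing lines are the thread's own, embedded as constructed input; the image base 00400000 is taken from the `bbx003.00400000` comment in the listing.

```python
import re

# Constructed sample: the tail of the UPX stub as shown in the thread's OllyDbg
# listing (address, opcode bytes, disassembly), jump-source marks '^'/'-' included.
UPX_TAIL = """\
004A8286 61 popad
004A8287 8D4424 80 lea eax, dword ptr [esp-80]
004A828B 6A 00 push 0
004A828D 39C4 cmp esp, eax
004A828F^ 75 FA jnz short 004A828B
004A8291 83EC 80 sub esp, -80
004A8294- E9 D7F4F6FF jmp 00417770
004A8299 0000 add byte ptr [eax], al
"""

# Opcode bytes: uppercase hex pairs, ':' marks a prefix (66:C1E8); mnemonics in
# this listing are lowercase, so they never match (assumption about the format).
BYTES_RE = re.compile(r"^[0-9A-F]{2}(?::?[0-9A-F]{2})*$")

def parse_listing(text):
    """Turn 'ADDR BYTES... MNEMONIC OPERANDS' lines into (addr, code, asm) tuples."""
    insns = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 3:
            continue
        addr = int(toks[0].rstrip("^-"), 16)
        code, i = bytearray(), 1
        while i < len(toks) and BYTES_RE.match(toks[i]):
            code += bytes.fromhex(toks[i].replace(":", ""))
            i += 1
        insns.append((addr, bytes(code), " ".join(toks[i:])))
    return insns

def find_upx_oep(insns, window=8):
    """POPAD (0x61) followed within a few instructions by JMP rel32 (0xE9):
    the jump target, next_ip + sign-extended rel32, is the OEP."""
    for i, (_, code, _) in enumerate(insns):
        if code != b"\x61":
            continue
        for addr, code2, _ in insns[i + 1:i + 1 + window]:
            if len(code2) == 5 and code2[0] == 0xE9:
                rel32 = int.from_bytes(code2[1:], "little", signed=True)
                return addr + 5 + rel32  # 004A8299 + (-0x90B29) = 00417770
    return None

def oep_rva(oep_va, image_base=0x00400000):
    """OEP as an RVA: the value a dumped PE needs in AddressOfEntryPoint
    (the listing shows the module loaded at 00400000)."""
    return oep_va - image_base
```

Calling `find_upx_oep(parse_listing(UPX_TAIL))` returns 0x00417770, and `oep_rva` of that gives 0x17770.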