Mpress 2.12 脱壳分析
【文章标题】: Mpress 2.12 脱壳分析【文章作者】: huzhao23
【作者主页】: hi.baidu.com/hacknight
【软件名称】: Mpress_GUI 2.12 主程序Mpress_gui By goastship
【下载地址】: 自己搜索下载
【保护方式】: MPRESS V2.00-V2.0X -> MATCODE Software
【使用工具】: OD,CHimpREC,PEID
--------------------------------------------------------------------------------
【详细过程】
刚刚看见goastship大侠写了个Mpress 2.12 GUI 版程序,加的壳也是Mpress 2.12,索性就拿来脱下。这个也算是个软柿子吧,单步分析后总结了下快速脱壳的方法。。。
1. 查壳
PEID 显示是:MPRESS V2.00-V2.0X -> MATCODE Software * Sign.By.fly * 20090423 *
2.脱壳
OD 载入
004C830A >60 pushad // 壳的入口点
004C830B E8 00000000 call 004C8310
004C8310 58 pop eax
004C8311 05 5A0B0000 add eax, 0B5A
004C8316 8B30 mov esi, dword ptr
004C8318 03F0 add esi, eax
004C831A 2BC0 sub eax, eax
004C831C 8BFE mov edi, esi
下断点: bp VirtualProtect
7C801AD4 >- E9 B7028093 jmp guard32.10001D90 // bp VirtualProtect
7C801AD9 FF75 14 push dword ptr
7C801ADC FF75 10 push dword ptr
7C801ADF FF75 0C push dword ptr
7C801AE2 FF75 08 push dword ptr
7C801AE5 6A FF push -1
7C801AE7 E8 75FFFFFF call VirtualProtectEx
7C801AEC 5D pop ebp
7C801AED C2 1000 retn 10
SHIFT + F9 两次后,取消断点返回
6FFF0560 8BFF mov edi, edi ; Mpress_g.0040015F // 返回到这里
6FFF0562 55 push ebp
6FFF0563 8BEC mov ebp, esp
6FFF0565- E9 6F15810C jmp kernel32.7C801AD9
6FFF056A CC int3
6FFF056B CC int3
6FFF056C CC int3
接着F8单步走
7C801AD4 >- E9 B7028093 jmp guard32.10001D90
7C801AD9 FF75 14 push dword ptr
7C801ADC FF75 10 push dword ptr
7C801ADF FF75 0C push dword ptr
7C801AE2 FF75 08 push dword ptr
7C801AE5 6A FF push -1
7C801AE7 E8 75FFFFFF call VirtualProtectEx
7C801AEC 5D pop ebp
7C801AED C2 1000 retn 10 // 走过这个retn
之后来到这里
0049486F 58 pop eax // 一直单步到这里
00494870 8BFE mov edi, esi
00494872 AD lods dword ptr
00494873 83F8 FF cmp eax, -1
00494876 74 3D je short 004948B5
00494878 03F8 add edi, eax
0049487A 56 push esi
0049487B E8 54000000 call <jmp.&KERNEL32.GetModuleHandleA>
00494880 8BD8 mov ebx, eax
00494882 AC lods byte ptr
00494883 0AC0 or al, al
00494885 B0 00 mov al, 0
00494887 8846 FF mov byte ptr , al
0049488A^ 75 F6 jnz short 00494882
0049488C AC lods byte ptr
0049488D 0AC0 or al, al
0049488F^ 74 E1 je short 00494872
00494891 3C 20 cmp al, 20
00494893 76 04 jbe short 00494899
00494895 4E dec esi
00494896 56 push esi
00494897 EB 09 jmp short 004948A2
00494899 2BC0 sub eax, eax
0049489B 66:AD lods word ptr
0049489D 4E dec esi
0049489E C606 00 mov byte ptr , 0
004948A1 50 push eax
004948A2 53 push ebx
004948A3 E8 32000000 call <jmp.&KERNEL32.GetProcAddress>
004948A8 AB stos dword ptr es:
004948A9 32C0 xor al, al
004948AB 8846 FF mov byte ptr , al
004948AE AC lods byte ptr
004948AF 0AC0 or al, al
004948B1^ 75 F6 jnz short 004948A9
004948B3^ EB D7 jmp short 0049488C
004948B5 E8 00000000 call 004948BA
004948BA 5F pop edi
004948BB 81C7 EEFEFFFF add edi, -112
004948C1 B0 E9 mov al, 0E9
004948C3 AA stos byte ptr es:
004948C4 B8 1E010000 mov eax, 11E
004948C9 AB stos dword ptr es:
004948CA 61 popad
004948CB^ E9 6CFEFFFF jmp 0049473C // 这里就是跳向OEP
004948D0 40 inc eax
004948D1 3F aas
004948D2 0000 add byte ptr , al
004948D4- FF25 54814C00 jmp dword ptr [<&KERNEL32.GetModuleH>; kernel32.GetModuleHandleA
004948DA- FF25 58814C00 jmp dword ptr [<&KERNEL32.GetProcAdd>; kernel32.GetProcAddress
OEP:
0049473C 55 push ebp // OEP
0049473D 8BEC mov ebp, esp
0049473F 83C4 F0 add esp, -10
00494742 B8 6C454900 mov eax, 0049456C
00494747 E8 AC20F7FF call 004067F8
0049474C A1 14634900 mov eax, dword ptr
00494751 8B00 mov eax, dword ptr
00494753 E8 2CDEFCFF call 00462584
00494758 A1 14634900 mov eax, dword ptr
0049475D 8B00 mov eax, dword ptr
0049475F BA 9C474900 mov edx, 0049479C ; ASCII "Mpress_gui"
00494764 E8 27DAFCFF call 00462190
00494769 8B0D 1C644900 mov ecx, dword ptr ; Mpress_g.00497CB4
0049476F A1 14634900 mov eax, dword ptr
00494774 8B00 mov eax, dword ptr
00494776 8B15 88394900 mov edx, dword ptr ; Mpress_g.004939D4
0049477C E8 1BDEFCFF call 0046259C
00494781 A1 14634900 mov eax, dword ptr
00494786 8B00 mov eax, dword ptr
然后就是 CHimpREC 工具直接DUMP ,然后在修复下IAT ,FIX 下就成功脱壳了。。。
--------------------------------------------------------------------------------
【经验总结】
很简单的一个压缩新壳,简单的分析了下,失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【版权声明】: 本文原创于PYG官方论坛, 转载请注明作者并保持文章的完整, 谢谢!
2009年08月27日 21:50:20 用esp定律的话会更快啊..直接用od那个dump出来就ok啦
页:
[1]