ASPack 2.12的简单分析
【破文标题】ASPack 2.12的简单分析
【破文作者】yangbing1990
【作者邮箱】[email protected]
【破解工具】OD,LoadPE
【破解平台】WinXp2
【软件名称】试验程序
【原版下载】看附件
【保护方式】ASPack 2.12
【破解声明】高手飘过 - -!
------------------------------------------------------------------------
【破解过程】
; ASPack 2.12 unpacking stub as dumped by OllyDbg (address / opcode bytes / disassembly / comment).
; NOTE(review): the forum software stripped every bracketed memory operand ("[ebp+422]" was
; rendered as "ss:"), so read the displacement from the opcode-bytes column, e.g.
; "83BD 22040000 00" = cmp dword ptr [ebp+422], 0.  Nothing else in the listing was changed.
; Register convention: the call/pop at 0040400E/00404014 sets ebp = 00404013, so every
; [ebp+disp] below is a stub variable at 00404013+disp; [ebp+422] holds the image base (00400000).
; Flow: resolve VirtualAlloc/VirtualFree -> decompress each section in place (E8/E9 fixup on the
; first one only) -> base relocations if not at the preferred base -> word-patch list -> resolve
; imports into the packer's descriptor table at base+2070 -> self-patch "push 0 / retn" with the OEP.
00404001 >60 pushad ; save all registers; restored by popad at 004043AF right before the OEP jump
00404002 E8 03000000 call ASPack_2.0040400A ; pushes 00404007 and lands INSIDE the "jmp" below (anti-disassembly)
00404007- E9 EB045D45 jmp 459D44F7 ; never executed as shown: real stream is 0040400A 5D pop ebp / 0040400B 45 inc ebp / push ebp / retn -> 00404008, where EB 04 = jmp short 0040400E
0040400C 55 push ebp ; ebp = 00404008 here
0040400D C3 retn ; "returns" to 00404008 = jmp short 0040400E
0040400E E8 01000000 call ASPack_2.00404014 ; pushes 00404013; the target 00404014 is the 5D byte below = pop ebp
00404013 EB 5D jmp short ASPack_2.00404072 ; misdecoded: 00404014 5D = pop ebp -> ebp = 00404013 (base for all [ebp+disp] below)
00404015 BB EDFFFFFF mov ebx, -13 ; ebx = ebp - 13h = 00404000
0040401A 03DD add ebx, ebp
0040401C 81EB 00400000 sub ebx, 4000 ; ebx = 00400000: the actual load address (computed, so it works at any base)
00404022 83BD 22040000 0>cmp dword ptr ss:, 0 ; [ebp+422] = 00404435: saved image base; nonzero means the stub already ran once
00404029 899D 22040000 mov dword ptr ss:, ebx ; [ebp+422] = image base
0040402F 0F85 65030000 jnz ASPack_2.0040439A ; already unpacked (re-entry) -> straight to the OEP jump at 0040439A
00404035 8D85 2E040000 lea eax, dword ptr ss: ; eax = [ebp+42E] = 00404441 -> "Kernel32.dll" (per the author's note below)
0040403B 50 push eax
0040403C FF95 4D0F0000 call near dword ptr ss: ; call [ebp+F4D] = GetModuleHandleA
//eax=GetModuleHandle("Kernel32.dll")
00404042 8985 26040000 mov dword ptr ss:, eax ; [ebp+426] = kernel32 module handle (compared against at 00404334)
00404048 8BF8 mov edi, eax ; keep hKernel32 in edi for the second GetProcAddress
0040404A 8D5D 5E lea ebx, dword ptr ss: ; ebx = [ebp+5E] = 00404071 -> "VirtualAlloc" (the string bytes misdecoded as code below)
0040404D 53 push ebx
0040404E 50 push eax
0040404F FF95 490F0000 call near dword ptr ss: ; call [ebp+F49] = GetProcAddress
//eax=GetProcAddress(eax,"VirtualAlloc")
00404055 8985 4D050000 mov dword ptr ss:, eax ; [ebp+54D] = VirtualAlloc
0040405B 8D5D 6B lea ebx, dword ptr ss: ; ebx = [ebp+6B] = 0040407E -> "VirtualFree"
0040405E 53 push ebx
0040405F 57 push edi
00404060 FF95 490F0000 call near dword ptr ss: ; call [ebp+F49] = GetProcAddress
//eax=GetProcAddress(eax,"VirtualFree")
00404066 8985 51050000 mov dword ptr ss:, eax ; [ebp+551] = VirtualFree
0040406C 8D45 77 lea eax, dword ptr ss: ; eax = [ebp+77] = 0040408A: first real instruction after the two strings
0040406F FFE0 jmp near eax ; jump over the embedded ASCII data
00404071 56 push esi ; --- DATA, not code: "VirtualAlloc\0" at 00404071-0040407D and "VirtualFree\0" at 0040407E-00404089 ---
00404072 6972 74 75616C4>imul esi, dword ptr ds:, 416C6175 ; (string bytes "irtualA...")
00404079 6C ins byte ptr es:, dx ; (string bytes)
0040407A 6C ins byte ptr es:, dx ; (string bytes)
0040407B 6F outs dx, dword ptr es: ; (string bytes)
0040407C 6300 arpl word ptr ds:, ax ; (string bytes: "c\0")
0040407E 56 push esi ; ("V" of "VirtualFree")
0040407F 6972 74 75616C4>imul esi, dword ptr ds:, 466C6175 ; (string bytes "irtualF...")
00404086 72 65 jb short ASPack_2.004040ED ; (string bytes "re")
00404088 65:008B 9D31050>add byte ptr gs:, cl ; misaligned decode ("e\0" then code): real code resumes at 0040408A: 8B 9D 31 05 00 00 = mov ebx, [ebp+531]
0040408F 000B add byte ptr ds:, cl ; 00404090: 0B DB = or ebx, ebx
00404091 DB ??? ; second byte of "0B DB" (or ebx,ebx), not an instruction
00404092 74 0A je short ASPack_2.0040409E ; [ebp+531] == 0 -> skip the swap below
00404094 8B03 mov eax, dword ptr ds: ; eax = *[ebp+531]
00404096 8785 35050000 xchg dword ptr ss:, eax ; swap it with the dword kept at [ebp+535]
0040409C 8903 mov dword ptr ds:, eax ; write the kept value into *[ebp+531] (read back at 004041C6; purpose not determinable from this listing)
0040409E 8DB5 69050000 lea esi, dword ptr ss: ; esi = [ebp+569] = 0040457C: section table, 8-byte entries {RVA, compressed size}
004040A4 833E 00 cmp dword ptr ds:, 0 ; RVA == 0 terminates the table
004040A7 0F84 21010000 je ASPack_2.004041CE ; nothing to decompress -> relocation stage
004040AD 6A 04 push 4 ; PAGE_READWRITE
004040AF 68 00100000 push 1000 ; MEM_COMMIT
004040B4 68 00180000 push 1800 ; fixed 0x1800-byte work buffer
004040B9 6A 00 push 0
004040BB FF95 4D050000 call near dword ptr ss: ; call [ebp+54D] = VirtualAlloc
//eax=VirtualAlloc(NULL,0x1800,MEM_COMMIT,PAGE_READWRITE)
004040C1 8985 56010000 mov dword ptr ss:, eax ; [ebp+156] = 00404169 (data slot, see 00404165 below) = "space1", the work buffer
004040C7 8B46 04 mov eax, dword ptr ds: ; eax = compressed size of this section ([esi+4]); per-section loop re-enters here
004040CA 05 0E010000 add eax, 10E ; + 0x10E slack for the output buffer
004040CF 6A 04 push 4 ; PAGE_READWRITE
004040D1 68 00100000 push 1000 ; MEM_COMMIT
004040D6 50 push eax
004040D7 6A 00 push 0
004040D9 FF95 4D050000 call near dword ptr ss: ; call [ebp+54D] = VirtualAlloc
//eax=VirtualAlloc(NULL,0x90E,MEM_COMMIT,PAGE_READWRITE)  (0x90E = this sample's first section size 0x800 + 0x10E)
004040DF 8985 52010000 mov dword ptr ss:, eax ; [ebp+152] = 00404165 = "space2", the per-section output buffer
004040E5 56 push esi ; save the section-table cursor (restored at 00404189)
004040E6 8B1E mov ebx, dword ptr ds: ; ebx = section RVA
004040E8 039D 22040000 add ebx, dword ptr ss: ; ebx = section VA (+ image base)
004040EE FFB5 56010000 push dword ptr ss: ; arg4: space1 (work buffer)
004040F4 FF76 04 push dword ptr ds: ; arg3: compressed size
004040F7 50 push eax ; arg2: space2 (output)
004040F8 53 push ebx ; arg1: section VA (compressed data, read in place)
004040F9 E8 6E050000 call ASPack_2.0040466C ; decompressor (not in this listing); from its use below it returns eax = decompressed length
004040FE B3 00 mov bl, 0 ; the 00 immediate at 004040FF is [ebp+EC]: incremented at 00404105, so this becomes "mov bl,1" after the first section
00404100 80FB 00 cmp bl, 0
00404103 75 5E jnz short ASPack_2.00404163 ; bl != 0 -> skip the E8/E9 fixup (only the first section gets it)
00404105 FE85 EC000000 inc byte ptr ss: ; self-modifying: patches the "mov bl,0" immediate so this block runs only once
0040410B 8B3E mov edi, dword ptr ds: ; edi = section RVA
0040410D 03BD 22040000 add edi, dword ptr ss: ; edi = section VA
00404113 FF37 push dword ptr ds: ; save the first dword of the section
00404115 C607 C3 mov byte ptr ds:, 0C3 ; write a RET there (needs the section to be writable)...
00404118 FFD7 call near edi ; ...and call it: returns immediately, registers (incl. eax = length) unchanged; needs the section executable. Exact purpose not determinable here
0040411A 8F07 pop dword ptr ds: ; restore the original dword
0040411C 50 push eax ; save eax/ecx/esi/ebx around the fixup pass
0040411D 51 push ecx
0040411E 56 push esi
0040411F 53 push ebx
00404120 8BC8 mov ecx, eax ; ecx = bytes left to scan
00404122 83E9 06 sub ecx, 6 ; minus 6 so a 5-byte call/jmp never reads past the end
00404125 8BB5 52010000 mov esi, dword ptr ss: ; esi = space2 (decompressed data)
0040412B 33DB xor ebx, ebx ; ebx = current offset within the section
0040412D 0BC9 or ecx, ecx ; loop head: stop when ecx <= 0 (signed check)
0040412F 74 2E je short ASPack_2.0040415F
00404131 78 2C js short ASPack_2.0040415F
00404133 AC lods byte ptr ds: ; al = next byte
00404134 3C E8 cmp al, 0E8 ; E8 = call rel32?
00404136 74 0A je short ASPack_2.00404142
00404138 EB 00 jmp short ASPack_2.0040413A
0040413A 3C E9 cmp al, 0E9 ; E9 = jmp rel32?
0040413C 74 04 je short ASPack_2.00404142
0040413E 43 inc ebx ; plain byte: advance offset
0040413F 49 dec ecx
00404140^ EB EB jmp short ASPack_2.0040412D ; CALL/JMP address filter: the packer stored call/jmp targets in absolute form (compresses better); this pass turns them back into rel32
00404142 8B06 mov eax, dword ptr ds: ; eax = the 4 operand bytes after the opcode
00404144 EB 00 jmp short ASPack_2.00404146
00404146 803E 00 cmp byte ptr ds:, 0 ; low operand byte must be 00 (marker); otherwise treat the E8/E9 as ordinary data
00404149^ 75 F3 jnz short ASPack_2.0040413E
0040414B 24 00 and al, 0 ; clear the marker byte
0040414D C1C0 18 rol eax, 18 ; rotate right 8: stored form is (absolute offset << 8) -> absolute offset
00404150 2BC3 sub eax, ebx ; rel32 = absolute offset - offset of this instruction
00404152 8906 mov dword ptr ds:, eax ; write the operand back
00404154 83C3 05 add ebx, 5 ; skip opcode + operand
00404157 83C6 04 add esi, 4
0040415A 83E9 05 sub ecx, 5
0040415D^ EB CE jmp short ASPack_2.0040412D
0040415F 5B pop ebx ; restore the registers saved at 0040411C
00404160 5E pop esi
00404161 59 pop ecx
00404162 58 pop eax
00404163 EB 08 jmp short ASPack_2.0040416D ; skip the 8 data bytes below
00404165 0000 add byte ptr ds:, al ; DATA, not code: 00404165 = [ebp+152] (space2 pointer) and 00404169 = [ebp+156] (space1 pointer), zero in the file and written by the VirtualAlloc stores above
00404167 0000 add byte ptr ds:, al ; (data)
00404169 0000 add byte ptr ds:, al ; (data: space1 pointer)
0040416B 0000 add byte ptr ds:, al ; (data)
0040416D 8BC8 mov ecx, eax ; ecx = decompressed length
0040416F 8B3E mov edi, dword ptr ds: ; edi = section RVA
00404171 03BD 22040000 add edi, dword ptr ss: ; edi = section VA (destination)
00404177 8BB5 52010000 mov esi, dword ptr ss: ; esi = space2 (source)
0040417D C1F9 02 sar ecx, 2 ; length / 4 dwords...
00404180 F3:A5 rep movs dword ptr es:, dword ptr ds:[e>; copy the decompressed data over the section
00404182 8BC8 mov ecx, eax
00404184 83E1 03 and ecx, 3 ; ...then the remaining 0-3 bytes
00404187 F3:A4 rep movs byte ptr es:, byte ptr ds:[esi>
00404189 5E pop esi ; esi = section-table cursor
0040418A 68 00800000 push 8000 ; MEM_RELEASE
0040418F 6A 00 push 0
00404191 FFB5 52010000 push dword ptr ss: ; space2
00404197 FF95 51050000 call near dword ptr ss: ; VirtualFree(space2, 0, MEM_RELEASE)
0040419D 83C6 08 add esi, 8 ; next 8-byte section entry
004041A0 833E 00 cmp dword ptr ds:, 0
004041A3^ 0F85 1EFFFFFF jnz ASPack_2.004040C7 ; loop until the zero terminator: every section is decompressed in turn
004041A9 68 00800000 push 8000 ; MEM_RELEASE
004041AE 6A 00 push 0
004041B0 FFB5 56010000 push dword ptr ss: ; space1
004041B6 FF95 51050000 call near dword ptr ss: ; VirtualFree(space1, 0, MEM_RELEASE)
004041BC 8B9D 31050000 mov ebx, dword ptr ss: ; all sections decompressed: the author's dump point. Relocations and the IAT fill still follow (see 0040424C and 00404384 before trusting a dump taken here)
004041C2 0BDB or ebx, ebx ; [ebp+531] == 0 -> nothing to read back
004041C4 74 08 je short ASPack_2.004041CE
004041C6 8B03 mov eax, dword ptr ds: ; eax = current *[ebp+531]
004041C8 8785 35050000 xchg dword ptr ss:, eax ; store it in [ebp+535]; eax now holds the value saved at 00404096 (not written back here)
004041CE 8B95 22040000 mov edx, dword ptr ss: ; edx = actual image base
004041D4 8B85 2D050000 mov eax, dword ptr ss: ; eax = [ebp+52D]: the base the image expects (presumably the original ImageBase)
004041DA 2BD0 sub edx, eax ; edx = relocation delta
004041DC 74 79 je short ASPack_2.00404257 ; loaded at the preferred base -> no relocation
004041DE 8BC2 mov eax, edx
004041E0 C1E8 10 shr eax, 10 ; ax = high word of the delta (for HIGH fixups)
004041E3 33DB xor ebx, ebx
004041E5 8BB5 39050000 mov esi, dword ptr ss: ; esi = base + [ebp+539]: relocation data, IMAGE_BASE_RELOCATION-style blocks
004041EB 03B5 22040000 add esi, dword ptr ss:
004041F1 833E 00 cmp dword ptr ds:, 0 ; block VirtualAddress == 0 -> end of relocation data
004041F4 74 61 je short ASPack_2.00404257
004041F6 8B4E 04 mov ecx, dword ptr ds: ; ecx = (SizeOfBlock - 8) / 2 = number of 16-bit entries
004041F9 83E9 08 sub ecx, 8
004041FC D1E9 shr ecx, 1
004041FE 8B3E mov edi, dword ptr ds: ; edi = VA of the page this block covers
00404200 03BD 22040000 add edi, dword ptr ss:
00404206 83C6 08 add esi, 8 ; skip the block header
00404209 66:8B1E mov bx, word ptr ds: ; entry = type:4 | offset:12
0040420C C1EB 0C shr ebx, 0C ; type
0040420F 83FB 01 cmp ebx, 1 ; 1 = IMAGE_REL_BASED_HIGH
00404212 74 0C je short ASPack_2.00404220
00404214 83FB 02 cmp ebx, 2 ; 2 = IMAGE_REL_BASED_LOW
00404217 74 16 je short ASPack_2.0040422F
00404219 83FB 03 cmp ebx, 3 ; 3 = IMAGE_REL_BASED_HIGHLOW
0040421C 74 20 je short ASPack_2.0040423E
0040421E EB 2C jmp short ASPack_2.0040424C ; any other type (e.g. 0 = ABSOLUTE padding) is ignored
00404220 66:8B1E mov bx, word ptr ds: ; HIGH: word at page+offset += high word of delta
00404223 81E3 FF0F0000 and ebx, 0FFF
00404229 66:01041F add word ptr ds:, ax ; [edi+ebx] += ax
0040422D EB 1D jmp short ASPack_2.0040424C
0040422F 66:8B1E mov bx, word ptr ds: ; LOW: word at page+offset += low word of delta
00404232 81E3 FF0F0000 and ebx, 0FFF
00404238 66:01141F add word ptr ds:, dx ; [edi+ebx] += dx
0040423C EB 0E jmp short ASPack_2.0040424C
0040423E 66:8B1E mov bx, word ptr ds: ; HIGHLOW: dword at page+offset += delta
00404241 81E3 FF0F0000 and ebx, 0FFF
00404247 01141F add dword ptr ds:, edx ; [edi+ebx] += edx
0040424A EB 00 jmp short ASPack_2.0040424C
0040424C 66:830E FF or word ptr ds:, 0FFFF ; overwrite the consumed entry with FFFF: the relocation data is destroyed as it is used, so a dump taken after this point can no longer be rebased
00404250 83C6 02 add esi, 2 ; next entry
00404253^ E2 B4 loopd short ASPack_2.00404209
00404255^ EB 9A jmp short ASPack_2.004041F1 ; next block
00404257 8B95 22040000 mov edx, dword ptr ss: ; edx = image base
0040425D 8BB5 41050000 mov esi, dword ptr ss: ; esi = [ebp+541]: RVA of a word-patch list; 0 = none
00404263 0BF6 or esi, esi
00404265 74 11 je short ASPack_2.00404278
00404267 03F2 add esi, edx
00404269 AD lods dword ptr ds: ; entry = {RVA:dword, value:word}; RVA 0 terminates
0040426A 0BC0 or eax, eax
0040426C 74 0A je short ASPack_2.00404278
0040426E 03C2 add eax, edx
00404270 8BF8 mov edi, eax ; edi = base + RVA
00404272 66:AD lods word ptr ds:
00404274 66:AB stos word ptr es: ; write the 16-bit value there
00404276^ EB F1 jmp short ASPack_2.00404269
00404278 BE 70200000 mov esi, 2070 ; esi = base + 2070: the packer's import descriptor table; 14h-byte entries laid out like IMAGE_IMPORT_DESCRIPTOR (+0 OriginalFirstThunk, +0C Name, +10 FirstThunk)
0040427D 8B95 22040000 mov edx, dword ptr ss:
00404283 03F2 add esi, edx
00404285 8B46 0C mov eax, dword ptr ds: ; eax = Name RVA (per-DLL loop re-enters here)
00404288 85C0 test eax, eax
0040428A 0F84 0A010000 je ASPack_2.0040439A ; Name == 0 -> end of table -> OEP jump
00404290 03C2 add eax, edx ; eax = DLL name VA
00404292 8BD8 mov ebx, eax
00404294 50 push eax
00404295 FF95 4D0F0000 call near dword ptr ss: ; GetModuleHandleA(dllname)
0040429B 85C0 test eax, eax
0040429D 75 07 jnz short ASPack_2.004042A6
0040429F 53 push ebx ; not loaded yet ->
004042A0 FF95 510F0000 call near dword ptr ss: ; call [ebp+F51] with the same name (presumably LoadLibraryA; not named in this listing)
004042A6 8985 45050000 mov dword ptr ss:, eax ; [ebp+545] = current module handle
004042AC C785 49050000 0>mov dword ptr ss:, 0 ; [ebp+549] = thunk index * 4
004042B6 8B95 22040000 mov edx, dword ptr ss: ; per-function loop: walk this DLL's thunks and fill the IAT
004042BC 8B06 mov eax, dword ptr ds: ; eax = OriginalFirstThunk RVA...
004042BE 85C0 test eax, eax
004042C0 75 03 jnz short ASPack_2.004042C5
004042C2 8B46 10 mov eax, dword ptr ds: ; ...or FirstThunk RVA when OFT is 0
004042C5 03C2 add eax, edx
004042C7 0385 49050000 add eax, dword ptr ss: ; eax = &thunk[i]
004042CD 8B18 mov ebx, dword ptr ds: ; ebx = thunk value: IMAGE_IMPORT_BY_NAME RVA, or ordinal | 80000000
004042CF 8B7E 10 mov edi, dword ptr ds: ; edi = base + FirstThunk + i*4 = the IAT slot to fill
004042D2 03FA add edi, edx
004042D4 03BD 49050000 add edi, dword ptr ss:
004042DA 85DB test ebx, ebx
004042DC 0F84 A2000000 je ASPack_2.00404384 ; zero thunk -> this DLL is done
004042E2 F7C3 00000080 test ebx, 80000000 ; ordinal flag?
004042E8 75 04 jnz short ASPack_2.004042EE
004042EA 03DA add ebx, edx ; by name: ebx = base + RVA + 2 (skip the Hint word)
004042EC 43 inc ebx
004042ED 43 inc ebx
004042EE 53 push ebx ; keep the raw value for the failure paths
004042EF 81E3 FFFFFF7F and ebx, 7FFFFFFF
004042F5 53 push ebx ; lpProcName (name pointer or ordinal)
004042F6 FFB5 45050000 push dword ptr ss: ; hModule
004042FC FF95 490F0000 call near dword ptr ss: ; GetProcAddress
00404302 85C0 test eax, eax
00404304 5B pop ebx
00404305 75 6F jnz short ASPack_2.00404376 ; resolved -> store into the IAT
00404307 F7C3 00000080 test ebx, 80000000 ; failed: by ordinal?
0040430D 75 19 jnz short ASPack_2.00404328
0040430F 57 push edi ; by-name failure: push edi, DLL name VA, name pointer, [ebp+475] (00404488, presumably a message string), edi ...
00404310 8B46 0C mov eax, dword ptr ds:
00404313 0385 22040000 add eax, dword ptr ss:
00404319 50 push eax
0040431A 53 push ebx
0040431B 8D85 75040000 lea eax, dword ptr ss:
00404321 50 push eax
00404322 57 push edi
00404323 E9 98000000 jmp ASPack_2.004043C0 ; ...and go to 004043C0 (outside this listing; presumably the error path)
00404328 81E3 FFFFFF7F and ebx, 7FFFFFFF ; ebx = ordinal
0040432E 8B85 26040000 mov eax, dword ptr ss: ; only retry manually when the module is kernel32
00404334 3985 45050000 cmp dword ptr ss:, eax
0040433A 75 24 jnz short ASPack_2.00404360
0040433C 57 push edi ; manual walk of kernel32's export table:
0040433D 8BD3 mov edx, ebx
0040433F 4A dec edx
00404340 C1E2 02 shl edx, 2 ; edx = (ordinal - 1) * 4
00404343 8B9D 45050000 mov ebx, dword ptr ss: ; ebx = hmod
00404349 8B7B 3C mov edi, dword ptr ds: ; edi = e_lfanew ([ebx+3C])
0040434C 8B7C3B 78 mov edi, dword ptr ds: ; edi = export directory RVA ([ebx+edi+78])
00404350 035C3B 1C add ebx, dword ptr ds: ; ebx = hmod + AddressOfFunctions ([ebx+edi+1C])
00404354 8B0413 mov eax, dword ptr ds: ; eax = AddressOfFunctions[ordinal-1] ([ebx+edx]); the directory's Base field (+10) is never read, so ordinal base 1 is assumed, and forwarded exports are not handled
00404357 0385 45050000 add eax, dword ptr ss: ; eax += hmod
0040435D 5F pop edi
0040435E EB 16 jmp short ASPack_2.00404376
00404360 57 push edi ; ordinal failure in another DLL: same error path, with string [ebp+4C6] (004044D9)
00404361 8B46 0C mov eax, dword ptr ds:
00404364 0385 22040000 add eax, dword ptr ss:
0040436A 50 push eax
0040436B 53 push ebx
0040436C 8D85 C6040000 lea eax, dword ptr ss:
00404372 50 push eax
00404373 57 push edi
00404374 EB 4A jmp short ASPack_2.004043C0
00404376 8907 mov dword ptr ds:, eax ; IAT[i] = resolved address
00404378 8385 49050000 0>add dword ptr ss:, 4 ; next thunk
0040437F^ E9 32FFFFFF jmp ASPack_2.004042B6 ; back to the per-function loop
00404384 8906 mov dword ptr ds:, eax ; end of this DLL. eax here is the VA of the terminating zero thunk (not 0): these three stores clobber the descriptor's OriginalFirstThunk, Name and FirstThunk, which is what makes the dump's import table unusable (anti-dump). NOP the three stores to keep the table intact and avoid ImportREC
00404386 8946 0C mov dword ptr ds:, eax ; (Name)
00404389 8946 10 mov dword ptr ds:, eax ; (FirstThunk)
0040438C 83C6 14 add esi, 14 ; next descriptor (sizeof IMAGE_IMPORT_DESCRIPTOR)
0040438F 8B95 22040000 mov edx, dword ptr ss:
00404395^ E9 EBFEFFFF jmp ASPack_2.00404285 ; next DLL
0040439A B8 00100000 mov eax, 1000 ; eax = OEP RVA (1000 for this sample; stored per file). Reached from 0040402F (re-entry) and 0040428A (imports done)
0040439F 50 push eax
004043A0 0385 22040000 add eax, dword ptr ss: ; eax = OEP VA
004043A6 59 pop ecx ; ecx = OEP RVA
004043A7 0BC9 or ecx, ecx ; ZF from here decides the jnz below (mov and popad do not touch flags)
004043A9 8985 A8030000 mov dword ptr ss:, eax ; self-modifying: writes the OEP VA into [ebp+3A8] = 004043BB, the imm32 of the "push 0" at 004043BA
004043AF 61 popad ; restore the registers saved at 00404001
004043B0 75 08 jnz short ASPack_2.004043BA ; OEP RVA != 0 -> push/retn path
004043B2 B8 01000000 mov eax, 1 ; OEP RVA == 0: return TRUE with 3 args popped (DllMain-style); not reachable here since the constant is 1000
004043B7 C2 0C00 retn 0C
004043BA 68 00000000 push 0 ; after the patch at 004043A9 this is "push <OEP VA>"
004043BF C3 retn ; retn -> OEP. Break here (or on the write to 004043BB), single-step once, dump, and set EntryPoint = OEP RVA
------------------------------------------------------------------------
【破解总结】发现 压缩壳的流程好像都是：解压各区段 → 把数据拷回区段 →（加载基址和预期基址不同时做重定位）→ 填充IAT → 然后跳向OEP
再次膜拜yaya兽

00404384 8906 mov dword ptr ds:, eax
00404386 8946 0C mov dword ptr ds:, eax
00404389 8946 10 mov dword ptr ds:, eax
这三句把每个 IID 的 OriginalFirstThunk(+0)、Name(+0C)、FirstThunk(+10) 三个字段都改写成 eax（走到这里时 eax 是 thunk 数组末尾那个 0 结尾项的 VA，并不是 0，但效果一样：原始输入表的 IID 数组被破坏了）。把这三句 nop 掉，IID 数组就能保留下来，dump 后就不需要再用 ImportREC 来修复了。
回复 1# yangbing1990 的帖子
这个简单分析也太简单了/:001
00404285 8B46 0C mov eax, dword ptr ds:
00404288 85C0 test eax, eax
0040428A 0F84 0A010000 je ASPack_2.0040439A
我是改的这个跳转 不让他填充IAT
（注意：让 0040428A 直接跳过之后，整张导入表都不会被处理，IAT 里不会写入任何函数地址，所以只能在 004043BF 的 retn 处下断然后直接 dump，不能让进程跑到 OEP，否则第一次调用 API 就会崩。dump 出来的文件还要把 EntryPoint 改成 OEP 的 RVA（这个样本是 1000），并确认 PE 头里的导入表目录确实指向壳用的那张 base+0x2070 的表，否则还是得用 ImportREC 重建。）
00404384 8906 mov dword ptr ds:, eax
00404386 8946 0C mov dword ptr ds:, eax
00404389 8946 10 mov dword ptr ds:, eax
这三个真没注意/:013
再仔细看看/:018 今天买了本汇编语言第二版在看呢。以后经常要来这里了。 不错,分析的很详细,谢谢 好的,学习下