UPX 脱壳，怎么搞，有这么难吗？？？

taoszyz · 发表于 2009-5-21 22:04:13

PEID V0.95 测为UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo [Overlay]

搞了一天了，还没搞定，请高手们指点

004A81E8 8B07          mov    eax, dword ptr [edi]
004A81EA 8A5F 04       mov    bl, byte ptr [edi+4]
004A81ED 66:C1E8 08    shr    ax, 8
004A81F1 C1C0 10       rol    eax, 10
004A81F4 86C4          xchg ah, al
004A81F6 29F8          sub    eax, edi
004A81F8 80EB E8       sub    bl, 0E8
004A81FB 01F0          add    eax, esi
004A81FD 8907          mov    dword ptr [edi], eax
004A81FF 83C7 05       add    edi, 5
004A8202 88D8          mov    al, bl
004A8204  ^ E2 D9          loopd short 004A81DF
004A8206 8DBE 00400A00 lea    edi, dword ptr [esi+A4000]
004A820C 8B07          mov    eax, dword ptr [edi]
004A820E 09C0          or    eax, eax
004A8210 74 45          je    short 004A8257
004A8212 8B5F 04       mov    ebx, dword ptr [edi+4]
004A8215 8D8430 0C930A00 lea    eax, dword ptr [eax+esi+A930C]
004A821C 01F3          add    ebx, esi
004A821E 50             push eax
004A821F 83C7 08       add    edi, 8
004A8222 FF96 60940A00 call dword ptr [esi+A9460]
004A8228 95             xchg eax, ebp
004A8229 8A07          mov    al, byte ptr [edi]
004A822B 47             inc    edi
004A822C 08C0          or    al, al
004A822E  ^ 74 DC          je    short 004A820C
004A8230 89F9          mov    ecx, edi
004A8232 79 07          jns    short 004A823B
004A8234 0FB707       movzx eax, word ptr [edi]
004A8237 47             inc    edi
004A8238 50             push eax
004A8239 47             inc    edi
004A823A B9 5748F2AE    mov    ecx, AEF24857
004A823F 55             push ebp
004A8240 FF96 64940A00 call dword ptr [esi+A9464]
004A8246 09C0          or    eax, eax
004A8248 74 07          je    short 004A8251
004A824A 8903          mov    dword ptr [ebx], eax
004A824C 83C3 04       add    ebx, 4
004A824F  ^ EB D8          jmp    short 004A8229
004A8251 FF96 74940A00 call dword ptr [esi+A9474]
004A8257 8BAE 68940A00 mov    ebp, dword ptr [esi+A9468]
004A825D 8DBE 00F0FFFF lea    edi, dword ptr [esi-1000]
004A8263 BB 00100000    mov    ebx, 1000
004A8268 50             push eax
004A8269 54             push esp
004A826A 6A 04          push 4
004A826C 53             push ebx
004A826D 57             push edi                            ; bbx003.00400000
004A826E FFD5          call ebp
004A8270 8D87 17020000 lea    eax, dword ptr [edi+217]
004A8276 8020 7F       and    byte ptr [eax], 7F
004A8279 8060 28 7F    and    byte ptr [eax+28], 7F
004A827D 58             pop    eax
004A827E 50             push eax
004A827F 54             push esp
004A8280 50             push eax
004A8281 53             push ebx
004A8282 57             push edi
004A8283 FFD5          call ebp
004A8285 58             pop    eax
004A8286 61             popad                                           ------出壳
004A8287 8D4424 80    lea    eax, dword ptr [esp-80]
004A828B 6A 00          push 0
004A828D 39C4          cmp    esp, eax
004A828F  ^ 75 FA          jnz    short 004A828B
004A8291 83EC 80       sub    esp, -80
004A8294  - E9 D7F4F6FF    jmp    00417770
004A8299 0000          add    byte ptr [eax], al
004A829B 0000          add    byte ptr [eax], al

我在向下我怎么也找不到oep

glts · 发表于 2009-5-22 11:17:53

004A8286 61             popad                                           ------出壳
004A8287 8D4424 80    lea    eax, dword ptr [esp-80]
004A828B 6A 00          push 0
004A828D 39C4          cmp    esp, eax
004A828F  ^ 75 FA          jnz    short 004A828B
004A8291 83EC 80       sub    esp, -80
004A8294  - E9 D7F4F6FF    jmp    00417770 //清除之前你所下的所有断点后F4运行到此行。F8就到OEP了
004A8299 0000          add    byte ptr [eax], al
004A829B 0000          add    byte ptr [eax], al
＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
晕这么简单的东西随便搜索一下论坛的贴子都有。

Nisy · 发表于 2009-5-22 11:26:09

004A8286 61             popad                                           ------出壳
004A8287 8D4424 80    lea    eax, dword ptr [esp-80]
004A828B 6A 00          push 0
004A828D 39C4          cmp    esp, eax
004A828F  ^ 75 FA          jnz    short 004A828B
004A8291 83EC 80       sub    esp, -80
004A8294  - E9 D7F4F6FF    jmp    00417770

popad 是解码完成恢复寄存器数据下边的jmp指令将跳向OEP 过两天我们公开教学班的基础视频

HDd1145 · 发表于 2009-5-22 13:15:20

提示: 作者被禁止或删除内容自动屏蔽

taoszyz · 发表于 2009-5-22 16:57:09

谢谢楼上分析,是的,
004A8294  - E9 D7F4F6FF    jmp    00417770 F8就到OEP了

00417770 E8 C4AF0000    CALL bbx003.00422739
00417775  ^ E9 79FEFFFF    JMP bbx003.004175F3
0041777A 8BFF          MOV EDI,EDI
0041777C 55             PUSH EBP
0041777D 8BEC          MOV EBP,ESP
0041777F 8BC1          MOV EAX,ECX
00417781 8B4D 08       MOV ECX,DWORD PTR SS:[EBP+8]
00417784 C700 88DA4700 MOV DWORD PTR DS:[EAX],bbx003.0047DA88
0041778A 8B09          MOV ECX,DWORD PTR DS:[ECX]
0041778C 8360 08 00    AND DWORD PTR DS:[EAX+8],0
00417790 8948 04       MOV DWORD PTR DS:[EAX+4],ECX
00417793 5D             POP EBP
00417794 C2 0800       RETN 8
00417797 8BFF          MOV EDI,EDI
00417799 55             PUSH EBP
0041779A 8BEC          MOV EBP,ESP
0041779C 53             PUSH EBX
0041779D 8B5D 08       MOV EBX,DWORD PTR SS:[EBP+8]
004177A0 56             PUSH ESI
004177A1 8BF1          MOV ESI,ECX
004177A3 C706 88DA4700 MOV DWORD PTR DS:[ESI],bbx003.0047DA88
004177A9 8B43 08       MOV EAX,DWORD PTR DS:[EBX+8]
004177AC 8946 08       MOV DWORD PTR DS:[ESI+8],EAX
004177AF 85C0          TEST EAX,EAX
004177B1 8B43 04       MOV EAX,DWORD PTR DS:[EBX+4]
004177B4 57             PUSH EDI
004177B5 74 31          JE SHORT bbx003.004177E8
004177B7 85C0          TEST EAX,EAX
004177B9 74 27          JE SHORT bbx003.004177E2
004177BB 50             PUSH EAX
004177BC E8 EFD3FFFF    CALL bbx003.00414BB0
004177C1 8BF8          MOV EDI,EAX
004177C3 47             INC EDI
004177C4 57             PUSH EDI
004177C5 E8 10D3FFFF    CALL bbx003.00414ADA
004177CA 59             POP ECX
004177CB 59             POP ECX
004177CC 8946 04       MOV DWORD PTR DS:[ESI+4],EAX
004177CF 85C0          TEST EAX,EAX
004177D1 74 18          JE SHORT bbx003.004177EB
004177D3 FF73 04       PUSH DWORD PTR DS:[EBX+4]
004177D6 57             PUSH EDI
004177D7 50             PUSH EAX
004177D8 E8 F2AF0000    CALL bbx003.004227CF
004177DD 83C4 0C       ADD ESP,0C
004177E0 EB 09          JMP SHORT bbx003.004177EB
004177E2 8366 04 00    AND DWORD PTR DS:[ESI+4],0
004177E6 EB 03          JMP SHORT bbx003.004177EB
004177E8 8946 04       MOV DWORD PTR DS:[ESI+4],EAX
004177EB 5F             POP EDI
004177EC 8BC6          MOV EAX,ESI
004177EE 5E             POP ESI
004177EF 5B             POP EBX
004177F0 5D             POP EBP
004177F1 C2 0400       RETN 4
004177F4 8379 08 00    CMP DWORD PTR DS:[ECX+8],0
004177F8 C701 88DA4700 MOV DWORD PTR DS:[ECX],bbx003.0047DA88
004177FE 74 09          JE SHORT bbx003.00417809
00417800 FF71 04       PUSH DWORD PTR DS:[ECX+4]

可我这后dump后,运行不了,不知道为什么,请指点

[ 本帖最后由 taoszyz 于 2009-5-23 08:06 编辑 ]

		自动登录	找回密码
密码			加入我们

UPX 脱壳，怎么搞，有这么难吗？？？

本帖子中包含更多资源

相关帖子