Packer Study 1: Packing and Unpacking with PECompact 2.x
SkyJacker
Http://blog.csdn.net/skyjacker
Email:HeMiaoYu <At> gmail.com
QQ:67705517
2007-2-5
1. Packing process
Write a simple form program, NullForm.exe, yourself.
Pack it with PECompact 2.7 (default options), producing the packed program NullFormPe.exe.
Original file and packed file information:
Original file size: 379 KB (388,096 bytes)
Original file size on disk: 384 KB (393,216 bytes)
Packed file size: 147 KB (150,528 bytes)
Packed file size on disk: 160 KB (163,840 bytes)
Aspack2.12 compression ratio: 38%
2. Unpacking process
Scan with PEiD: PECompact 2.x -> Jeremy Collake
Load it in OllyDbg; it stops at the program entry point:
00401000 > $ B8 20684600 mov eax, 00466820
00401005 . 50 push eax
00401006 . 64:FF35 00000>push dword ptr fs:[0]
0040100D . 64:8925 00000>mov dword ptr fs:[0], esp
00401014 . 33C0 xor eax, eax
00401016 . 8908 mov dword ptr [eax], ecx
Set a breakpoint: bp VirtualFree, then run // PECompact manages memory with VirtualAlloc/VirtualFree
It stops at:
7C809B14 > 8BFF mov edi, edi
7C809B16 55 push ebp
7C809B17 8BEC mov ebp, esp
7C809B19 FF75 10 push dword ptr [ebp+10]
7C809B1C FF75 0C push dword ptr [ebp+C]
7C809B1F FF75 08 push dword ptr [ebp+8]
7C809B22 6A FF push -1
7C809B24 E8 09000000 call VirtualFreeEx
7C809B29 5D pop ebp
7C809B2A C2 0C00 retn 0C
Keep pressing F8 until retn 0C, which returns to the caller:
003D0934 8B4424 20 mov eax, dword ptr [esp+20]
003D0938 5F pop edi
003D0939 5E pop esi
003D093A 5B pop ebx
003D093B 83C4 10 add esp, 10
003D093E C2 0C00 retn 0C
Continue with F8; it returns to:
003D0F91 8BC8 mov ecx, eax
003D0F93 40 inc eax
003D0F94 74 74 je short 003D100A
003D0F96 33C0 xor eax, eax
003D0F98 0345 F4 add eax, dword ptr [ebp-C]
003D0F9B 74 12 je short 003D0FAF
003D0F9D 48 dec eax
003D0F9E 8945 F4 mov dword ptr [ebp-C], eax
003D0FA1 FF75 EC push dword ptr [ebp-14]
003D0FA4 FF75 E8 push dword ptr [ebp-18]
003D0FA7 8F45 EC pop dword ptr [ebp-14]
003D0FAA 8F45 E8 pop dword ptr [ebp-18]
003D0FAD ^ EB CA jmp short 003D0F79
003D0FAF 5A pop edx
003D0FB0 56 push esi
Continue with F8:
003D0F0C 51 push ecx
003D0F0D 52 push edx
003D0F0E 56 push esi
003D0F0F 0FB746 10 movzx eax, word ptr [esi+10]
003D0F13 A9 10000000 test eax, 10
003D0F18 0F84 D6000000 je 003D0FF4 //jump taken
003D0F1E 56 push esi
003D0F1F 8BBB 191E0010 mov edi, dword ptr [ebx+10001E19]
003D0F25 897D EC mov dword ptr [ebp-14], edi
Continue with F8:
003D0FF4 5E pop esi ; 003D0A10
003D0FF5 5A pop edx
003D0FF6 59 pop ecx
003D0FF7 83C6 1C add esi, 1C
003D0FFA 49 dec ecx
003D0FFB ^ 0F85 0BFFFFFF jnz 003D0F0C //jump taken
003D1001 33C0 xor eax, eax
003D1003 5E pop esi
003D1004 5F pop edi
003D1005 5B pop ebx
003D1006 C9 leave
003D1007 C2 0400 retn 4
Continue with F8:
003D0F0C 51 push ecx
003D0F0D 52 push edx
003D0F0E 56 push esi
003D0F0F 0FB746 10 movzx eax, word ptr [esi+10]
003D0F13 A9 10000000 test eax, 10
003D0F18 0F84 D6000000 je 003D0FF4 //jump taken
F8
003D0FF4 5E pop esi
003D0FF5 5A pop edx
003D0FF6 59 pop ecx
003D0FF7 83C6 1C add esi, 1C
003D0FFA 49 dec ecx
003D0FFB ^ 0F85 0BFFFFFF jnz 003D0F0C
003D1001 33C0 xor eax, eax
003D1003 5E pop esi
003D1004 5F pop edi
003D1005 5B pop ebx
003D1006 C9 leave
003D1007 C2 0400 retn 4 //return
F8
003D0AC3 8B4E 2C mov ecx, dword ptr [esi+2C]
003D0AC6 898D 1D1E0010 mov dword ptr [ebp+10001E1D], ecx
003D0ACC 6A 40 push 40
003D0ACE 68 00100000 push 1000
003D0AD3 51 push ecx
003D0AD4 6A 00 push 0
003D0AD6 FF95 291E0010 call dword ptr [ebp+10001E29]
003D0ADC 8985 191E0010 mov dword ptr [ebp+10001E19], eax
003D0AE2 56 push esi
003D0AE3 E8 E8030000 call 003D0ED0
003D0AE8 8D8D C81C0010 lea ecx, dword ptr [ebp+10001CC8]
003D0AEE 85C0 test eax, eax
003D0AF0 0F85 94000000 jnz 003D0B8A
003D0AF6 56 push esi
003D0AF7 E8 32030000 call 003D0E2E
003D0AFC 56 push esi
003D0AFD E8 47020000 call 003D0D49
003D0B02 90 nop
003D0B03 90 nop
003D0B04 90 nop
003D0B05 90 nop
003D0B06 90 nop
003D0B07 90 nop
003D0B08 90 nop
003D0B09 90 nop
003D0B0A 90 nop
003D0B0B 90 nop
003D0B0C 90 nop
003D0B0D 90 nop
003D0B0E 90 nop
003D0B0F 90 nop
003D0B10 8B4E 34 mov ecx, dword ptr [esi+34]
003D0B13 85C9 test ecx, ecx
003D0B15 0F84 89000000 je 003D0BA4
003D0B1B 034E 08 add ecx, dword ptr [esi+8]
003D0B1E 51 push ecx
003D0B1F 56 push esi
003D0B20 E8 39060000 call 003D115E
003D0B25 85C0 test eax, eax
003D0B27 74 7B je short 003D0BA4 //jump taken
003D0B29 8B95 571A0010 mov edx, dword ptr [ebp+10001A57]
003D0B2F 8B8D 5B1A0010 mov ecx, dword ptr [ebp+10001A5B]
003D0B35 85C9 test ecx, ecx
003D0B37 75 08 jnz short 003D0B41
F8
003D0BA4 8B7B 08 mov edi, dword ptr [ebx+8] ; NullForm.00400000
003D0BA7 8BDE mov ebx, esi
003D0BA9 837B 48 01 cmp dword ptr [ebx+48], 1
003D0BAD 75 15 jnz short 003D0BC4 //jump taken
003D0BAF 8B43 0C mov eax, dword ptr [ebx+C]
003D0BB2 8B4B 40 mov ecx, dword ptr [ebx+40]
003D0BB5 8BF1 mov esi, ecx
003D0BB7 03F7 add esi, edi
003D0BB9 C606 E9 mov byte ptr [esi], 0E9
003D0BBC 83C1 05 add ecx, 5
003D0BBF 2BC1 sub eax, ecx
003D0BC1 8946 01 mov dword ptr [esi+1], eax
003D0BC4 8BF3 mov esi, ebx
003D0BC6 90 nop
F8
003D0BC4 8BF3 mov esi, ebx
003D0BC6 90 nop
003D0BC7 90 nop
003D0BC8 90 nop
003D0BC9 90 nop
003D0BCA 90 nop
003D0BCB 90 nop
003D0BCC 90 nop
003D0BCD 90 nop
003D0BCE 90 nop
003D0BCF 90 nop
003D0BD0 90 nop
003D0BD1 90 nop
003D0BD2 57 push edi
003D0BD3 E8 35070000 call 003D130D
003D0BD8 68 00800000 push 8000
003D0BDD 6A 00 push 0
003D0BDF FFB5 191E0010 push dword ptr [ebp+10001E19]
003D0BE5 FF95 2D1E0010 call dword ptr [ebp+10001E2D] //enters the function that calls VirtualFreeEx
003D0BEB 8B46 0C mov eax, dword ptr [esi+C]
003D0BEE 03C7 add eax, edi
003D0BF0 5D pop ebp
003D0BF1 5E pop esi
003D0BF2 5F pop edi
003D0BF3 5B pop ebx
003D0BF4 C3 retn
Because the VirtualFree breakpoint was not removed, execution enters:
7C809B14 > 8BFF mov edi, edi ; NullForm.00400000
7C809B16 55 push ebp
7C809B17 8BEC mov ebp, esp
7C809B19 FF75 10 push dword ptr [ebp+10]
7C809B1C FF75 0C push dword ptr [ebp+C]
7C809B1F FF75 08 push dword ptr [ebp+8]
7C809B22 6A FF push -1
7C809B24 E8 09000000 call VirtualFreeEx
7C809B29 5D pop ebp
7C809B2A C2 0C00 retn 0C
F8
004668C0 8985 FA120010 mov dword ptr [ebp+100012FA], eax ; NullForm.00453284
004668C6 8BF0 mov esi, eax
004668C8 8B4B 14 mov ecx, dword ptr [ebx+14]
004668CB 5A pop edx
004668CC EB 0C jmp short 004668DA //unconditional jump
004668CE 03CA add ecx, edx
004668D0 68 00800000 push 8000
004668D5 6A 00 push 0
004668D7 57 push edi
004668D8 FF11 call dword ptr [ecx]
004668DA 8BC6 mov eax, esi
004668DC 5A pop edx
004668DD 5E pop esi
Arriving at:
004668DA 8BC6 mov eax, esi ; NullForm.00453284
004668DC 5A pop edx
004668DD 5E pop esi
004668DE 5F pop edi
004668DF 59 pop ecx
004668E0 5B pop ebx
004668E1 5D pop ebp
004668E2 FFE0 jmp eax //EAX=$453284, the program's OEP; unpacking succeeded
//The program entry, displayed byte by byte:
//Then use OllyDump to save it as NullFormPEDump.exe.
//OllyDump automatically sets the Entry Point to $53284; run it, OK.
00453284 55 db 55 ; CHAR ‘U’
00453285 8B db 8B
00453286 EC db EC
00453287 83 db 83
00453288 C4 db C4
00453289 F0 db F0
0045328A B8 db B8
0045328B 14 db 14
0045328C 31 db 31 ; CHAR ‘1’
0045328D 45 db 45 ; CHAR ‘E’
0045328E 00 db 00
0045328F E8 db E8
00453290 80 db 80
00453291 33 db 33 ; CHAR ‘3’
00453292 FB db FB
00453293 FF db FF
00453294 A1 db A1
00453295 20 db 20 ; CHAR ‘ ‘
00453296 4F db 4F ; CHAR ‘O’
00453297 45 db 45 ; CHAR ‘E’
00453298 00 db 00
00453299 8B db 8B
0045329A 00 db 00
0045329B E8 db E8
0045329C F0 db F0
0045329D E6 db E6
0045329E FF db FF
0045329F FF db FF
004532A0 8B db 8B
004532A1 0D db 0D
004532A2 FC db FC
004532A3 4F db 4F ; CHAR ‘O’
004532A4 45 db 45 ; CHAR ‘E’
004532A5 00 db 00
004532A6 A1 db A1
004532A7 20 db 20 ; CHAR ‘ ‘
004532A8 4F db 4F ; CHAR ‘O’
004532A9 45 db 45 ; CHAR ‘E’
004532AA 00 db 00
004532AB 8B db 8B
004532AC 00 db 00
004532AD 8B db 8B
004532AE 15 db 15
004532AF EC db EC
004532B0 2E db 2E ; CHAR ‘.’
004532B1 45 db 45 ; CHAR ‘E’
004532B2 00 db 00
004532B3 E8 db E8
004532B4 F0 db F0
004532B5 E6 db E6
004532B6 FF db FF
004532B7 FF db FF
004532B8 A1 db A1
004532B9 20 db 20 ; CHAR ‘ ‘
004532BA 4F db 4F ; CHAR ‘O’
004532BB 45 db 45 ; CHAR ‘E’
004532BC 00 db 00
004532BD 8B db 8B
004532BE 00 db 00
004532BF E8 db E8
004532C0 64 db 64 ; CHAR ‘d’
004532C1 E7 db E7
004532C2 FF db FF
004532C3 FF db FF
004532C4 E8 db E8
004532C5 AB db AB
004532C6 0E db 0E
004532C7 FB db FB
004532C8 FF db FF
004532C9 8D db 8D
004532CA 40 db 40 ; CHAR ‘@’
004532CB 00 db 00
004532CC 00 db 00
004532CD 00 db 00
004532CE 00 db 00
004532CF 00 db 00
004532D0 00 db 00
004532D1 00 db 00
004532D2 00 db 00
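The two address calculations this walkthrough relies on, as an added example in C that is not part of the original post: the VA-to-RVA conversion behind OllyDump's new Entry Point ($453284 -> $53284), decoding the rel32 call at 0045328F from the OEP bytes listed above, and the rel32 jmp encoding the stub performs at 003D0BB9..003D0BC1 (E9 followed by dst - (src + 5)). The 16 sample bytes are copied from the OEP listing; the 0x1000/0x2000 RVAs used for the jmp are constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Image base of NullForm.exe as shown in the OllyDbg listing (NullForm.00400000). */
#define IMAGE_BASE 0x00400000u

/* Constructed sample: the first 16 bytes OllyDbg displayed at the OEP 00453284
   (push ebp / mov ebp,esp / add esp,-10 / mov eax,00453114 / call rel32). */
static const uint8_t oep_bytes[16] = {
    0x55, 0x8B, 0xEC, 0x83, 0xC4, 0xF0, 0xB8, 0x14, 0x31, 0x45, 0x00,
    0xE8, 0x80, 0x33, 0xFB, 0xFF
};

/* Little-endian 32-bit read/write helpers, independent of host byte order. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* VA -> RVA: the value OllyDump writes into AddressOfEntryPoint ($453284 -> $53284). */
uint32_t va_to_rva(uint32_t va) { return va - IMAGE_BASE; }

/* A Delphi/VCL-style entry prologue (push ebp; mov ebp,esp), as seen at the OEP here. */
int looks_like_oep(const uint8_t *p, size_t n) {
    return n >= 3 && p[0] == 0x55 && p[1] == 0x8B && p[2] == 0xEC;
}

/* Destination of an E8 (call) or E9 (jmp) rel32 instruction located at va:
   target = va + 5 + rel32; unsigned wraparound handles the backward (negative) case. */
uint32_t rel32_target(const uint8_t *insn, uint32_t va) {
    return va + 5 + rd32(insn + 1);
}

/* Mirrors the stub at 003D0BB9..003D0BC1: write E9 + (dst_rva - (src_rva + 5)),
   i.e. a 5-byte jmp placed at image_base + src_rva that lands at image_base + dst_rva. */
void encode_jmp(uint8_t out[5], uint32_t src_rva, uint32_t dst_rva) {
    out[0] = 0xE9;
    wr32(out + 1, dst_rva - (src_rva + 5));
}

int main(void) {
    uint8_t jmp[5];
    encode_jmp(jmp, 0x1000, 0x2000); /* constructed RVAs */
    printf("OEP RVA %05X, prologue ok=%d, first call -> %08X, jmp rel32=%08X\n",
           va_to_rva(0x00453284), looks_like_oep(oep_bytes, sizeof oep_bytes),
           rel32_target(oep_bytes + 11, 0x0045328F), rd32(jmp + 1));
    return 0;
}
```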
If reposting, please retain the source: https://bianchenghao.cn/33950.html