论坛: 菜鸟乐园 标题: ASPack的脱壳实例 复制本贴地址    
作者: wish259 [wish259]    论坛用户   登录


============================================================
1. 完全解析各个程序部分的功能以及脱壳关键点;

2. 指出还原文件的大小的关键数据地址;

其实没有必要写了, ASPack的壳就那么简单, 没有SEH, 没有anti

分析按照程序流程来, 可以顺着顺序看

============================================================

01010001> 60 PUSHAD

01010002 E8 03000000 CALL notepad.0101000A

01010007 E9 db E9 <========花指令

01010008 EB 04 JMP SHORT notepad.0101000E

0101000A 5D POP EBP

0101000B 45 INC EBP

0101000C 55 PUSH EBP

0101000D C3 RETN

0101000E E8 01000000 CALL notepad.01010014

01010013 EB db EB <========花指令

01010014 5D POP EBP

01010015 BB EDFFFFFF MOV EBX,-13

0101001A 03DD ADD EBX,EBP

0101001C 81EB 00000100 SUB EBX,10000

01010022 83BD 22040000 >CMP [DWORD SS:EBP+422],0

01010029 899D 22040000 MOV [DWORD SS:EBP+422],EBX<=========保存ImageBase, 后面会用到的

0101002F 0F85 65030000 JNZ notepad.0101039A

01010035 8D85 2E040000 LEA EAX,[DWORD SS:EBP+42E]

0101003B 50 PUSH EAX

0101003C FF95 4D0F0000 CALL [DWORD SS:EBP+F4D]<===GetModuleHandleA(kernel32.dll)

01010042 8985 26040000 MOV [DWORD SS:EBP+426],EAX

01010048 8BF8 MOV EDI,EAX

0101004A 8D5D 5E LEA EBX,[DWORD SS:EBP+5E]

0101004D 53 PUSH EBX

0101004E 50 PUSH EAX

0101004F FF95 490F0000 CALL [DWORD SS:EBP+F49]<===GetProcAddress(hKernel,VirtualAlloc);

01010055 8985 4D050000 MOV [DWORD SS:EBP+54D],EAX

0101005B 8D5D 6B LEA EBX,[DWORD SS:EBP+6B]

0101005E 53 PUSH EBX

0101005F 57 PUSH EDI

01010060 FF95 490F0000 CALL [DWORD SS:EBP+F49]<===GetProcAddress(hKernel,VirtualFree);

01010066 8985 51050000 MOV [DWORD SS:EBP+551],EAX

0101006C 8D45 77 LEA EAX,[DWORD SS:EBP+77]

0101006F FFE0 JMP EAX

0101008A 8B9D 31050000 MOV EBX,[DWORD SS:EBP+531]

01010090 0BDB OR EBX,EBX

01010092 74 0A JE SHORT notepad.0101009E

01010094 8B03 MOV EAX,[DWORD DS:EBX]

01010096 8785 35050000 XCHG [DWORD SS:EBP+535],EAX

0101009C 8903 MOV [DWORD DS:EBX],EAX

0101009E 8DB5 69050000 LEA ESI,[DWORD SS:EBP+569]

010100A4 833E 00 CMP [DWORD DS:ESI],0<=======这个地方是比较重要的数据

<==========================================================是还原文件源大小的重要数据

<==========================================================数据格式为:

<==========================================================RVA (相对虚拟地址)

<==========================================================Size(解码后的大小, 也就是物理大小)

<==========================================================这是在还原原大小时可以用到, 否则也没用

010100A7 0F84 21010000 JE notepad.010101CE

010100AD 6A 04 PUSH 4

010100AF 68 00100000 PUSH 1000

010100B4 68 00180000 PUSH 1800

010100B9 6A 00 PUSH 0

010100BB FF95 4D050000 CALL [DWORD SS:EBP+54D]====>分配解码缓冲区

010100C1 8985 56010000 MOV [DWORD SS:EBP+156],EAX

010100C7 8B46 04 MOV EAX,[DWORD DS:ESI+4]

010100CA 05 0E010000 ADD EAX,10E

010100CF 6A 04 PUSH 4

010100D1 68 00100000 PUSH 1000

010100D6 50 PUSH EAX

010100D7 6A 00 PUSH 0

010100D9 FF95 4D050000 CALL [DWORD SS:EBP+54D]====>分配输出缓冲区

010100DF 8985 52010000 MOV [DWORD SS:EBP+152],EAX

010100E5 56 PUSH ESI

010100E6 8B1E MOV EBX,[DWORD DS:ESI]

010100E8 039D 22040000 ADD EBX,[DWORD SS:EBP+422]

010100EE FFB5 56010000 PUSH [DWORD SS:EBP+156]

010100F4 FF76 04 PUSH [DWORD DS:ESI+4]

010100F7 50 PUSH EAX

010100F8 53 PUSH EBX

010100F9 E8 6E050000 CALL notepad.0101066C<=====解码数据DeCode(outBuf,inBuf,size,buf)

<=============================================================使用的aPlib的解码库

010100FE B3 00 MOV BL,0

01010100 80FB 00 CMP BL,0

01010103 75 5E JNZ SHORT notepad.01010163<===是否为第一次解码

01010105 FE85 EC000000 INC [BYTE SS:EBP+EC]

0101010B 8B3E MOV EDI,[DWORD DS:ESI]

0101010D 03BD 22040000 ADD EDI,[DWORD SS:EBP+422]

01010113 FF37 PUSH [DWORD DS:EDI]

01010115 C607 C3 MOV [BYTE DS:EDI],0C3

01010118 FFD7 CALL EDI

0101011A 8F07 POP [DWORD DS:EDI]

0101011C 50 PUSH EAX

0101011D 51 PUSH ECX

0101011E 56 PUSH ESI

0101011F 53 PUSH EBX

01010120 8BC8 MOV ECX,EAX

01010122 83E9 06 SUB ECX,6

01010125 8BB5 52010000 MOV ESI,[DWORD SS:EBP+152]

0101012B 33DB XOR EBX,EBX

0101012D 0BC9 OR ECX,ECX

0101012F 74 2E JE SHORT notepad.0101015F

01010131 78 2C JS SHORT notepad.0101015F

01010133 AC LODS [BYTE DS:ESI]

01010134 3C E8 CMP AL,0E8

01010136 74 0A JE SHORT notepad.01010142

01010138 EB 00 JMP SHORT notepad.0101013A

0101013A 3C E9 CMP AL,0E9

0101013C 74 04 JE SHORT notepad.01010142

0101013E 43 INC EBX

0101013F 49 DEC ECX

01010140 ^EB EB JMP SHORT notepad.0101012D

01010142 8B06 MOV EAX,[DWORD DS:ESI]

01010144 EB 00 JMP SHORT notepad.01010146

01010146 803E 07 CMP [BYTE DS:ESI],7

01010149 ^75 F3 JNZ SHORT notepad.0101013E

0101014B 24 00 AND AL,0

0101014D C1C0 18 ROL EAX,18

01010150 2BC3 SUB EAX,EBX

01010152 8906 MOV [DWORD DS:ESI],EAX

01010154 83C3 05 ADD EBX,5

01010157 83C6 04 ADD ESI,4

0101015A 83E9 05 SUB ECX,5

0101015D ^EB CE JMP SHORT notepad.0101012D

0101015F 5B POP EBX

01010160 5E POP ESI

01010161 59 POP ECX

01010162 58 POP EAX

01010163 EB 08 JMP SHORT notepad.0101016D

0101016D 8BC8 MOV ECX,EAX

0101016F 8B3E MOV EDI,[DWORD DS:ESI]

01010171 03BD 22040000 ADD EDI,[DWORD SS:EBP+422]

01010177 8BB5 52010000 MOV ESI,[DWORD SS:EBP+152]

0101017D C1F9 02 SAR ECX,2

01010180 F3:A5 REP MOVS [DWORD ES:EDI],[DWORD DS:ESI]<====将解码后的数据写回

01010182 8BC8 MOV ECX,EAX

01010184 83E1 03 AND ECX,3

01010187 F3:A4 REP MOVS [BYTE ES:EDI],[BYTE DS:ESI]<====将解码后的数据写回

01010189 5E POP ESI

0101018A 68 00800000 PUSH 8000

0101018F 6A 00 PUSH 0

01010191 FFB5 52010000 PUSH [DWORD SS:EBP+152]

01010197 FF95 51050000 CALL [DWORD SS:EBP+551]<====释放输出缓冲区

0101019D 83C6 08 ADD ESI,8

010101A0 833E 00 CMP [DWORD DS:ESI],0<=======ESI重要数据哟!

010101A3 ^0F85 1EFFFFFF JNZ notepad.010100C7<=======循环解码

010101A9 68 00800000 PUSH 8000

010101AE 6A 00 PUSH 0

010101B0 FFB5 56010000 PUSH [DWORD SS:EBP+156]

010101B6 FF95 51050000 CALL [DWORD SS:EBP+551]<====释放解码缓冲区

010101BC 8B9D 31050000 MOV EBX,[DWORD SS:EBP+531]

010101C2 0BDB OR EBX,EBX

010101C4 74 08 JE SHORT notepad.010101CE

010101C6 8B03 MOV EAX,[DWORD DS:EBX]

010101C8 8785 35050000 XCHG [DWORD SS:EBP+535],EAX

010101CE 8B95 22040000 MOV EDX,[DWORD SS:EBP+422]

010101D4 8B85 2D050000 MOV EAX,[DWORD SS:EBP+52D]

010101DA 2BD0 SUB EDX,EAX

010101DC 74 79 JE SHORT notepad.01010257

<=======================下面这一段不知道干什么的, 到如今还没执行过=========>

010101DE 8BC2 MOV EAX,EDX

010101E0 C1E8 10 SHR EAX,10

010101E3 33DB XOR EBX,EBX

010101E5 8BB5 39050000 MOV ESI,[DWORD SS:EBP+539]

010101EB 03B5 22040000 ADD ESI,[DWORD SS:EBP+422]

010101F1 833E 00 CMP [DWORD DS:ESI],0

010101F4 74 61 JE SHORT notepad.01010257

010101F6 8B4E 04 MOV ECX,[DWORD DS:ESI+4]

010101F9 83E9 08 SUB ECX,8

010101FC D1E9 SHR ECX,1

010101FE 8B3E MOV EDI,[DWORD DS:ESI]

01010200 03BD 22040000 ADD EDI,[DWORD SS:EBP+422]

01010206 83C6 08 ADD ESI,8

01010209 66:8B1E MOV BX,[WORD DS:ESI]

0101020C C1EB 0C SHR EBX,0C

0101020F 83FB 01 CMP EBX,1

01010212 74 0C JE SHORT notepad.01010220

01010214 83FB 02 CMP EBX,2

01010217 74 16 JE SHORT notepad.0101022F

01010219 83FB 03 CMP EBX,3

0101021C 74 20 JE SHORT notepad.0101023E

0101021E EB 2C JMP SHORT notepad.0101024C

01010220 66:8B1E MOV BX,[WORD DS:ESI]

01010223 81E3 FF0F0000 AND EBX,0FFF

01010229 66:01041F ADD [WORD DS:EDI+EBX],AX

0101022D EB 1D JMP SHORT notepad.0101024C

0101022F 66:8B1E MOV BX,[WORD DS:ESI]

01010232 81E3 FF0F0000 AND EBX,0FFF

01010238 66:01141F ADD [WORD DS:EDI+EBX],DX

0101023C EB 0E JMP SHORT notepad.0101024C

0101023E 66:8B1E MOV BX,[WORD DS:ESI]

01010241 81E3 FF0F0000 AND EBX,0FFF

01010247 01141F ADD [DWORD DS:EDI+EBX],EDX

0101024A EB 00 JMP SHORT notepad.0101024C

0101024C 66:830E FF OR [WORD DS:ESI],0FFFF

01010250 83C6 02 ADD ESI,2

01010253 ^E2 B4 LOOPD SHORT notepad.01010209

01010255 ^EB 9A JMP SHORT notepad.010101F1

01010257 8B95 22040000 MOV EDX,[DWORD SS:EBP+422]

0101025D 8BB5 41050000 MOV ESI,[DWORD SS:EBP+541]

01010263 0BF6 OR ESI,ESI

01010265 74 11 JE SHORT notepad.01010278

01010267 03F2 ADD ESI,EDX

01010269 AD LODS [DWORD DS:ESI]

0101026A 0BC0 OR EAX,EAX

0101026C 74 0A JE SHORT notepad.01010278

0101026E 03C2 ADD EAX,EDX

01010270 8BF8 MOV EDI,EAX

01010272 66:AD LODS [WORD DS:ESI]

01010274 66:AB STOS [WORD ES:EDI]

01010276 ^EB F1 JMP SHORT notepad.01010269

 

01010278 BE 50660000 MOV ESI,6650<===============Import Table

<========================这个是原始导入表的入口

<========================在程序入口的这个偏移, 肯定没错

<========================乘现在导入表还没覆盖dumper之

0101027D 8B95 22040000 MOV EDX,[DWORD SS:EBP+422]

01010283 03F2 ADD ESI,EDX

01010285 8B46 0C MOV EAX,[DWORD DS:ESI+C]

01010288 85C0 TEST EAX,EAX

0101028A 0F84 0A010000 JE notepad.0101039A

01010290 03C2 ADD EAX,EDX

01010292 8BD8 MOV EBX,EAX

01010294 50 PUSH EAX

01010295 FF95 4D0F0000 CALL [DWORD SS:EBP+F4D]

0101029B 85C0 TEST EAX,EAX

0101029D 75 07 JNZ SHORT notepad.010102A6

0101029F 53 PUSH EBX

010102A0 FF95 510F0000 CALL [DWORD SS:EBP+F51]

010102A6 8985 45050000 MOV [DWORD SS:EBP+545],EAX

010102AC C785 49050000 >MOV [DWORD SS:EBP+549],0

010102B6 8B95 22040000 MOV EDX,[DWORD SS:EBP+422]

010102BC 8B06 MOV EAX,[DWORD DS:ESI]

010102BE 85C0 TEST EAX,EAX

010102C0 75 03 JNZ SHORT notepad.010102C5

010102C2 8B46 10 MOV EAX,[DWORD DS:ESI+10]

010102C5 03C2 ADD EAX,EDX

010102C7 0385 49050000 ADD EAX,[DWORD SS:EBP+549]

010102CD 8B18 MOV EBX,[DWORD DS:EAX]

010102CF 8B7E 10 MOV EDI,[DWORD DS:ESI+10]

010102D2 03FA ADD EDI,EDX

010102D4 03BD 49050000 ADD EDI,[DWORD SS:EBP+549]

010102DA 85DB TEST EBX,EBX

010102DC 0F84 A2000000 JE notepad.01010384

010102E2 F7C3 00000080 TEST EBX,80000000

010102E8 75 04 JNZ SHORT notepad.010102EE

010102EA 03DA ADD EBX,EDX

010102EC 43 INC EBX

010102ED 43 INC EBX

010102EE 53 PUSH EBX

010102EF 81E3 FFFFFF7F AND EBX,7FFFFFFF

010102F5 53 PUSH EBX

010102F6 FFB5 45050000 PUSH [DWORD SS:EBP+545]

010102FC FF95 490F0000 CALL [DWORD SS:EBP+F49]

01010302 85C0 TEST EAX,EAX

01010304 5B POP EBX

01010305 75 6F JNZ SHORT notepad.01010376

01010307 F7C3 00000080 TEST EBX,80000000

0101030D 75 19 JNZ SHORT notepad.01010328

0101030F 57 PUSH EDI

01010310 8B46 0C MOV EAX,[DWORD DS:ESI+C]

01010313 0385 22040000 ADD EAX,[DWORD SS:EBP+422]

01010319 50 PUSH EAX

0101031A 53 PUSH EBX

0101031B 8D85 75040000 LEA EAX,[DWORD SS:EBP+475]

01010321 50 PUSH EAX

01010322 57 PUSH EDI

01010323 E9 98000000 JMP notepad.010103C0

01010328 81E3 FFFFFF7F AND EBX,7FFFFFFF

0101032E 8B85 26040000 MOV EAX,[DWORD SS:EBP+426]

01010334 3985 45050000 CMP [DWORD SS:EBP+545],EAX

0101033A 75 24 JNZ SHORT notepad.01010360

0101033C 57 PUSH EDI

0101033D 8BD3 MOV EDX,EBX

0101033F 4A DEC EDX

01010340 C1E2 02 SHL EDX,2

01010343 8B9D 45050000 MOV EBX,[DWORD SS:EBP+545]

01010349 8B7B 3C MOV EDI,[DWORD DS:EBX+3C]

0101034C 8B7C3B 78 MOV EDI,[DWORD DS:EBX+EDI+78]

01010350 035C3B 1C ADD EBX,[DWORD DS:EBX+EDI+1C]

01010354 8B0413 MOV EAX,[DWORD DS:EBX+EDX]

01010357 0385 45050000 ADD EAX,[DWORD SS:EBP+545]

0101035D 5F POP EDI

0101035E EB 16 JMP SHORT notepad.01010376

01010360 57 PUSH EDI

01010361 8B46 0C MOV EAX,[DWORD DS:ESI+C]

01010364 0385 22040000 ADD EAX,[DWORD SS:EBP+422]

0101036A 50 PUSH EAX

0101036B 53 PUSH EBX

0101036C 8D85 C6040000 LEA EAX,[DWORD SS:EBP+4C6]

01010372 50 PUSH EAX

01010373 57 PUSH EDI

01010374 EB 4A JMP SHORT notepa

01010374 EB 4A JMP SHORT notepad.010103C0

01010376 8907 MOV [DWORD DS:EDI],EAX

01010378 8385 49050000 >ADD [DWORD SS:EBP+549],4

0101037F ^E9 32FFFFFF JMP notepad.010102B6

01010384 8906 MOV [DWORD DS:ESI],EAX

01010386 8946 0C MOV [DWORD DS:ESI+C],EAX

01010389 8946 10 MOV [DWORD DS:ESI+10],EAX

0101038C 83C6 14 ADD ESI,14

0101038F 8B95 22040000 MOV EDX,[DWORD SS:EBP+422]

01010395 ^E9 EBFEFFFF JMP notepad.01010285

0101039A B8 20640000 MOV EAX,6420

<========================这个是原始程序的入口, 也就是OEP了

<========================在程序入口的这个偏移, 肯定没错

<========================好了, 到此你已经没事了, 唯一需要的就是修复导入表入口和EP了

0101039F 50 PUSH EAX

010103A0 0385 22040000 ADD EAX,[DWORD SS:EBP+422]<====修改OEP的RVA程VA

010103A6 59 POP ECX

010103A7 0BC9 OR ECX,ECX

010103A9 8985 A8030000 MOV [DWORD SS:EBP+3A8],EAX<====+写入

010103AF 61 POPAD +

010103B0 75 08 JNZ SHORT notepad.010103BA +

010103B2 B8 01000000 MOV EAX,1 +

010103B7 C2 0C00 RETN 0C +

010103BA 68 00000000 PUSH 0=========================+

010103BF C3 RETN<==========================返回原始程序

======================================================================================

Enjoy it:)

DiKeN/iPB

======================================================================================

我相信, 看了这篇文章, 你应该会了ASPack的脱壳了.

关于完全修复, 我就不做赘述, 精通PE结构的人可以修复, 新手没有必要修复了

======================================================================================

结束语:

标准ASPack的壳, 就这样简单. 都是这样, 要还原成原样也没问题

tELock的壳, 也使用了aPLib作为其压缩引擎, 不过它有一次加密/解密

UPX也使用了aPLib这个压缩引擎.

aPLib引擎, 以前的版本没有了. 可以到http://apack.cjb.net

或者http://home19.inet.tele.dk/jibz/apack


地主 发表时间: 04-06-11 13:04

回复: lijingxi [lijingxi]   见习版主   登录
这个应该发到变成破解里面啊!

B1层 发表时间: 04-06-11 13:26

回复: jacker [jacker]   论坛用户   登录
010103B7 C2 0C00 RETN 0C +

010103BA 68 00000000 PUSH 0=========================+

010103BF C3 RETN<========================== ; 此处设置为断点. 运行后,自动中断至此.

把这些机器码作为特征码搜索就可以迅速定位在接近入口处.

B2层 发表时间: 04-06-11 14:24

论坛: 菜鸟乐园

20CN网络安全小组版权所有
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
论坛程序编写:NetDemon

粤ICP备05087286号