======================================================================================
本文也同时发布在iPB论坛-[脱壳专题], 希望你能够喜欢
DiKeN/iPB
======================================================================================
1. 完全解析各个程序部分的功能以及脱壳关键点;
2. 指出还原文件的大小的关键数据地址;
其实没有必要写了, ASPack的壳就那么简单,
没有SEH, 没有anti
分析按照程序流程来, 可以顺着顺序看
======================================================================================
01010001> 60 PUSHAD
01010002
E8 03000000 CALL notepad.0101000A
01010007 E9
db E9 <========花指令
01010008 EB 04
JMP SHORT notepad.0101000E
0101000A 5D
POP EBP
0101000B 45
INC EBP
0101000C 55
PUSH EBP
0101000D C3
RETN
0101000E E8 01000000 CALL notepad.01010014
01010013 EB db EB <========花指令
01010014 5D
POP EBP
01010015
BB EDFFFFFF MOV EBX,-13
0101001A
03DD ADD EBX,EBP
0101001C
81EB 00000100 SUB EBX,10000
01010022 83BD 22040000 >CMP [DWORD SS:EBP+422],0
01010029 899D 22040000 MOV [DWORD SS:EBP+422],EBX<=========保存ImageBase(实际加载基址, 上面由EBP-13h-10000h算出), 后面会用到的
0101002F 0F85 65030000 JNZ notepad.0101039A<=========用的是01010022处CMP的结果(MOV不改标志): 若[EBP+422]已经非0, 就直接跳到0101039A
01010035
8D85 2E040000 LEA EAX,[DWORD SS:EBP+42E]
0101003B 50
PUSH EAX
0101003C
FF95 4D0F0000 CALL [DWORD SS:EBP+F4D]<===GetModuleHandleA('kernel32.dll')
01010042 8985 26040000 MOV
[DWORD SS:EBP+426],EAX
01010048
8BF8 MOV EDI,EAX
0101004A
8D5D 5E LEA EBX,[DWORD
SS:EBP+5E]
0101004D 53
PUSH EBX
0101004E
50 PUSH EAX
0101004F
FF95 490F0000 CALL [DWORD SS:EBP+F49]<===GetProcAddress(hKernel,'VirtualAlloc');
01010055 8985 4D050000 MOV
[DWORD SS:EBP+54D],EAX
0101005B
8D5D 6B LEA EBX,[DWORD SS:EBP+6B]
0101005E
53
PUSH EBX
0101005F 57
PUSH EDI
01010060
FF95 490F0000 CALL [DWORD SS:EBP+F49]<===GetProcAddress(hKernel,'VirtualFree');
01010066 8985 51050000 MOV
[DWORD SS:EBP+551],EAX
0101006C
8D45 77 LEA EAX,[DWORD SS:EBP+77]
0101006F
FFE0 JMP
EAX
0101008A 8B9D 31050000
MOV EBX,[DWORD SS:EBP+531]
01010090
0BDB OR EBX,EBX
01010092
74 0A JE SHORT notepad.0101009E
01010094 8B03
MOV EAX,[DWORD DS:EBX]
01010096
8785 35050000 XCHG [DWORD SS:EBP+535],EAX
0101009C
8903 MOV
[DWORD DS:EBX],EAX
0101009E 8DB5
69050000 LEA ESI,[DWORD SS:EBP+569]
010100A4 833E 00 CMP [DWORD DS:ESI],0<=======这个地方是比较重要的数据
<==========================================================是还原文件原大小的重要数据
<==========================================================数据格式为(每项8字节, 见0101019D处的ADD ESI,8, 以RVA为0的项结束):
<==========================================================RVA (相对虚拟地址, [ESI])
<==========================================================Size(解码后的大小, 也就是物理大小, [ESI+4])
<==========================================================这是在还原原大小时可以用到, 否则也没用
010100A7 0F84 21010000
JE notepad.010101CE
010100AD 6A
04 PUSH 4
010100AF
68 00100000 PUSH 1000
010100B4
68 00180000 PUSH 1800
010100B9
6A 00 PUSH
0
010100BB FF95 4D050000 CALL
[DWORD SS:EBP+54D]====>分配解码缓冲区
010100C1
8985 56010000 MOV [DWORD SS:EBP+156],EAX
010100C7
8B46 04 MOV EAX,[DWORD
DS:ESI+4]
010100CA 05 0E010000
ADD EAX,10E
010100CF 6A 04
PUSH 4
010100D1
68 00100000 PUSH 1000
010100D6
50 PUSH EAX
010100D7
6A 00 PUSH
0
010100D9 FF95 4D050000 CALL
[DWORD SS:EBP+54D]====>分配输出缓冲区
010100DF
8985 52010000 MOV [DWORD SS:EBP+152],EAX
010100E5
56 PUSH ESI
010100E6 8B1E
MOV EBX,[DWORD DS:ESI]
010100E8
039D 22040000 ADD EBX,[DWORD SS:EBP+422]
010100EE
FFB5 56010000 PUSH [DWORD SS:EBP+156]
010100F4 FF76 04
PUSH [DWORD DS:ESI+4]
010100F7
50 PUSH EAX
010100F8
53 PUSH EBX
010100F9 E8 6E050000 CALL notepad.0101066C<=====解码数据DeCode(outBuf,inBuf,size,buf)
<=============================================================使用的是aPLib的解码库
<=============================================================按压栈顺序: EBX=段内压缩数据(RVA+ImageBase), EAX=输出缓冲区[EBP+152], [ESI+4]=大小, [EBP+156]=工作缓冲区
010100FE B3 00 MOV BL,0
01010100 80FB 00 CMP BL,0
01010103 75 5E JNZ SHORT notepad.01010163<===是否为第一次解码
<===这里的MOV BL,0看起来永远为0, 其实下一条INC改的就是它的立即数: EBP=01010013, EBP+EC=010100FF, 正是B3 00里的那个00
<===也就是说只有第一次解码时才走下面的E8/E9修正(自修改代码)
01010105 FE85 EC000000 INC [BYTE SS:EBP+EC]
0101010B 8B3E
MOV EDI,[DWORD DS:ESI]
0101010D
03BD 22040000 ADD EDI,[DWORD SS:EBP+422]
01010113 FF37
PUSH [DWORD DS:EDI]
01010115
C607 C3 MOV [BYTE DS:EDI],0C3
01010118
FFD7 CALL EDI
0101011A 8F07
POP [DWORD DS:EDI]
0101011C
50 PUSH EAX
0101011D
51 PUSH ECX
0101011E 56
PUSH ESI
0101011F
53 PUSH EBX
01010120
8BC8 MOV
ECX,EAX
01010122 83E9 06
SUB ECX,6
01010125
8BB5 52010000 MOV ESI,[DWORD SS:EBP+152]
0101012B
33DB XOR EBX,EBX
0101012D
0BC9 OR ECX,ECX
0101012F 74 2E
JE SHORT notepad.0101015F
01010131
78 2C JS SHORT notepad.0101015F
01010133 AC
LODS [BYTE DS:ESI]
01010134
3C E8 CMP AL,0E8
01010136
74 0A JE
SHORT notepad.01010142
01010138
EB 00 JMP SHORT notepad.0101013A
0101013A
3C E9 CMP
AL,0E9
0101013C 74 04
JE SHORT notepad.01010142
0101013E
43 INC EBX
0101013F 49
DEC ECX
01010140 ^EB EB
JMP SHORT notepad.0101012D
01010142
8B06 MOV EAX,[DWORD
DS:ESI]
01010144 EB 00
JMP SHORT notepad.01010146
01010146
803E 07 CMP [BYTE DS:ESI],7
01010149 ^75 F3
JNZ SHORT notepad.0101013E
0101014B
24 00 AND AL,0
0101014D
C1C0 18 ROL EAX,18
01010150
2BC3 SUB
EAX,EBX
01010152 8906
MOV [DWORD DS:ESI],EAX
01010154
83C3 05 ADD EBX,5
01010157
83C6 04 ADD ESI,4
0101015A 83E9 05
SUB ECX,5
0101015D ^EB CE
JMP SHORT notepad.0101012D
0101015F
5B POP EBX
01010160 5E
POP ESI
01010161
59 POP ECX
01010162
58 POP EAX
01010163 EB 08
JMP SHORT notepad.0101016D
0101016D
8BC8 MOV ECX,EAX
0101016F
8B3E MOV
EDI,[DWORD DS:ESI]
01010171 03BD
22040000 ADD EDI,[DWORD SS:EBP+422]
01010177
8BB5 52010000 MOV ESI,[DWORD SS:EBP+152]
0101017D
C1F9 02 SAR ECX,2
01010180 F3:A5
REP MOVS [DWORD ES:EDI],[DWORD DS:ESI]<====将解码后的数据写回
01010182
8BC8 MOV
ECX,EAX
01010184 83E1 03
AND ECX,3
01010187
F3:A4 REP MOVS [BYTE ES:EDI],[BYTE DS:ESI]<====将解码后的数据写回
01010189 5E
POP ESI
0101018A
68 00800000 PUSH 8000
0101018F
6A 00 PUSH 0
01010191
FFB5 52010000 PUSH [DWORD SS:EBP+152]
01010197
FF95 51050000 CALL [DWORD SS:EBP+551]<====释放输出缓冲区
0101019D 83C6 08
ADD ESI,8
010101A0 833E 00
CMP [DWORD DS:ESI],0<=======ESI重要数据哟!
010101A3
^0F85 1EFFFFFF JNZ notepad.010100C7<=======循环解码
010101A9 68 00800000
PUSH 8000
010101AE 6A 00
PUSH 0
010101B0
FFB5 56010000 PUSH [DWORD SS:EBP+156]
010101B6
FF95 51050000 CALL [DWORD SS:EBP+551]<====释放解码缓冲区
010101BC 8B9D 31050000 MOV
EBX,[DWORD SS:EBP+531]
010101C2
0BDB OR EBX,EBX
010101C4
74 08 JE SHORT notepad.010101CE
010101C6 8B03
MOV EAX,[DWORD DS:EBX]
010101C8
8785 35050000 XCHG [DWORD SS:EBP+535],EAX
010101CE
8B95 22040000 MOV EDX,[DWORD SS:EBP+422]
010101D4 8B85 2D050000 MOV
EAX,[DWORD SS:EBP+52D]
010101DA
2BD0 SUB EDX,EAX
010101DC
74 79 JE SHORT notepad.01010257
<=======================下面这一段不知道干什么的, 到如今还没执行过=========>
<=======================从代码看很像是PE重定位(.reloc)处理: EDX=实际基址-[EBP+52D], 每个WORD高4位是类型(1/2/3分别加AX/DX/EDX), 低12位是偏移; 本例基址没变(EDX=0), 所以从没执行, 待确认
010101DE
8BC2 MOV
EAX,EDX
010101E0 C1E8 10
SHR EAX,10
010101E3
33DB XOR EBX,EBX
010101E5
8BB5 39050000 MOV ESI,[DWORD SS:EBP+539]
010101EB 03B5 22040000 ADD ESI,[DWORD
SS:EBP+422]
010101F1 833E 00
CMP [DWORD DS:ESI],0
010101F4
74 61 JE SHORT notepad.01010257
010101F6 8B4E 04
MOV ECX,[DWORD DS:ESI+4]
010101F9
83E9 08 SUB ECX,8
010101FC
D1E9 SHR ECX,1
010101FE 8B3E
MOV EDI,[DWORD DS:ESI]
01010200
03BD 22040000 ADD EDI,[DWORD SS:EBP+422]
01010206
83C6 08 ADD ESI,8
01010209 66:8B1E
MOV BX,[WORD DS:ESI]
0101020C
C1EB 0C SHR EBX,0C
0101020F
83FB 01 CMP EBX,1
01010212
74 0C JE
SHORT notepad.01010220
01010214
83FB 02 CMP EBX,2
01010217
74 16 JE SHORT notepad.0101022F
01010219 83FB 03
CMP EBX,3
0101021C 74 20
JE SHORT notepad.0101023E
0101021E
EB 2C JMP SHORT
notepad.0101024C
01010220 66:8B1E
MOV BX,[WORD DS:ESI]
01010223
81E3 FF0F0000 AND EBX,0FFF
01010229
66:01041F ADD [WORD DS:EDI+EBX],AX
0101022D EB 1D
JMP SHORT notepad.0101024C
0101022F
66:8B1E MOV BX,[WORD DS:ESI]
01010232
81E3 FF0F0000 AND EBX,0FFF
01010238
66:01141F ADD [WORD DS:EDI+EBX],DX
0101023C EB 0E
JMP SHORT notepad.0101024C
0101023E
66:8B1E MOV BX,[WORD DS:ESI]
01010241
81E3 FF0F0000 AND EBX,0FFF
01010247
01141F ADD [DWORD
DS:EDI+EBX],EDX
0101024A EB 00
JMP SHORT notepad.0101024C
0101024C
66:830E FF OR [WORD DS:ESI],0FFFF
01010250 83C6 02
ADD ESI,2
01010253 ^E2 B4
LOOPD SHORT notepad.01010209
01010255
^EB 9A JMP SHORT notepad.010101F1
01010257 8B95 22040000
MOV EDX,[DWORD SS:EBP+422]
0101025D
8BB5 41050000 MOV ESI,[DWORD SS:EBP+541]
01010263
0BF6 OR ESI,ESI
01010265
74 11 JE
SHORT notepad.01010278
01010267
03F2 ADD ESI,EDX
01010269
AD LODS [DWORD
DS:ESI]
0101026A 0BC0
OR EAX,EAX
0101026C
74 0A JE SHORT notepad.01010278
0101026E 03C2
ADD EAX,EDX
01010270 8BF8
MOV EDI,EAX
01010272
66:AD LODS [WORD DS:ESI]
01010274 66:AB
STOS [WORD ES:EDI]
01010276 ^EB
F1 JMP SHORT notepad.01010269
01010278 BE 50660000 MOV ESI,6650<===============Import Table
<========================这个是原始导入表的入口(RVA)
<========================在程序入口的这个偏移, 肯定没错
<========================趁现在导入表还没被覆盖, 先dump之(下面01010384处会改写每个描述符的[ESI]、[ESI+C]、[ESI+10])
0101027D 8B95 22040000 MOV
EDX,[DWORD SS:EBP+422]
01010283
03F2 ADD ESI,EDX
01010285
8B46 0C MOV EAX,[DWORD
DS:ESI+C]
01010288 85C0
TEST EAX,EAX
0101028A
0F84 0A010000 JE notepad.0101039A
01010290
03C2 ADD EAX,EDX
01010292
8BD8 MOV
EBX,EAX
01010294 50
PUSH EAX
01010295
FF95 4D0F0000 CALL [DWORD SS:EBP+F4D]
0101029B
85C0 TEST
EAX,EAX
0101029D 75 07
JNZ SHORT notepad.010102A6
0101029F
53 PUSH EBX
010102A0 FF95 510F0000 CALL [DWORD
SS:EBP+F51]
010102A6 8985 45050000
MOV [DWORD SS:EBP+545],EAX
010102AC
C785 49050000 >MOV [DWORD SS:EBP+549],0
010102B6
8B95 22040000 MOV EDX,[DWORD SS:EBP+422]
010102BC
8B06 MOV
EAX,[DWORD DS:ESI]
010102BE 85C0
TEST EAX,EAX
010102C0
75 03 JNZ SHORT notepad.010102C5
010102C2 8B46 10
MOV EAX,[DWORD DS:ESI+10]
010102C5
03C2 ADD EAX,EDX
010102C7
0385 49050000 ADD EAX,[DWORD SS:EBP+549]
010102CD 8B18
MOV EBX,[DWORD DS:EAX]
010102CF
8B7E 10 MOV EDI,[DWORD DS:ESI+10]
010102D2 03FA
ADD EDI,EDX
010102D4 03BD
49050000 ADD EDI,[DWORD SS:EBP+549]
010102DA
85DB TEST EBX,EBX
010102DC
0F84 A2000000 JE notepad.01010384
010102E2 F7C3 00000080 TEST EBX,80000000
010102E8 75 04
JNZ SHORT notepad.010102EE
010102EA
03DA ADD EBX,EDX
010102EC
43
INC EBX
010102ED 43
INC EBX
010102EE
53 PUSH EBX
010102EF
81E3 FFFFFF7F AND EBX,7FFFFFFF
010102F5
53
PUSH EBX
010102F6 FFB5 45050000
PUSH [DWORD SS:EBP+545]
010102FC
FF95 490F0000 CALL [DWORD SS:EBP+F49]
01010302
85C0 TEST EAX,EAX
01010304 5B
POP EBX
01010305 75
6F JNZ SHORT notepad.01010376
01010307
F7C3 00000080 TEST EBX,80000000
0101030D 75 19
JNZ SHORT notepad.01010328
0101030F
57 PUSH EDI
01010310
8B46 0C MOV EAX,[DWORD
DS:ESI+C]
01010313 0385 22040000
ADD EAX,[DWORD SS:EBP+422]
01010319
50 PUSH EAX
0101031A
53 PUSH EBX
0101031B 8D85 75040000 LEA
EAX,[DWORD SS:EBP+475]
01010321
50 PUSH EAX
01010322
57 PUSH EDI
01010323 E9 98000000
JMP notepad.010103C0
01010328 81E3
FFFFFF7F AND EBX,7FFFFFFF
0101032E
8B85 26040000 MOV EAX,[DWORD SS:EBP+426]
01010334
3985 45050000 CMP [DWORD SS:EBP+545],EAX
0101033A 75 24
JNZ SHORT notepad.01010360
0101033C
57 PUSH EDI
0101033D
8BD3 MOV
EDX,EBX
0101033F 4A
DEC EDX
01010340
C1E2 02 SHL EDX,2
01010343
8B9D 45050000 MOV EBX,[DWORD SS:EBP+545]
01010349 8B7B 3C
MOV EDI,[DWORD DS:EBX+3C]
0101034C
8B7C3B 78 MOV EDI,[DWORD DS:EBX+EDI+78]
01010350
035C3B 1C ADD EBX,[DWORD
DS:EBX+EDI+1C]
01010354 8B0413
MOV EAX,[DWORD DS:EBX+EDX]
01010357
0385 45050000 ADD EAX,[DWORD SS:EBP+545]
0101035D
5F
POP EDI
0101035E EB 16
JMP SHORT notepad.01010376
01010360
57 PUSH EDI
01010361 8B46 0C
MOV EAX,[DWORD DS:ESI+C]
01010364
0385 22040000 ADD EAX,[DWORD SS:EBP+422]
0101036A
50 PUSH EAX
0101036B 53
PUSH EBX
0101036C
8D85 C6040000 LEA EAX,[DWORD SS:EBP+4C6]
01010372
50 PUSH EAX
01010373 57
PUSH EDI
01010374
EB 4A JMP SHORT
notepad.010103C0
01010376 8907
MOV [DWORD DS:EDI],EAX
01010378
8385 49050000 >ADD [DWORD SS:EBP+549],4
0101037F
^E9 32FFFFFF JMP notepad.010102B6
01010384 8906
MOV [DWORD DS:ESI],EAX
01010386
8946 0C MOV [DWORD DS:ESI+C],EAX
01010389
8946 10 MOV [DWORD
DS:ESI+10],EAX
0101038C 83C6 14
ADD ESI,14
0101038F
8B95 22040000 MOV EDX,[DWORD SS:EBP+422]
01010395
^E9 EBFEFFFF JMP notepad.01010285
0101039A B8 20640000 MOV EAX,6420
<========================这个是原始程序的入口(RVA), 也就是OEP了
<========================在程序入口的这个偏移, 肯定没错
<========================好了, 到此你已经没事了, 唯一需要做的就是修复导入表入口和EP了
0101039F
50
PUSH EAX
010103A0 0385 22040000 ADD EAX,[DWORD SS:EBP+422]<====把OEP的RVA改成VA
010103A6 59 POP ECX
010103A7 0BC9 OR ECX,ECX
010103A9 8985 A8030000 MOV [DWORD SS:EBP+3A8],EAX<====+写入: EBP+3A8=010103BB, 正是下面PUSH 0的立即数, 所以那条PUSH实际压入的是OEP的VA
010103AF 61 POPAD +
010103B0 75 08 JNZ SHORT notepad.010103BA +<====用的是010103A7处OR ECX,ECX的结果(POPAD不改标志), OEP的RVA不为0就走下面的PUSH/RETN
010103B2 B8 01000000 MOV EAX,1 +
010103B7 C2 0C00 RETN 0C +
010103BA 68 00000000 PUSH 0=========================+
010103BF C3 RETN<==========================返回原始程序
======================================================================================
Enjoy it:)
DiKeN/iPB
======================================================================================
我相信, 看了这篇文章, 你应该就会ASPack的脱壳了.
关于完全修复, 我就不做赘述, 精通PE结构的人可以修复, 新手没有必要修复了
======================================================================================
结束语:
标准ASPack的壳, 就这样简单. 都是这样, 要还原成原样也没问题
tELock的壳, 也使用了aPLib作为其压缩引擎, 不过它有一次加密/解密
UPX也使用了aPLib这个压缩引擎.
aPLib引擎, 以前的版本没有了. 可以到http://apack.cjb.net
或者http://home19.inet.tele.dk/jibz/apack/
或者到iPB论坛, 工具栏下载. 有兴趣的可以看一下
======================================================================================