飞速加的aspr1.3b壳软件:packed.exe
下载地址:问fly 
工具:OD1.10b;lordpe.exe 1.6
aspr1.3b抽代码比上一个版本更厉害,以packed.exe为例,主干代码除了最后一个退出的Call外其它都放到壳里,
fly说了一个方法就是把壳最后一段dump下移植到dump程序,这是一个快捷的好方法,不过对packed.exe来说,
大了一点,壳的相关码大约有2k。另一个方法就是分析壳代码,找出原代码,而这当中属
od的运行跟踪功能最实在(废话,谁不知道),不过aspr1.3b设置了障碍,就是FF代码,要使用运行跟踪功能要先
解决FF代码。
0040C3B0 FFFA ??? ; FF代码
0040C3B2 B8 48BF4000 MOV EAX,packed.0040BF48
0040C3B7 E8 547CFFFF CALL packed.00404010
0040C3BC B8 34C04000 MOV EAX,packed.0040C034
0040C3C1 E8 727CFFFF CALL packed.00404038
0040C3C6 803D 09674500 00 CMP BYTE PTR DS:[456709],0
0040C3CD 74 0F JE SHORT packed.0040C3DE
0040C3CF B8 34414500 MOV EAX,packed.00454134
0040C3D4 BA 14C44000 MOV EDX,packed.0040C414 ; ASCII "0x"
0040C3D9 E8 DA7EFFFF CALL packed.004042B8
0040C3DE E8 59E9FFFF CALL packed.0040AD3C
0040C3E3 FF79 ??? ; FF代码
0040C3E5 95 XCHG EAX,EBP
0040C3E6 AF SCAS DWORD PTR ES:[EDI]
0040C3E7 ^74 E8 JE SHORT packed.0040C3D1
0040C3E9 0BF4 OR ESI,ESP
0040C3EB FFFF ??? ; FF代码
0040C3ED E8 9EEFFFFF CALL packed.0040B390
0040C3F2 33C0 XOR EAX,EAX
0040C3F4 5A POP EDX
0040C3F5 59 POP ECX
0040C3F6 59 POP ECX
0040C3F7 64:8910 MOV DWORD PTR FS:[EAX],EDX
0040C3FA 68 07C44000 PUSH packed.0040C407
0040C3FF C3 RETN
当到达40C3B0异常中断,看ESP+4指向40C400,下bp 40c400按Shift+F9断下后单步跟踪到壳
009865AC 55 PUSH EBP
009865AD 8BEC MOV EBP,ESP
009865AF 51 PUSH ECX
009865B0 53 PUSH EBX
009865B1 56 PUSH ESI
009865B2 57 PUSH EDI
009865B3 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
009865B6 05 9C000000 ADD EAX,9C
009865BB 50 PUSH EAX
009865BC 8B50 1C MOV EDX,DWORD PTR DS:[EAX+1C]
009865BF 52 PUSH EDX
009865C0 52 PUSH EDX
009865C1 E8 92FFFFFF CALL 00986558 《=对FF异常地址查表解密
009865C6 83F8 FF CMP EAX,-1
009865C9 5A POP EDX
009865CA 59 POP ECX
009865CB 74 15 JE SHORT 009865E2
009865CD FF75 0C PUSH DWORD PTR SS:[EBP+C]
009865D0 51 PUSH ECX
009865D1 52 PUSH EDX
009865D2 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
009865D5 81C2 B8000000 ADD EDX,0B8
009865DB 52 PUSH EDX
009865DC 50 PUSH EAX
009865DD E8 12FEFFFF CALL 009863F4 《=F7跟进
009865E2 5F POP EDI
009865E3 5E POP ESI
009865E4 5B POP EBX
009865E5 59 POP ECX
009865E6 5D POP EBP
009865E7 C2 0800 RETN 8
跟进009863F4单步来到这里
00986421 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
00986424 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00986427 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0098642A 8A00 MOV AL,BYTE PTR DS:[EAX]
0098642C 2C 01 SUB AL,1
0098642E 72 12 JB SHORT 00986442 <<=跳则为Call指令
00986430 0F84 A0000000 JE 009864D6 <<=跳则为无条件跳转
00986436 FEC8 DEC AL
00986438 74 45 JE SHORT 0098647F <<=跳则为条件跳转
0098643A E9 BB000000 JMP 009864FA
........
0098645D 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00986460 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
00986463 0305 14E79800 ADD EAX,DWORD PTR DS:[98E714] ; 解密的Call地址
00986469 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; 改为 JMP 00453620
0098646C 83C2 06 ADD EDX,6
0098646F 8902 MOV DWORD PTR DS:[EDX],EAX
........
00986496 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
00986499 0305 14E79800 ADD EAX,DWORD PTR DS:[98E714] ; 解密的跳转地址
0098649F 2B45 F4 SUB EAX,DWORD PTR SS:[EBP-C] ; 改为JMP 00453654
009864A2 83E8 06 SUB EAX,6
009864A5 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
........
009864DF 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
009864E2 0305 14E79800 ADD EAX,DWORD PTR DS:[98E714] ; 解密的无条件跳转地址
009864E8 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; 改为JMP 00453654
009864EB 42 INC EDX
009864EC 8902 MOV DWORD PTR DS:[EDX],EAX
009864EE 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
现需要对 986469;98649f;9864e8三处加补丁记录解密FF异常的数据
首先要找一个空地放解密的数据我选的是45B000处
在453610处填 00 B0 45 00 在453614处填 04 B0 45 00
在453620处填入如下代码
00453620 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] <<==原壳代码
00453623 83C2 06 ADD EDX,6 <<==原壳代码
00453626 60 PUSHAD
00453627 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
0045362A 8B15 10364500 MOV EDX,DWORD PTR DS:[453610]
00453630 8BD8 MOV EBX,EAX <<==计算距离
00453632 2BD9 SUB EBX,ECX
00453634 83EB 05 SUB EBX,5
00453637 C601 E8 MOV BYTE PTR DS:[ECX],0E8 <<==修补代码(Call)
0045363A 8959 01 MOV DWORD PTR DS:[ECX+1],EBX <<==修补代码
0045363D 890A MOV DWORD PTR DS:[EDX],ECX <<==记录FF发生地址
0045363F C642 04 E8 MOV BYTE PTR DS:[EDX+4],0E8 <<==记录类型
00453643 895A 05 MOV DWORD PTR DS:[EDX+5],EBX <<==距离
00453646 8305 10364500 10 ADD DWORD PTR DS:[453610],10
0045364D 61 POPAD
0045364E -E9 1C2E5300 JMP 0098646F
00453653 90 NOP
00453654 A3 14364500 MOV DWORD PTR DS:[453614],EAX <<==保存数据
00453659 2B45 F4 SUB EAX,DWORD PTR SS:[EBP-C] <<==原壳代码
0045365C 83E8 06 SUB EAX,6 <<==原壳代码
0045365F 60 PUSHAD
00453660 9C PUSHFD
00453661 A1 14364500 MOV EAX,DWORD PTR DS:[453614]
00453666 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
00453669 3BC1 CMP EAX,ECX <<==比较跳转方向
0045366B 72 5A JB SHORT packed.004536C7
0045366D 2BC1 SUB EAX,ECX
0045366F 83E8 02 SUB EAX,2
00453672 83F8 7F CMP EAX,7F <<==是否为远距离
00453675 77 27 JA SHORT packed.0045369E
00453677 8B52 FF MOV EDX,DWORD PTR DS:[EDX-1]
0045367A 80EE 10 SUB DH,10
0045367D 8831 MOV BYTE PTR DS:[ECX],DH <<==修补代码
0045367F 8841 01 MOV BYTE PTR DS:[ECX+1],AL <<==修补代码
00453682 8B1D 10364500 MOV EBX,DWORD PTR DS:[453610]
00453688 890B MOV DWORD PTR DS:[EBX],ECX <<==记录FF发生地址
0045368A 8873 04 MOV BYTE PTR DS:[EBX+4],DH <<==记录类型
0045368D 8843 05 MOV BYTE PTR DS:[EBX+5],AL <<==记录距离
00453690 8305 10364500 10 ADD DWORD PTR DS:[453610],10
00453697 9D POPFD
00453698 61 POPAD
00453699 -E9 072E5300 JMP 009864A5
0045369E 83E8 04 SUB EAX,4 <<==远距离条件跳转
004536A1 8B52 FF MOV EDX,DWORD PTR DS:[EDX-1]
004536A4 66:8911 MOV WORD PTR DS:[ECX],DX <<==修补代码
004536A7 8941 02 MOV DWORD PTR DS:[ECX+2],EAX <<==修补代码
004536AA 8B1D 10364500 MOV EBX,DWORD PTR DS:[453610]
004536B0 890B MOV DWORD PTR DS:[EBX],ECX <<==记录FF发生地址
004536B2 66:8953 04 MOV WORD PTR DS:[EBX+4],DX <<==记录类型
004536B6 8943 06 MOV DWORD PTR DS:[EBX+6],EAX <<==记录距离
004536B9 8305 10364500 10 ADD DWORD PTR DS:[453610],10
004536C0 9D POPFD
004536C1 61 POPAD
004536C2 -E9 DE2D5300 JMP 009864A5
004536C7 2BC1 SUB EAX,ECX <<==反方向计算
004536C9 83E8 02 SUB EAX,2
004536CC 83F8 80 CMP EAX,-80 <<==是否为远距离
004536CF ^72 CD JB SHORT packed.0045369E
004536D1 ^EB A4 JMP SHORT packed.00453677
004536D3 90 NOP
004536D4 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] <<==原壳代码
004536D7 42 INC EDX <<==原壳代码
004536D8 8902 MOV DWORD PTR DS:[EDX],EAX <<==原壳代码
004536DA 60 PUSHAD
004536DB 9C PUSHFD
004536DC 8BF8 MOV EDI,EAX
004536DE 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
004536E1 3BC1 CMP EAX,ECX
004536E3 72 53 JB SHORT packed.00453738
004536E5 2BC1 SUB EAX,ECX
004536E7 83E8 02 SUB EAX,2
004536EA 83F8 7F CMP EAX,7F <<==是否为远距离
004536ED 77 23 JA SHORT packed.00453712
004536EF 8B1D 10364500 MOV EBX,DWORD PTR DS:[453610]
004536F5 C601 EB MOV BYTE PTR DS:[ECX],0EB <<==修补代码
004536F8 8841 01 MOV BYTE PTR DS:[ECX+1],AL <<==修补代码
004536FB 890B MOV DWORD PTR DS:[EBX],ECX <<==记录FF发生地址
004536FD C643 04 EB MOV BYTE PTR DS:[EBX+4],0EB <<==记录类型
00453701 8843 05 MOV BYTE PTR DS:[EBX+5],AL <<==记录距离
00453704 8305 10364500 10 ADD DWORD PTR DS:[453610],10
0045370B 9D POPFD
0045370C 61 POPAD
0045370D -E9 DC2D5300 JMP 009864EE
00453712 83E8 03 SUB EAX,3
00453715 8B1D 10364500 MOV EBX,DWORD PTR DS:[453610]
0045371B C601 E9 MOV BYTE PTR DS:[ECX],0E9 <<==修补代码
0045371E 8941 01 MOV DWORD PTR DS:[ECX+1],EAX <<==修补代码
00453721 890B MOV DWORD PTR DS:[EBX],ECX <<==记录FF发生地址
00453723 C643 04 E9 MOV BYTE PTR DS:[EBX+4],0E9 <<==记录类型
00453727 8943 05 MOV DWORD PTR DS:[EBX+5],EAX <<==记录距离
0045372A 8305 10364500 10 ADD DWORD PTR DS:[453610],10
00453731 9D POPFD
00453732 61 POPAD
00453733 -E9 B62D5300 JMP 009864EE
00453738 2BC1 SUB EAX,ECX
0045373A 83E8 02 SUB EAX,2
0045373D 83F8 80 CMP EAX,-80 <<==是否为远距离
00453740 ^72 D0 JB SHORT packed.00453712
00453742 ^EB AB JMP SHORT packed.004536EF
完成上述的代码修改后不断按Shift+F9直到程序画面跳出来,用鼠标点击程序右上角的关闭,然后继续按
Shift+F9直到程序退出,这时d 45b000并把45b000-45bc60的代码用二进制复制到记事本备用。
上述的方法有缺陷,不能完全修复FF代码,且工作量大,一直想利用壳的地址表解密没想通(笨啊)
(明天继续)
感谢在学脱aspr1.3b过程中Volx的指点