=================================================================
=
= inside Pandora's Box - iPB
= Open Cracking Group - OCG
=
=
=                                                   DiKeN/iPB
=================================================================
================================================================================
Although a lot of junk instructions are used, the instruction flow is still the same.
=========Calc.exe
0101B001 >60                  PUSHAD
0101B002  E8 03000000         CALL CALC.0101B00A
0101B007  E9 EB045D45         JMP 465EB4F7
0101B00C  55                  PUSH EBP
0101B00D  C3                  RETN
0101B00E  E8 01000000         CALL CALC.0101B014
0101B013  EB 5D               JMP SHORT CALC.0101B072
0101B015  BB EDFFFFFF         MOV EBX,-13
0101B01A  03DD                ADD EBX,EBP
0101B01C  81EB 00B00100       SUB EBX,1B000 ========>
0101B022  83BD 22040000 00    CMP DWORD PTR SS:[EBP+422],0
0101B029  899D 22040000       MOV DWORD PTR SS:[EBP+422],EBX <===== save ImageBase
0101B02F  0F85 65030000       JNZ CALC.0101B39A
0101B035  8D85 2E040000       LEA EAX,DWORD PTR SS:[EBP+42E]
0101B03B  50                  PUSH EAX
0101B03C  FF95 4D0F0000       CALL DWORD PTR SS:[EBP+F4D]
0101B042  8985 26040000       MOV DWORD PTR SS:[EBP+426],EAX
0101B048  8BF8                MOV EDI,EAX
0101B04A  8D5D 5E             LEA EBX,DWORD PTR SS:[EBP+5E]
0101B04D  53                  PUSH EBX
0101B04E  50                  PUSH EAX
0101B04F  FF95 490F0000       CALL DWORD PTR SS:[EBP+F49] ====> GetProcAddress(VirtualAlloc)
0101B055  8985 4D050000       MOV DWORD PTR SS:[EBP+54D],EAX
0101B05B  8D5D 6B             LEA EBX,DWORD PTR SS:[EBP+6B]
0101B05E  53                  PUSH EBX
0101B05F  57                  PUSH EDI
0101B060  FF95 490F0000       CALL DWORD PTR SS:[EBP+F49] ====> GetProcAddress(VirtualFree)
0101B066  8985 51050000       MOV DWORD PTR SS:[EBP+551],EAX
0101B06C  8D45 77             LEA EAX,DWORD PTR SS:[EBP+77]
0101B06F  FFE0                JMP EAX
......
......
Right after this it allocates memory and decodes.
...........
...........
...........
0101B389  8946 10             MOV DWORD PTR DS:[ESI+10],EAX
0101B38C  83C6 14             ADD ESI,14
0101B38F  8B95 22040000       MOV EDX,DWORD PTR SS:[EBP+422]
0101B395  E9 EBFEFFFF         JMP CALC.0101B285
0101B39A  B8 E0190100         MOV EAX,119E0 <================== here is the OEP's VA
0101B39F  50                  PUSH EAX
******************************************************************************************************
=========Notepad
00411001 >60                  PUSHAD
00411002  E8 03000000         CALL NOTEPAD.0041100A
00411007  E9 EB045D45         JMP 459E14F7
0041100C  55                  PUSH EBP
0041100D  C3                  RETN
0041100E  E8 01000000         CALL NOTEPAD.00411014
00411013  EB 5D               JMP SHORT NOTEPAD.00411072
00411015  BB EDFFFFFF         MOV EBX,-13
0041101A  03DD                ADD EBX,EBP
0041101C  81EB 00100100       SUB EBX,11000
00411022  83BD 22040000 00    CMP DWORD PTR SS:[EBP+422],0
00411029  899D 22040000       MOV DWORD PTR SS:[EBP+422],EBX <===== save ImageBase
0041102F  0F85 65030000       JNZ NOTEPAD.0041139A
00411035  8D85 2E040000       LEA EAX,DWORD PTR SS:[EBP+42E] ===> Kernel32.dll
0041103B  50                  PUSH EAX
0041103C  FF95 4D0F0000       CALL DWORD PTR SS:[EBP+F4D]
00411042  8985 26040000       MOV DWORD PTR SS:[EBP+426],EAX
00411048  8BF8                MOV EDI,EAX
0041104A  8D5D 5E             LEA EBX,DWORD PTR SS:[EBP+5E]
0041104D  53                  PUSH EBX
0041104E  50                  PUSH EAX
0041104F  FF95 490F0000       CALL DWORD PTR SS:[EBP+F49] ====> GetProcAddress(VirtualAlloc)
00411055  8985 4D050000       MOV DWORD PTR SS:[EBP+54D],EAX
0041105B  8D5D 6B             LEA EBX,DWORD PTR SS:[EBP+6B]
0041105E  53                  PUSH EBX
0041105F  57                  PUSH EDI
00411060  FF95 490F0000       CALL DWORD PTR SS:[EBP+F49] ====> GetProcAddress(VirtualFree)
00411066  8985 51050000       MOV DWORD PTR SS:[EBP+551],EAX
0041106C  8D45 77             LEA EAX,DWORD PTR SS:[EBP+77]
0041106F  FFE0                JMP EAX
......
......
Right after this it allocates memory and decodes.
...........
...........
...........
0041136C  8D85 C6040000       LEA EAX,DWORD PTR SS:[EBP+4C6]
00411372  50                  PUSH EAX
00411373  57                  PUSH EDI
00411374  EB 4A               JMP SHORT NOTEPAD.004113C0
00411376  8907                MOV DWORD PTR DS:[EDI],EAX
00411378  8385 49050000 04    ADD DWORD PTR SS:[EBP+549],4
0041137F  E9 32FFFFFF         JMP NOTEPAD.004112B6
00411384  8906                MOV DWORD PTR DS:[ESI],EAX
00411386  8946 0C             MOV DWORD PTR DS:[ESI+C],EAX
00411389  8946 10             MOV DWORD PTR DS:[ESI+10],EAX
0041138C  83C6 14             ADD ESI,14
0041138F  8B95 22040000       MOV EDX,DWORD PTR SS:[EBP+422]
00411395  E9 EBFEFFFF         JMP NOTEPAD.00411285
0041139A  B8 CC100000         MOV EAX,10CC =========================> ??? what offset is this?
0041139F  50                  PUSH EAX
004113A0  0385 22040000       ADD EAX,DWORD PTR SS:[EBP+422]
004113A6  59                  POP ECX
004113A7  0BC9                OR ECX,ECX
004113A9  8985 A8030000       MOV DWORD PTR SS:[EBP+3A8],EAX
004113AF  61                  POPAD
004113B0  75 08               JNZ SHORT NOTEPAD.004113BA
=========Calc.exe (for comparison)
0101B389  8946 10             MOV DWORD PTR DS:[ESI+10],EAX
0101B38C  83C6 14             ADD ESI,14
0101B38F  8B95 22040000       MOV EDX,DWORD PTR SS:[EBP+422]
0101B395  E9 EBFEFFFF         JMP CALC.0101B285
0101B39A  B8 E0190100         MOV EAX,119E0 <================== here is the OEP's VA
0101B39F  50                  PUSH EAX
=========================================================================
Finally, comparing the two shows that EP+0x399 is in every case the instruction MOV EAX,????????
That is, the original OEP is
ImageBase+[EP+0x39A]  (the dword at EP+0x39A is the immediate operand of that MOV)
******************************************************************************************************
=========================================================================
Now let's look at the result of compressing LordPE with ASPack
=========================================================================
00432001 >60                  PUSHAD
00432002  E8 03000000         CALL LORDPEP.0043200A
00432007  E9 EB045D45         JMP 45A024F7
0043200C  55                  PUSH EBP
0043200D  C3                  RETN
/************************
00432001+399=43239A
************************/
00432395  E9 EBFEFFFF         JMP LORDPEP.00432285
0043239A  B8 103E0000         MOV EAX,3E10
0043239F  50                  PUSH EAX
004323A0  0385 22040000       ADD EAX,DWORD PTR SS:[EBP+422] ==========> ImageBase
004323A6  59                  POP ECX
004323A7  0BC9                OR ECX,ECX
004323A9  8985 A8030000       MOV DWORD PTR SS:[EBP+3A8],EAX
004323AF  61                  POPAD
/************************
OEP=00400000+3E10=403E10
************************/
=========================================================================
******************************************************************************************************
Haha, done. Now let's look at a bigger file: how about Flashget?
00507001 >60                  PUSHAD
00507002  E8 03000000         CALL JETCAR.0050700A
00507007  E9 EB045D45         JMP 45AD74F7
0050700C  55                  PUSH EBP
0050700D  C3                  RETN
0050700E  E8 01000000         CALL JETCAR.00507014
00507013  EB 5D               JMP SHORT JETCAR.00507072
00507015  BB EDFFFFFF         MOV EBX,-13
0050701A  03DD                ADD EBX,EBP
0050701C  81EB 00701000       SUB EBX,107000
00507022  83BD 22040000 00    CMP DWORD PTR SS:[EBP+422],0
00507029  899D 22040000       MOV DWORD PTR SS:[EBP+422],EBX
Compute the address of the MOV instruction:
507001+399=50739A
Now look at the instruction at 50739A:
0050738F  8B95 22040000       MOV EDX,DWORD PTR SS:[EBP+422]
00507395  E9 EBFEFFFF         JMP JETCAR.00507285
0050739A  B8 056D0700         MOV EAX,76D05 <================== here is the OEP's VA
0050739F  50                  PUSH EAX
005073A0  0385 22040000       ADD EAX,DWORD PTR SS:[EBP+422] ==========> ImageBase
005073A6  59                  POP ECX
005073A7  0BC9                OR ECX,ECX
005073A9  8985 A8030000       MOV DWORD PTR SS:[EBP+3A8],EAX
005073AF  61                  POPAD
Compute the OEP:
OEP=ImageBase+[EP+39A]
=400000+[507001+39A]
=400000+76D05
=476D05
=========================================================================
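As an added example (not part of the original tutorial), here is the rule above turned into a small Python check over the bytes at the packed EP: it confirms the stock ASPack prologue and the fixed-offset MOV EAX / PUSH EAX pair seen in every listing, recovers ImageBase the same way the stub does (EBX = EP-1, then SUB EBX,imm32), and returns ImageBase+[EP+0x39A]. `build_sample_stub` is a constructed test buffer filled from the Flashget values, not a real packed file.

```python
import struct

# Fixed prologue seen at the ASPack EP in every listing on this page:
# PUSHAD; CALL +3; E9 EB 04 5D 45 (its tail 5D 45 = POP EBP / INC EBP); PUSH EBP; RETN
ASPACK_EP_SIG = bytes.fromhex("60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3")
SUB_EBX_OFF = 0x1B    # EP+0x1B: 81 EB imm32  (SUB EBX, EP_RVA-1 -> EBX = ImageBase)
MOV_EAX_OFF = 0x399   # EP+0x399: B8 imm32    (MOV EAX, OEP_RVA)
PUSH_EAX_OFF = 0x39E  # EP+0x39E: 50          (PUSH EAX)

def is_stock_aspack_stub(stub: bytes) -> bool:
    """True if `stub` (bytes starting at the packed EP) has the prologue and the
    MOV EAX / PUSH EAX pair at the fixed offsets; modified stubs fail this check."""
    return (len(stub) > PUSH_EAX_OFF
            and stub.startswith(ASPACK_EP_SIG)
            and stub[SUB_EBX_OFF:SUB_EBX_OFF + 2] == b"\x81\xEB"
            and stub[MOV_EAX_OFF] == 0xB8
            and stub[PUSH_EAX_OFF] == 0x50)

def recover_image_base(stub: bytes, ep_va: int):
    """Redo the stub's own arithmetic: EBP = EP+0x12, EBX = EBP-0x13 = EP-1,
    then SUB EBX,(EP_RVA-1) leaves ImageBase in EBX (the value saved at [EBP+422])."""
    if not is_stock_aspack_stub(stub):
        return None
    sub_imm = struct.unpack_from("<I", stub, SUB_EBX_OFF + 2)[0]
    return ep_va - 1 - sub_imm

def find_aspack_oep(stub: bytes, ep_va: int):
    """OEP = ImageBase + [EP+0x39A], the rule derived on the page; None if not stock."""
    image_base = recover_image_base(stub, ep_va)
    if image_base is None:
        return None
    oep_rva = struct.unpack_from("<I", stub, MOV_EAX_OFF + 1)[0]
    return image_base + oep_rva

def build_sample_stub(ep_rva: int, oep_rva: int) -> bytes:
    """Constructed test input (not a real packed file): prologue, the SUB EBX,
    NOP padding, and MOV EAX,oep_rva / PUSH EAX at the fixed offsets."""
    buf = bytearray(b"\x90" * (PUSH_EAX_OFF + 1))
    buf[:len(ASPACK_EP_SIG)] = ASPACK_EP_SIG
    buf[SUB_EBX_OFF:SUB_EBX_OFF + 2] = b"\x81\xEB"
    struct.pack_into("<I", buf, SUB_EBX_OFF + 2, ep_rva - 1)
    buf[MOV_EAX_OFF] = 0xB8
    struct.pack_into("<I", buf, MOV_EAX_OFF + 1, oep_rva)
    buf[PUSH_EAX_OFF] = 0x50
    return bytes(buf)

if __name__ == "__main__":
    # Flashget (JETCAR): EP 0x507001, SUB EBX,0x107000, MOV EAX,0x76D05 -> OEP 0x476D05
    stub = build_sample_stub(0x107001, 0x76D05)
    print(hex(find_aspack_oep(stub, 0x507001)))  # 0x476d05
```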
******************************************************************************************************
Correct. Next, let's unpack one with TRW2000 and see how it goes: UltraEdit compressed with ASPack
004D3001 >60                  PUSHAD
004D3002  E8 03000000         CALL UEDIT32.004D300A
004D3007  E9 EB045D45         JMP 45AA34F7
004D300C  55                  PUSH EBP
004D339A  B8 D0850400         MOV EAX,485D0
004D339F  50                  PUSH EAX
:u 4d339A
:bpx 4485d0
:g
:bc *
:pedump c:\mm.exe
OK, mm.exe is unpacked.
=========================================================================
An ASPack shell that is not the stock one and uses techniques such as SEH cannot be unpacked with this method.