C32Asm packer unpacking analysis notes
Software: C32Asm 620 (a PE decompiler tool written by pll621, cool)
Protection: packer (written by pll621; looks very much like an ASPack variant)
Tools used: OllyDbg 1.09
Unpacking difficulty: average
Unpacking analysis: 大老
Group: =BCG= =[DCG]=
My own work: a file dongle detection tool
My e-mail: dalao@qdcnc.com dalao@top86.com
My homepage: http://dalao2002.yeah.net
My forum: http://61.177.65.168/dalaobbs/cgi-bin/leoboard.cgi
Oicq: 79234668
This article is dedicated to all friends who love cracking!
This packer was once also used on [飞狐交易师-网络版]! Repairing the program after unpacking is very hard; it is a rather odd kind of packer! Heh!
I have only analyzed this packer's workflow! I hope it helps everyone!
My unpacking skills are not very high! I hope the experts won't laugh! Enough chatter!
(1)
00401000 PUSH C32Asm.0056D001 ===================〉pushes the entry of the packer's handling code!
00401005 Main RETN
0056D001 Main PUSHAD ====================〉heh, many packers use this instruction to save the registers!
0056D002 Main CALL C32Asm.0056D022
0056D022 Main POP EBP ; EBP=0056D007
0056D023 Main INC EBP ; EBP=0056D008
0056D024 Main PUSH EBP
0056D025 Main RETN
Note: below we enter the main body of the packer!
0056D008 Main CLD
0056D009 Main LEA ESI,DWORD PTR SS:[EBP+60F] ; ESI=0056D617
0056D00F Main MOV EDI,ESI ; EDI=0056D617
0056D011 Main MOV ECX,97 ; ECX=00000097
0056D016 Main LODS DWORD PTR DS:[ESI] ; EAX=238AD5CA, ESI=0056D61B
0056D017 Main XOR EAX,12345678 ; EAX=31BE83B2
0056D01C Main STOS DWORD PTR ES:[EDI] ; EDI=0056D61B
0056D01D Main DEC ECX ; ECX=00000096
0056D01E Main JNZ SHORT C32Asm.0056D016
0056D016 Main LODS DWORD PTR DS:[ESI] ; EAX=00000000, ECX=00000000, ESI=0056D873, EDI=0056D873
0056D020 Main JMP SHORT C32Asm.0056D026
0056D026 Main JMP C32Asm.0056D72F
0056D72F Main MOV DL,83 ; EDX=FFFFFF83
0056D731 Main MOV ESI,31526A31 ; ESI=31526A31
0056D736 Main CALL C32Asm.0056D74F
0056D74F Main MOV BX,CX ; EBX=7FFD0000
0056D752 Main POP ECX ; ECX=0056D73B
0056D753 Main MOV BL,8C ; EBX=7FFD008C
0056D755 Main MOVSX EDX,AX ; EDX=00000000
0056D758 Main MOVSX EBX,BX ; EBX=0000008C
0056D75B Main MOV EBP,ECX ; EBP=0056D73B
0056D75D Main JMP C32Asm.0056D77E
0056D77E Main MOV CL,0B4 ; ECX=0056D7B4
0056D780 Main MOV EDI,B222BAA9 ; EDI=B222BAA9
0056D785 Main MOV SI,CX ; ESI=3152D7B4
0056D788 Main SBB CH,0C7 ; ECX=005610B4
0056D78B Main ADD EBP,C8EAC111 ; EBP=C941984C
0056D791 Main MOVSX ESI,DX ; ESI=00000000
0056D794 Main MOVSX EDX,CX ; EDX=000010B4
0056D797 Main MOV ESI,10D0FF69 ; ESI=10D0FF69
0056D79C Main ADD ECX,C1C089B1 ; ECX=C2169A65
0056D7A2 Main MOVSX EDX,AX ; EDX=00000000
0056D7A5 Main MOV EBX,37153DC7 ; EBX=37153DC7
0056D7AA Main JMP C32Asm.0056D7CB
(2)
==========================================================================================================================
0056D7CB Main MOV ESI,0CCAE761 ; ESI=0CCAE761
0056D7D0 Main MOV ECX,371723DF ; ECX=371723DF
0056D7D5 Main ADD DWORD PTR SS:[EBP+EBX],665D28DF =================〉the data at address [EBP+EBX] + 665D28DF
0056D7DD Main SUB EBP,4 ; EBP=C9419848
0056D7E3 Main MOV ESI,FA15EFF9 ; ESI=FA15EFF9
0056D7E8 Main MOV EDX,0CE4A433 ; EDX=0CE4A433
0056D7ED Main INC EDI ; EDI=B222BAAA
0056D7EE Main SBB CL,29 ; ECX=371723B6
0056D7F1 Main CMP EDI,B222BC24
0056D7F7 Main JNZ C32Asm.0056D79C ; EBP=C9419260, EDI=B222BC24 this is a loop! It restores part of the data!
0056D7FD Main JMP C32Asm.0056D81E ================>you can use F4 to skip the loop above directly
0056D81E Main MOV ECX,DF55B05F ; ECX=DF55B05F
0056D823 Main MOV SI,DX ; ESI=FA15A433
0056D826 Main JMP C32Asm.0056D617
0056D617 Main MOV DL,83 ; EDX=0CE4A483
0056D619 Main MOV ESI,31526A31 ; ESI=31526A31
0056D61E Main CALL C32Asm.0056D637
0056D637 Main MOV BX,CX ; EBX=3715B05F
0056D63A Main POP ECX ; ECX=0056D623
0056D63B Main MOV BL,8C ; EBX=3715B08C
0056D63D Main MOVSX EDX,AX ; EDX=00000000
0056D640 Main MOVSX EBX,BX ; EBX=FFFFB08C
0056D643 Main MOV EBP,ECX ; EBP=0056D623
0056D645 Main JMP C32Asm.0056D666
0056D666 Main MOV CL,0B4 ; ECX=0056D6B4
0056D668 Main MOV EDI,B222BAA9 ; EDI=B222BAA9
0056D66D Main MOV SI,CX ; ESI=3152D6B4
0056D670 Main SBB CH,0C7 ; ECX=00560FB4
0056D673 Main ADD EBP,C8EABECA ; EBP=C94194ED
0056D679 Main MOVSX ESI,DX ; ESI=00000000
0056D67C Main MOVSX EDX,CX ; EDX=00000FB4
0056D67F Main MOV ESI,10D0FF69 ; ESI=10D0FF69
0056D684 Main ADD ECX,C1C089B1 ; ECX=C2169965
0056D68A Main MOVSX EDX,AX ; EDX=00000000
0056D68D Main MOV EBX,37153DC7 ; EBX=37153DC7
0056D692 Main JMP C32Asm.0056D6B3
0056D6B3 Main MOV ESI,0CCAE761 ; ESI=0CCAE761
0056D6B8 Main MOV ECX,371723DF ; ECX=371723DF
0056D6BD Main ADD DWORD PTR SS:[EBP+EBX],665D28DF======================〉the data at address [EBP+EBX] + 665D28DF
0056D6C5 Main SUB EBP,4 ; EBP=C94194E9
0056D6CB Main MOV ESI,FA15EFF9 ; ESI=FA15EFF9
0056D6D0 Main MOV EDX,0CE4A433 ; EDX=0CE4A433
0056D6D5 Main INC EDI ; EDI=B222BAAA
0056D6D6 Main SBB CL,29 ; ECX=371723B6
0056D6D9 Main CMP EDI,B222BAAC
0056D6DF Main JNZ C32Asm.0056D684
0056D684 Main ADD ECX,C1C089B1 ; ECX=F8D7AD67================>you can use F4 to skip the loop above directly
0056D68A Main MOVSX EDX,AX ; ECX=371723B6, EBP=C94194E1, EDI=B222BAAC
0056D6E5 Main JMP C32Asm.0056D706
0056D706 Main MOV ECX,DF55B05F ; ECX=DF55B05F
0056D70B Main MOV SI,DX ; ESI=FA15A433
0056D70E Main JMP C32Asm.0056D02B
(3)
===============================================================================================================
0056D02B Main CALL C32Asm.0056D031
0056D031 Main POP EBP ; EBP=0056D030
0056D032 Main MOV EBX,-30 ; EBX=FFFFFFD0
0056D037 Main ADD EBX,EBP ; EBX=0056D000
0056D039 Main SUB EBX,16D000 ; EBX=00400000
0056D03F Main CMP DWORD PTR SS:[EBP+84C],0 ==========================〉note this comparison!
0056D046 Main MOV DWORD PTR SS:[EBP+84C],EBX
0056D04C Main JNZ C32Asm.0056D4BD =========================〉if this were ASPack-compressed software, the target of this jump would be the packer's final processing routine! But in this packer, heh, this never jumps! It is a trap!
0056D052 Main CMP BYTE PTR SS:[EBP+76],1
0056D056 Main JNZ SHORT C32Asm.0056D0A7
0056D0A7 Main CALL C32Asm.0056D1C1 ; EAX=77E60000
0056D0AC Main LEA ESI,DWORD PTR SS:[EBP+92] ; ESI=0056D0C2
0056D0B2 Main LODS DWORD PTR DS:[ESI] ; EAX=00401000, ESI=0056D0C6
0056D0B3 Main OR EAX,EAX
0056D0B5 Main JE SHORT C32Asm.0056D0CC
0056D0B7 Main MOV EDI,EAX ; EDI=00401000
0056D0B9 Main MOV ECX,6 ; ECX=00000006
0056D0BE Main REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]; ECX=00000000, ESI=0056D0CC, EDI=00401006
0056D0C0 Main JMP SHORT C32Asm.0056D0CC
0056D0CC Main MOV DWORD PTR SS:[EBP+2A5],ESP
0056D0D2 Main MOV EBX,DWORD PTR SS:[EBP+84C]
0056D0D8 Main MOV DWORD PTR SS:[EBP+289],EBX
0056D0DE Main PUSH 4
0056D0E0 Main PUSH 1000
0056D0E5 Main PUSH DWORD PTR SS:[EBP+284]
0056D0EB Main PUSH 0
0056D0ED Main CALL DWORD PTR SS:[EBP+270] ; EAX=01250000, ECX=0012FFE0, EDX=FFFFFFFF
0056D0F3 Main MOV DWORD PTR SS:[EBP+855],EAX
0056D0F9 Main MOV EBX,DWORD PTR SS:[EBP+27C] ; EBX=00171458
0056D0FF Main ADD EBX,DWORD PTR SS:[EBP+289] ; EBX=00571458
0056D105 Main PUSH EAX
0056D106 Main PUSH EBX
0056D107 Main CALL C32Asm.0056D4DE ; EAX=0000A000
0056D10C Main PUSH 4
0056D10E Main PUSH 1000
0056D113 Main PUSH DWORD PTR SS:[EBP+284]
0056D119 Main PUSH 0
0056D11B Main CALL DWORD PTR SS:[EBP+270] ; EAX=01270000
0056D121 Main MOV DWORD PTR SS:[EBP+189],EAX
0056D127 Main MOV EDX,DWORD PTR SS:[EBP+855] ; EDX=01250000
0056D12D Main MOV EBX,1F8 ; EBX=000001F8
0056D132 Main MOV EDI,DWORD PTR DS:[EDX+EBX+C] ; EDI=00001000
0056D136 Main OR EDI,EDI
0056D138 Main JE SHORT C32Asm.0056D158
0056D13A Main MOV ECX,DWORD PTR DS:[EDX+EBX+10] ; ECX=00007E00
0056D13E Main OR ECX,ECX
0056D140 Main JE SHORT C32Asm.0056D153
0056D142 Main ADD EDI,DWORD PTR SS:[EBP+189] ; EDI=01271000
0056D148 Main MOV ESI,DWORD PTR DS:[EDX+EBX+14] ; ESI=00000400
0056D14C Main ADD ESI,EDX ; ESI=01250400
0056D14E Main SAR ECX,2 ; ECX=00001F80
0056D151 Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]; ECX=00000000, ESI=01258200, EDI=01278E00
0056D153 Main ADD EBX,28 ; EBX=00000220
0056D156 Main JMP SHORT C32Asm.0056D132
0056D132 Main MOV EDI,DWORD PTR DS:[EDX+EBX+C] ; EDI=00012000
0056D136 Main OR EDI,EDI
0056D138 Main JE SHORT C32Asm.0056D158
0056D13A Main MOV ECX,DWORD PTR DS:[EDX+EBX+10] ; ECX=00000200
0056D13E Main OR ECX,ECX
0056D140 Main JE SHORT C32Asm.0056D153
0056D142 Main ADD EDI,DWORD PTR SS:[EBP+189] ; EDI=01282000
0056D148 Main MOV ESI,DWORD PTR DS:[EDX+EBX+14] ; ESI=00008200
0056D14C Main ADD ESI,EDX ; ESI=01258200
0056D14E Main SAR ECX,2 ; ECX=00000080
0056D151 Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]; ECX=00000000, ESI=01258400, EDI=01282200
0056D153 Main ADD EBX,28 ; EBX=00000248
0056D156 Main JMP SHORT C32Asm.0056D132
0056D132 Main MOV EDI,DWORD PTR DS:[EDX+EBX+C] ; EDI=00013000
0056D136 Main OR EDI,EDI
0056D138 Main JE SHORT C32Asm.0056D158
0056D13A Main MOV ECX,DWORD PTR DS:[EDX+EBX+10]
0056D13E Main OR ECX,ECX
0056D140 Main JE SHORT C32Asm.0056D153
0056D153 Main ADD EBX,28 ; EBX=00000270
0056D156 Main JMP SHORT C32Asm.0056D132
0056D132 Main MOV EDI,DWORD PTR DS:[EDX+EBX+C] ; EDI=00014000
0056D136 Main OR EDI,EDI
0056D138 Main JE SHORT C32Asm.0056D158
0056D13A Main MOV ECX,DWORD PTR DS:[EDX+EBX+10] ; ECX=00000400
0056D13E Main OR ECX,ECX
0056D140 Main JE SHORT C32Asm.0056D153
0056D142 Main ADD EDI,DWORD PTR SS:[EBP+189] ; EDI=01284000
0056D148 Main MOV ESI,DWORD PTR DS:[EDX+EBX+14] ; ESI=00008400
0056D14C Main ADD ESI,EDX ; ESI=01258400
0056D14E Main SAR ECX,2 ; ECX=00000100
0056D151 Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]; ECX=00000000, ESI=01258800, EDI=01284400
0056D153 Main ADD EBX,28 ; EBX=00000298
0056D156 Main JMP SHORT C32Asm.0056D132
0056D132 Main MOV EDI,DWORD PTR DS:[EDX+EBX+C] ; EDI=00015000
0056D136 Main OR EDI,EDI
0056D138 Main JE SHORT C32Asm.0056D158
0056D13A Main MOV ECX,DWORD PTR DS:[EDX+EBX+10] ; ECX=00000200
0056D13E Main OR ECX,ECX
0056D140 Main JE SHORT C32Asm.0056D153
0056D142 Main ADD EDI,DWORD PTR SS:[EBP+189] ; EDI=01285000
0056D148 Main MOV ESI,DWORD PTR DS:[EDX+EBX+14] ; ESI=00008800
0056D14C Main ADD ESI,EDX ; ESI=01258800
0056D14E Main SAR ECX,2 ; ECX=00000080
0056D151 Main REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]; ECX=00000000, ESI=01258A00, EDI=01285200
0056D153 Main ADD EBX,28 ; EBX=000002C0
0056D156 Main JMP SHORT C32Asm.0056D132
0056D132 Main MOV EDI,DWORD PTR DS:[EDX+EBX+C] ; EDI=00016000
0056D136 Main OR EDI,EDI
0056D138 Main JE SHORT C32Asm.0056D158
0056D13A Main MOV ECX,DWORD PTR DS:[EDX+EBX+10] ; ECX=00000C00
0056D13E Main OR ECX,ECX ; ECX=00000000, EBX=00000338, ESI=0125A000, EDI=00000000
0056D158 Main MOV EAX,DWORD PTR SS:[EBP+855] ; EAX=01250000
0056D15E Main PUSH EAX
0056D15F Main MOV EDX,DWORD PTR SS:[EBP+189] ; EDX=01270000
0056D165 Main PUSH EDX
0056D166 Main MOV EBX,DWORD PTR DS:[EAX] ; EBX=000178A4
0056D168 Main ADD EBX,EDX ; EBX=012878A4
0056D16A Main MOV EAX,DWORD PTR SS:[EBP+264] ; EAX=77E7564B
0056D170 Main MOV DWORD PTR DS:[EBX],EAX
0056D172 Main MOV EAX,DWORD PTR SS:[EBP+268] ; EAX=77E756DB
0056D178 Main MOV DWORD PTR DS:[EBX+4],EAX
0056D17B Main MOV EAX,DWORD PTR SS:[EBP+26C] ; EAX=77E78023
0056D181 Main MOV DWORD PTR DS:[EBX+8],EAX
0056D184 Main POP EDI ; EDI=01270000
0056D185 Main POP ESI ; ESI=01250000
0056D186 Main MOV EAX,DWORD PTR DS:[ESI+4] ; EAX=00017000
0056D189 Main ADD EAX,EDI ; EAX=01287000
0056D18B Main MOV DWORD PTR SS:[EBP+184],EAX
0056D191 Main LEA EBX,DWORD PTR SS:[EBP+289] ; EBX=0056D2B9
0056D197 Main PUSH EBX
0056D198 Main PUSH 0
0056D19A Main PUSH 0
0056D19C Main PUSH 1
0056D19E Main PUSH EDI
0056D19F Main MOV EBX,DWORD PTR DS:[ESI+8] ; EBX=00010038
0056D1A2 Main ADD EBX,EDI ; EBX=01280038
0056D1A4 Main PUSH EBX
0056D1A5 Main PUSH 8000
0056D1AA Main PUSH 0
0056D1AC Main PUSH ESI
0056D1AD Main CALL DWORD PTR SS:[EBP+274] ; EAX=00000001, ECX=00010101, EDX=FFFFFFFF
0056D1B3 Main PUSH 1287000 ========================〉entry point of the second stage
0056D1B8 Main RETN ==========================〉returns to the lower half of the packer's handling code!
01287000 Main NOP
01287001 Main PUSHAD ===============〉heh, this part looks very much like the stub code of an ASPack-compressed program
01287002 Main CALL 01287647
01287647 Main MOV EBP,DWORD PTR SS:[ESP] ; EBP=01287007
0128764A Main SUB EBP,44294B ; EBP=00E446BC
01287650 Main RETN
01287007 Main JMP SHORT 0128704D
0128704D Main MOV EBX,442944 ; EBX=00442944
01287052 Main ADD EBX,EBP ; EBX=01287000
01287054 Main SUB EBX,DWORD PTR SS:[EBP+442971] ; EBX=01270000
0128705A Main CMP DWORD PTR SS:[EBP+4430D8],0 ==================〉note this
01287061 Main MOV DWORD PTR SS:[EBP+442E2F],EBX
01287067 Main JNZ 012875AB ===============================〉once the packer has finished its work it jumps from here to the final processing part!
0128706D Main LEA EAX,DWORD PTR SS:[EBP+4430E0] ; EAX=0128779C
01287073 Main PUSH EAX
01287074 Main CALL DWORD PTR SS:[EBP+4431EC] ; EAX=77E60000, ECX=0012FFE0, EDX=77FCD348
0128707A Main MOV DWORD PTR SS:[EBP+4430DC],EAX
01287080 Main MOV EDI,EAX ; EDI=77E60000
01287082 Main LEA EBX,DWORD PTR SS:[EBP+4430ED] ; EBX=012877A9
01287088 Main PUSH EBX
01287089 Main PUSH EAX
0128708A Main CALL DWORD PTR SS:[EBP+4431E8] ; EAX=77E70EE2
01287090 Main MOV DWORD PTR SS:[EBP+442979],EAX
01287096 Main LEA EBX,DWORD PTR SS:[EBP+4430FA] ; EBX=012877B6
0128709C Main PUSH EBX
0128709D Main PUSH EDI
0128709E Main CALL DWORD PTR SS:[EBP+4431E8] ; EAX=77E6D002
012870A4 Main MOV DWORD PTR SS:[EBP+44297D],EAX
012870AA Main MOV EAX,DWORD PTR SS:[EBP+442E2F] ; EAX=01270000
012870B0 Main MOV DWORD PTR SS:[EBP+4430D8],EAX
012870B6 Main PUSH 4
012870B8 Main PUSH 1000
012870BD Main PUSH 546
012870C2 Main PUSH 0
012870C4 Main CALL DWORD PTR SS:[EBP+442979] ; EAX=01290000, EDX=FFFFFFFF
012870CA Main MOV DWORD PTR SS:[EBP+442975],EAX
012870D0 Main LEA EBX,DWORD PTR SS:[EBP+442A45] ; EBX=01287101
012870D6 Main PUSH EAX
012870D7 Main PUSH EBX
012870D8 Main CALL 01287651 ; EAX=00000546
012870DD Main MOV ECX,EAX ; ECX=00000546
012870DF Main LEA EDI,DWORD PTR SS:[EBP+442A45] ; EDI=01287101
012870E5 Main MOV ESI,DWORD PTR SS:[EBP+442975] ; ESI=01290000
012870EB Main REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]; ECX=00000000, ESI=01290546, EDI=01287647
012870ED Main MOV EAX,DWORD PTR SS:[EBP+442975] ; EAX=01290000
012870F3 Main PUSH 8000
012870F8 Main PUSH 0
012870FA Main PUSH EAX
012870FB Main CALL DWORD PTR SS:[EBP+44297D] ; EAX=00000001, ECX=00010101
01287101 Main LEA EAX,DWORD PTR SS:[EBP+442C51] ; EAX=0128730D
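The loop at 0056D132-0056D156 above walks the section table of the buffer EDX points to (first header at offset 1F8, stride 28; VirtualAddress at +C, SizeOfRawData at +10, PointerToRawData at +14), ends at the first header whose VirtualAddress is 0, skips headers whose SizeOfRawData is 0, and copies each remaining section's raw bytes to its virtual address inside the [EBP+189] buffer with SAR ECX,2 / REP MOVSD. The Python script below is an added example, not code from the original notes, that replays that loop so the rebuilt layout can be reproduced from a dump; the sample image it builds is constructed for the demonstration and is not C32Asm data.

```python
import struct

# Constants taken from the trace: EBX starts at 1F8 (first section header),
# ADD EBX,28 steps to the next header, and the fields read are [EDX+EBX+C]
# (VirtualAddress), [EDX+EBX+10] (SizeOfRawData), [EDX+EBX+14] (PointerToRawData).
SECTION_TABLE_OFF = 0x1F8
SECTION_HDR_SIZE = 0x28


def map_sections(raw):
    """Replay the loop at 0056D132-0056D156 over `raw` (the buffer EDX pointed at).
    Returns the rebuilt in-memory image (the [EBP+189] buffer, rebased to 0) and a
    list of (virtual_address, raw_offset, bytes_copied) per section actually copied."""
    image = bytearray()
    copied = []
    off = SECTION_TABLE_OFF
    while True:
        va, raw_size, raw_ptr = struct.unpack_from("<III", raw, off + 0xC)
        if va == 0:            # OR EDI,EDI / JE 0056D158: end of the section table
            break
        if raw_size != 0:      # OR ECX,ECX / JE 0056D153: nothing to copy, next header
            # SAR ECX,2 then REP MOVSD: only whole dwords move, so a SizeOfRawData
            # that is not a multiple of 4 loses its tail bytes.
            n = (raw_size >> 2) * 4
            chunk = raw[raw_ptr:raw_ptr + n]
            if len(chunk) != n:
                raise ValueError("section raw data runs past the end of the image")
            if len(image) < va + n:
                image.extend(b"\0" * (va + n - len(image)))
            image[va:va + n] = chunk
            copied.append((va, raw_ptr, n))
        off += SECTION_HDR_SIZE
    return image, copied


def build_sample():
    """Constructed sample image (not C32Asm data): three section headers at 0x1F8
    followed by an all-zero header that terminates the table. The middle section has
    SizeOfRawData 0 and the last one a size of 6, exercising the skip and truncation paths."""
    buf = bytearray(0x420)
    headers = [(0x1000, 0x10, 0x400), (0x2000, 0x0, 0x0), (0x3000, 0x6, 0x410)]
    for i, (va, size, ptr) in enumerate(headers):
        pos = SECTION_TABLE_OFF + i * SECTION_HDR_SIZE + 0xC
        struct.pack_into("<III", buf, pos, va, size, ptr)
    buf[0x400:0x410] = bytes(range(0x10))
    buf[0x410:0x416] = b"ABCDEF"
    return bytes(buf)


if __name__ == "__main__":
    for va, ptr, n in map_sections(build_sample())[1]:
        print("raw 0x%04X -> va 0x%04X (%d bytes)" % (ptr, va, n))
```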
(4) Final part
=========================================================================================================================
012875AB 8B85 652A4400 MOV EAX,DWORD PTR SS:[EBP+442A65]
012875B1 50 PUSH EAX
012875B2 0385 D8304400 ADD EAX,DWORD PTR SS:[EBP+4430D8]
012875B8 5B POP EBX
012875B9 0BDB OR EBX,EBX
012875BB 8985 112F4400 MOV DWORD PTR SS:[EBP+442F11],EAX
012875C1 61 POPAD ==========================〉restores the registers before reaching the entry point
012875C2 75 08 JNZ SHORT 012875CC
012875C4 B8 01000000 MOV EAX,1
012875C9 C2 0C00 RETN 0C
012875CC 68 A8132801 PUSH 12813A8 the entry point of the unpacked program!
012875D1 C3 RETN
==========================================================================================================================
Once the entry point is reached, the remaining work is to dump the file and repair the IAT!
This packer's workflow: 1 the initial code decodes and generates ========> 2 the ASPack decoding routine, which decodes again and generates ===========〉3 the original program!
OK, the analysis of this packer's workflow ends here!
Here I would like to mention c32asm, the PE decompiler!
This is a PE decompiler tool developed by a Chinese developer.
The software's author is: pll621
Main features:
Supports symbol parsing; supports direct HEX editing from the disassembly (though it would be nicer if, like HIEW or OllyDbg, it could patch the program's HEX code directly with assembly!); supports a data interpreter; supports multiple languages; supports plugins; and the interface is very pretty!
大老
Written in the early morning
5:15
2003-6-26