Manual unpacking with OllyDbg: PEBundle 2.3
Author: yongfu81 (yongfu81@tom.com)
** Data Factory 2003 was identified as packed with PEBundle 2.3, so let's try unpacking it by hand with OllyDbg. The module is named TotoFact in the listings below.
0048E000 > 9C               PUSHFD                          ; program entry point
0048E001   60               PUSHAD
0048E002   E8 02000000      CALL TotoFact.0048E009
0048E007   33C0             XOR EAX, EAX
0048E009   8BC4             MOV EAX, ESP
0048E00B   83C0 04          ADD EAX, 4
The two instructions at the entry point, PUSHFD (9C) and PUSHAD (60), are typical of this packer: each layer saves the flags and registers on entry and restores them with POPAD (61) and POPFD (9D) just before it hands control to the next layer. So we look for the byte sequence 61 9D.
Press Ctrl+B (binary search) and search for 61 9D...
0048E36F   61               POPAD                           ; search hit
0048E370   9D               POPFD
0048E371   68 00204800      PUSH TotoFact.00482000
0048E376   C3               RETN                            ; first breakpoint
The PUSH imm32 / RETN pair is a disguised jump: the RETN pops 00482000 and continues there. Set a breakpoint at 0048E376, F9 to run to it, then F8 one step to land here:
00482000   9C               PUSHFD
00482001   60               PUSHAD
00482002   E8 02000000      CALL TotoFact.00482009
00482007   33C0             XOR EAX, EAX
The same typical prologue again (a second layer), so search for 61 9D once more...
0048236F   61               POPAD
00482370   9D               POPFD
00482371   68 00724500      PUSH TotoFact.00457200
00482376   C3               RETN                            ; second breakpoint
Set a breakpoint at 00482376, F9 to run to it, F8 one step, and we arrive at the third layer:
00457200  /EB 06            JMP SHORT TotoFact.00457208
00457202  |68 D0240000      PUSH 24D0
00457207  |C3               RETN
00457208  \9C               PUSHFD                          ; do not search yet, step with F8
00457209   60               PUSHAD
0045720A   E8 02000000      CALL TotoFact.00457211          ; step into this call with F7
0045720F   33C0             XOR EAX, EAX
00457211   8BC4             MOV EAX, ESP                    ; the call above lands here
00457213   83C0 04          ADD EAX, 4
00457216   93               XCHG EAX, EBX
00457217   8BE3             MOV ESP, EBX
00457219   8B5B FC          MOV EBX, DWORD PTR DS:[EBX-4]
0045721C   81EB 3F904000    SUB EBX, TotoFact.0040903F
00457222   87DD             XCHG EBP, EBX
00457224   8B85 E6904000    MOV EAX, DWORD PTR SS:[EBP+4090E6]
0045722A   0185 33904000    ADD DWORD PTR SS:[EBP+409033], EAX
00457230   66:C785 30904000 9090  MOV WORD PTR SS:[EBP+409030], 9090
00457239   0185 DA904000    ADD DWORD PTR SS:[EBP+4090DA], EAX
0045723F   0185 DE904000    ADD DWORD PTR SS:[EBP+4090DE], EAX
00457245   0185 E2904000    ADD DWORD PTR SS:[EBP+4090E2], EAX
0045724B   BB 7B110000      MOV EBX, 117B
00457250   039D EA904000    ADD EBX, DWORD PTR SS:[EBP+4090EA]
00457256   039D E6904000    ADD EBX, DWORD PTR SS:[EBP+4090E6]
0045725C   53               PUSH EBX
0045725D   8BC3             MOV EAX, EBX
0045725F   8BFB             MOV EDI, EBX
00457261   2D AC904000      SUB EAX, TotoFact.004090AC
00457266   8985 AD904000    MOV DWORD PTR SS:[EBP+4090AD], EAX
0045726C   8DB5 AC904000    LEA ESI, DWORD PTR SS:[EBP+4090AC]
00457272   B9 40040000      MOV ECX, 440
00457277   F3:A5            REP MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]
00457279   8BFB             MOV EDI, EBX
0045727B   C3               RETN                            ; run to here, continue with F8
This layer relocates itself before doing any work: the CALL / MOV EAX,ESP / MOV EBX,[EBX-4] sequence recovers its own address into EBP (delta-offset style), EBX is computed as 117B + [EBP+4090EA] + [EBP+4090E6] (0045917B) and pushed, REP MOVS copies 0x440 dwords of stub code from [EBP+4090AC] to that address, and the RETN at 0045727B continues in the copy. The epilogue we want is executed from the copy, which is why searching for 61 9D is deferred until execution has moved there.
0045917B   BD CF000500      MOV EBP, 500CF                  ; continue with F8
00459180   8BF7             MOV ESI, EDI
00459182   83C6 54          ADD ESI, 54
00459185   81C7 FF100000    ADD EDI, 10FF
0045918B   56               PUSH ESI
0045918C   57               PUSH EDI
0045918D   57               PUSH EDI
0045918E   56               PUSH ESI
0045918F   FF95 DA904000    CALL DWORD PTR SS:[EBP+4090DA]
00459195   8BC8             MOV ECX, EAX
00459197   5E               POP ESI
00459198   5F               POP EDI
00459199   8BC1             MOV EAX, ECX
0045919B   C1F9 02          SAR ECX, 2
0045919E   F3:A5            REP MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]
004591A0   03C8             ADD ECX, EAX
004591A2   83E1 03          AND ECX, 3
004591A5   F3:A4            REP MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI]
004591A7   EB 26            JMP SHORT TotoFact.004591CF     ; run to here, it jumps
The immediate 500CF in the first instruction is the value the previous layer stored at [EBP+4090AD] (0045917B - 004090AC), so the copied stub rebases its EBP-relative addressing onto its new location. The CALL through [EBP+4090DA] is the decompressor; its return value is the byte count that the REP MOVS pair (dwords, then the remaining 0-3 bytes) copies into place.
004591CF   8BB5 E6904000    MOV ESI, DWORD PTR SS:[EBP+4090E6]  ; TotoFact.00400000
004591D5   56               PUSH ESI
004591D6   03B5 EE904000    ADD ESI, DWORD PTR SS:[EBP+4090EE]
004591DC   83C6 14          ADD ESI, 14
004591DF   03B5 35974000    ADD ESI, DWORD PTR SS:[EBP+409735]
004591E5   8DBD 39974000    LEA EDI, DWORD PTR SS:[EBP+409739]
Once we have jumped to 004591CF we can search for 61 9D again... which finds the following:
0045954E   61               POPAD
0045954F   9D               POPFD
00459550   50               PUSH EAX
00459551   68 D0244000      PUSH TotoFact.004024D0          ; ASCII "hhE@"
00459556   C2 0400          RETN 4                          ; set the breakpoint here
This time the epilogue is PUSH EAX / PUSH imm32 / RETN 4: the RETN pops 004024D0 as the return address and discards the extra pushed dword, so control transfers to 004024D0 with the stack as it was. Set a breakpoint at 00459556, F9 to it, F8 one step, and we are at the OEP...
004024D0   68 68454000      PUSH TotoFact.00404568          ; OEP, dump here...
004024D5   E8 F0FFFFFF      CALL TotoFact.004024CA          ; JMP to MSVBVM60.ThunRTMain
004024DA   0000             ADD BYTE PTR DS:[EAX], AL
004024DC   0000             ADD BYTE PTR DS:[EAX], AL
004024DE   0000             ADD BYTE PTR DS:[EAX], AL
004024E0   3000             XOR BYTE PTR DS:[EAX], AL
004024E2   0000             ADD BYTE PTR DS:[EAX], AL
004024E4   40               INC EAX
PUSH of a VB header followed by a CALL into MSVBVM60.ThunRTMain is the standard VB6 entry stub (the lines after the CALL are data bytes that OllyDbg disassembles as garbage, not code). So this is clearly a VB program: dump it at this OEP and it runs directly, with no import-table repair needed. Still run the dump to confirm; if it does not start, rebuild the imports at this OEP with ImportREC before assuming the dump is good.
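The Ctrl+B search loop above is mechanical enough to script. The following Python is an added example, not code from the original write-up or from PEBundle: it scans a memory snapshot for the layer prologue and the two 61 9D epilogue shapes seen above (POPAD/POPFD/PUSH imm32/RETN and POPAD/POPFD/PUSH EAX/PUSH imm32/RETN 4) and walks from the PE entry point through the push targets until it reaches code that is no longer a packer prologue. The snapshot is constructed from only the bytes quoted in the listings, placed at their page addresses over zero padding; the signature bytes, the JMP SHORT decoy handling and the VB OEP heuristic are assumptions of this example, not something the page states.

```python
import re
import struct

IMAGE_BASE = 0x00400000  # from the "TotoFact.00400000" comment at 004591CF

# Layer prologue seen at 0048E000, 00482000 and 00457208:
# PUSHFD / PUSHAD / CALL $+2 / XOR EAX,EAX / MOV EAX,ESP / ADD EAX,4
STUB_ENTRY = bytes.fromhex("9C60E80200000033C08BC483C004")

# The two epilogue shapes the Ctrl+B "61 9D" search turns up:
#   61 9D 68 imm32 C3           POPAD; POPFD; PUSH imm32; RETN            (layer -> next layer)
#   61 9D 50 68 imm32 C2 04 00  POPAD; POPFD; PUSH EAX; PUSH imm32; RETN 4 (last layer -> OEP)
TRANSITION = re.compile(
    rb"\x61\x9D(?:\x68(?P<t1>.{4})\xC3|\x50\x68(?P<t2>.{4})\xC2\x04\x00)",
    re.DOTALL,
)


def find_transitions(img, base):
    """Every push/ret epilogue in img as (popad_va, retn_va, target_va), ascending."""
    hits = []
    for m in TRANSITION.finditer(img):
        if m.group("t1") is not None:
            target, retn_off = m.group("t1"), 7   # RETN is the 8th byte of the pattern
        else:
            target, retn_off = m.group("t2"), 8   # RETN 4 starts at the 9th byte
        va = base + m.start()
        hits.append((va, va + retn_off, struct.unpack("<I", target)[0]))
    return hits


def is_stub_entry(img, base, va):
    """True if va begins a packer layer; tolerates the JMP SHORT +6 over a
    PUSH imm32 / RETN decoy that precedes the third layer at 00457200."""
    off = va - base
    if img[off:off + 2] == b"\xEB\x06":
        off += 8
    return img[off:off + len(STUB_ENTRY)] == STUB_ENTRY


def walk_layers(img, base, entry):
    """Repeat the walkthrough's loop: while the current address looks like a
    layer prologue, take the first epilogue after it (Ctrl+B searches forward
    from the cursor) and continue at its push target. Returns (chain, oep)."""
    transitions = find_transitions(img, base)
    chain, va = [], entry
    while is_stub_entry(img, base, va):
        nxt = next((t for t in transitions if t[0] > va), None)
        if nxt is None:
            break
        chain.append(nxt)
        va = nxt[2]
    return chain, va


def looks_like_vb_oep(img, base, va):
    """Heuristic only (assumption): VB6 entry = PUSH imm32 (VB header) then CALL rel32."""
    off = va - base
    return img[off] == 0x68 and img[off + 5] == 0xE8


def build_sample():
    """Constructed snapshot: only the bytes quoted in the listings above, at
    their page addresses, over zero padding. It is not the real binary."""
    img = bytearray(0x90000)
    imm = lambda x: struct.pack("<I", x)

    def put(va, data):
        img[va - IMAGE_BASE:va - IMAGE_BASE + len(data)] = data

    put(0x0048E000, STUB_ENTRY)                                             # layer 1
    put(0x0048E36F, b"\x61\x9D\x68" + imm(0x00482000) + b"\xC3")             # -> layer 2
    put(0x00482000, STUB_ENTRY)                                             # layer 2
    put(0x0048236F, b"\x61\x9D\x68" + imm(0x00457200) + b"\xC3")             # -> layer 3
    put(0x00457200, b"\xEB\x06\x68" + imm(0x24D0) + b"\xC3" + STUB_ENTRY)    # decoy + layer 3
    put(0x0045954E, b"\x61\x9D\x50\x68" + imm(0x004024D0) + b"\xC2\x04\x00")  # -> OEP
    put(0x004024D0, b"\x68" + imm(0x00404568) + b"\xE8" + imm(0xFFFFFFF0))   # VB entry stub
    return bytes(img)


if __name__ == "__main__":
    snapshot = build_sample()
    chain, oep = walk_layers(snapshot, IMAGE_BASE, 0x0048E000)
    for popad, retn, target in chain:
        print(f"epilogue at {popad:08X}: break on RETN at {retn:08X}, next layer at {target:08X}")
    print(f"OEP candidate {oep:08X}, VB6-style entry: {looks_like_vb_oep(snapshot, IMAGE_BASE, oep)}")
```

On the constructed snapshot this reproduces the three breakpoints of the walkthrough (0048E376, 00482376, 00459556) and the OEP 004024D0. The caveat is the one the write-up itself runs into at 00457208: a static scan only sees what is present in the snapshot, and the third layer copies its own code to 0045917B at runtime, so a dump taken before that REP MOVS has run does not contain the final epilogue at the address where it will execute. The script is a faithful substitute for Ctrl+B only on a snapshot taken from the debugger once the layer being searched is in place.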