---------------------------------------------------------------------------
; eXPressor v1.1 脱壳
; ---------------------------------------------------------------------------
; ---------------------------------------------------------------------------
; 寻找恰当时机 Dump 文件
; ---------------------------------------------------------------------------
OllyDbg 载入,
00438019 > $Content$nbsp;/E9 15130000 jmp 00439333
0043801E . |E9 F0120000 jmp 00439313
00438023 . |E9 58120000 jmp 00439280
00438028 $Content$nbsp;|E9 AF0C0000 jmp 00438CDC
0043802D $Content$nbsp;|E9 AE020000 jmp 004382E0
00438032 $Content$nbsp;|E9 B40B0000 jmp 00438BEB
00438037 $Content$nbsp;|E9 E00C0000 jmp 00438D1C
运行起来有个 NAG,拦截 MessageBoxA 试试:
77D5050B > 8BFF mov edi, edi
77D5050D 55 push ebp
77D5050E 8BEC mov ebp, esp
77D50510 833D 1C04D777 0>cmp dword ptr [77D7041C], 0
77D50517 74 24 je short 77D5053D
77D50519 64:A1 18000000 mov eax, fs:[18]
77D5051F 6A 00 push 0
77D50521 FF70 24 push dword ptr [eax+24]
77D50524 68 F40AD777 push 77D70AF4
77D50529 FF15 1812D177 call [<&KERNEL32.InterlockedCompareEx>; kernel32.InterlockedCompareExchange
77D5052F 85C0 test eax, eax
77D50531 75 0A jnz short 77D5053D
77D50533 C705 F00AD777 0>mov dword ptr [77D70AF0], 1
77D5053D 6A 00 push 0
77D5053F FF75 14 push dword ptr [ebp+14]
77D50542 FF75 10 push dword ptr [ebp+10]
77D50545 FF75 0C push dword ptr [ebp+C]
77D50548 FF75 08 push dword ptr [ebp+8]
77D5054B E8 2D000000 call MessageBoxExA
77D50550 5D pop ebp
77D50551 C2 1000 retn 10 ; Breakpoint
在 retn 上设置一个断点,运行程序,出现:
---------------------------
Nfo
---------------------------
This program was packed with a demo version of eXPressor
---------------------------
确定
---------------------------
关闭 NAG,返回到程序领空:
004393A8 > /8B85 34FEFFFF mov eax, [ebp-1CC]
004393AE . |0FBE08 movsx ecx, byte ptr [eax]
004393B1 . |83F9 5C cmp ecx, 5C
004393B4 . |74 11 je short 004393C7
004393B6 . |8B95 34FEFFFF mov edx, [ebp-1CC]
为了找到处理输入表的地方,拦截 LoadLibraryA ,然后 Alt+F9 返回程序:
004396A5 . 8985 58FEFFFF mov [ebp-1A8], eax ; comdlg32.76320000
004396AB > 83BD 58FEFFFF>cmp dword ptr [ebp-1A8], 0
004396B2 . 75 37 jnz short 004396EB
004396B4 . 8B4D F8 mov ecx, [ebp-8]
004396B7 . 51 push ecx ; /<%hs>
004396B8 . 68 78814300 push 00438178 ; |Format = "A required .DLL file, %hs, was not found."
004396BD . 8D95 60FEFFFF lea edx, [ebp-1A0] ; |
004396C3 . 52 push edx ; |s
004396C4 . FF15 2CE14300 call [<&USER32.wsprintfA>] ; \wsprintfA
明显开始装载引入表了,向上回溯:
00439636 . 8B95 ECFEFFFF mov edx, [ebp-114]
0043963C . 0315 88F04300 add edx, [43F088]
00439642 . 8995 38FEFFFF mov [ebp-1C8], edx
00439648 > 8B85 38FEFFFF mov eax, [ebp-1C8]
0043964E . 8378 0C 00 cmp dword ptr [eax+C], 0
00439652 . 0F84 65020000 je 004398BD
[ebp-1C8] 应该就是引入表了,运行到这里可能已经修改,重新来,直达 00439642;
在命令行输入 dd edx,看看引入表 IID 有多大:
004231F8 00023350
004231FC 00000000
00423200 00000000
00423204 00023EDC
00423208 0001F0B8
0042320C 00023520
00423210 00000000
00423214 00000000
00423218 000245FC
0042321C 0001F288
00423220 000232B4
00423224 00000000
00423228 00000000
0042322C 0002482E
00423230 0001F01C
00423234 00023710
00423238 00000000
0042323C 00000000
00423240 0002485C
00423244 0001F478
00423248 00023700
0042324C 00000000
00423250 00000000
00423254 000248A0
00423258 0001F468
0042325C 00023298
00423260 00000000
00423264 00000000
00423268 000248F0
0042326C 0001F000
00423270 000232AC
00423274 00000000
00423278 00000000
0042327C 0002490A
00423280 0001F014
00423284 00000000
00423288 00000000
0042328C 00000000
00423290 00000000
00423294 00000000
[1] [2] 下一页 |
