Unpacking a modified UPX
Posted on: 2005-8-25 13:03 3904
My own shallow understanding of compression packers: with a compression packer, just keep stepping forward, and whenever you hit a loop press F4 to get past it; that takes you straight to the destination.
After loading, it stops here:
0053DD70 unEb> 60 pushad
0053DD71 BE 00D04C00 mov esi,unEbookE.004CD000
0053DD76 8DBE 0040F3FF lea edi,dword ptr ds:[esi+FFF34000]
0053DD7C C787 0C870D00 9F11ACC1 mov dword ptr ds:[edi+D870C],C1AC119F
0053DD86 57 push edi
0053DD87 83CD FF or ebp,FFFFFFFF
0053DD8A EB 0E jmp short unEbookE.0053DD9A
Lands here; step down with F8:
0053DD9A 8B1E mov ebx,dword ptr ds:[esi]
0053DD9C 83EE FC sub esi,-4
0053DD9F 11DB adc ebx,ebx
0053DDA1 ^ 72 ED jb short unEbookE.0053DD90 ; loops here
0053DDA3 B8 01000000 mov eax,1 ; move the cursor here, F4 to get past the loop
0053DDA8 01DB add ebx,ebx
0053DDAA 75 07 jnz short unEbookE.0053DDB3
0053DDAC 8B1E mov ebx,dword ptr ds:[esi]
0053DDAE 83EE FC sub esi,-4
0053DDB1 11DB adc ebx,ebx
0053DDB3 11C0 adc eax,eax
0053DDB5 01DB add ebx,ebx
0053DDB7 73 0B jnb short unEbookE.0053DDC4
0053DDB9 75 19 jnz short unEbookE.0053DDD4 ; jumps away
Lands here:
0053DDD4 31C9 xor ecx,ecx
0053DDD6 83E8 03 sub eax,3
0053DDD9 72 11 jb short unEbookE.0053DDEC ; jumps away
Lands here:
0053DDEC 01DB add ebx,ebx
0053DDEE 75 07 jnz short unEbookE.0053DDF7
0053DDF0 8B1E mov ebx,dword ptr ds:[esi]
0053DDF2 83EE FC sub esi,-4
0053DDF5 11DB adc ebx,ebx
0053DDF7 11C9 adc ecx,ecx
0053DDF9 01DB add ebx,ebx
0053DDFB 75 07 jnz short unEbookE.0053DE04
Keep stepping down with F8 like this until you reach here:
0053DE39 8A02 mov al,byte ptr ds:[edx]
0053DE3B 42 inc edx
0053DE3C 8807 mov byte ptr ds:[edi],al
0053DE3E 47 inc edi
0053DE3F 49 dec ecx
0053DE40 ^ 75 F7 jnz short unEbookE.0053DE39
0053DE42 ^ E9 4FFFFFFF jmp unEbookE.0053DD96 ; another loop
0053DE47 90 nop ; cursor here, F4 to get past it, but the program just runs
0053DE48 8B02 mov eax,dword ptr ds:[edx]
0053DE4A 83C2 04 add edx,4
0053DE4D 8907 mov dword ptr ds:[edi],eax
0053DE4F 83C7 04 add edi,4
0053DE52 83E9 04 sub ecx,4
Restart, Ctrl+G 0053DE42, press F4 there, then F8, and you arrive here, entering a big loop:
0053DD96 01DB add ebx,ebx
0053DD98 75 07 jnz short unEbookE.0053DDA1
0053DD9A 8B1E mov ebx,dword ptr ds:[esi]
0053DD9C 83EE FC sub esi,-4
0053DD9F 11DB adc ebx,ebx
0053DDA1 ^ 72 ED jb short unEbookE.0053DD90
0053DDA3 B8 01000000 mov eax,1
0053DDA8 01DB add ebx,ebx
0053DDAA 75 07 jnz short unEbookE.0053DDB3
0053DDAC 8B1E mov ebx,dword ptr ds:[esi]
0053DDAE 83EE FC sub esi,-4
0053DDB1 11DB adc ebx,ebx
0053DDB3 11C0 adc eax,eax
0053DDB5 01DB add ebx,ebx
0053DDB7 73 0B jnb short unEbookE.0053DDC4
0053DDB9 75 19 jnz short unEbookE.0053DDD4
0053DDBB 8B1E mov ebx,dword ptr ds:[esi]
0053DDBD 83EE FC sub esi,-4
0053DDC0 11DB adc ebx,ebx
0053DDC2 72 10 jb short unEbookE.0053DDD4
0053DDC4 48 dec eax
0053DDC5 01DB add ebx,ebx
0053DDC7 75 07 jnz short unEbookE.0053DDD0
0053DDC9 8B1E mov ebx,dword ptr ds:[esi]
0053DDCB 83EE FC sub esi,-4
0053DDCE 11DB adc ebx,ebx
0053DDD0 11C0 adc eax,eax
0053DDD2 ^ EB D4 jmp short unEbookE.0053DDA8
0053DDD4 31C9 xor ecx,ecx
0053DDD6 83E8 03 sub eax,3
0053DDD9 72 11 jb short unEbookE.0053DDEC
0053DDDB C1E0 08 shl eax,8
0053DDDE 8A06 mov al,byte ptr ds:[esi]
0053DDE0 46 inc esi
0053DDE1 83F0 FF xor eax,FFFFFFFF
0053DDE4 74 78 je short unEbookE.0053DE5E
0053DDE6 D1F8 sar eax,1
0053DDE8 89C5 mov ebp,eax
0053DDEA EB 0B jmp short unEbookE.0053DDF7
0053DDEC 01DB add ebx,ebx
0053DDEE 75 07 jnz short unEbookE.0053DDF7
0053DDF0 8B1E mov ebx,dword ptr ds:[esi]
0053DDF2 83EE FC sub esi,-4
0053DDF5 11DB adc ebx,ebx
0053DDF7 11C9 adc ecx,ecx
0053DDF9 01DB add ebx,ebx
0053DDFB 75 07 jnz short unEbookE.0053DE04
0053DDFD 8B1E mov ebx,dword ptr ds:[esi]
0053DDFF 83EE FC sub esi,-4
0053DE02 11DB adc ebx,ebx
0053DE04 11C9 adc ecx,ecx
0053DE06 75 20 jnz short unEbookE.0053DE28
0053DE08 41 inc ecx
0053DE09 01DB add ebx,ebx
0053DE0B 75 07 jnz short unEbookE.0053DE14
0053DE0D 8B1E mov ebx,dword ptr ds:[esi]
0053DE0F 83EE FC sub esi,-4
0053DE12 11DB adc ebx,ebx
0053DE14 11C9 adc ecx,ecx
0053DE16 01DB add ebx,ebx
0053DE18 ^ 73 EF jnb short unEbookE.0053DE09
0053DE1A 75 09 jnz short unEbookE.0053DE25
0053DE1C 8B1E mov ebx,dword ptr ds:[esi]
0053DE1E 83EE FC sub esi,-4
0053DE21 11DB adc ebx,ebx
0053DE23 ^ 73 E4 jnb short unEbookE.0053DE09
0053DE25 83C1 02 add ecx,2
0053DE28 81FD 00FBFFFF cmp ebp,-500
0053DE2E 83D1 01 adc ecx,1
0053DE31 8D142F lea edx,dword ptr ds:[edi+ebp]
0053DE34 83FD FC cmp ebp,-4
0053DE37 76 0F jbe short unEbookE.0053DE48
0053DE39 8A02 mov al,byte ptr ds:[edx]
0053DE3B 42 inc edx
0053DE3C 8807 mov byte ptr ds:[edi],al
0053DE3E 47 inc edi
0053DE3F 49 dec ecx
0053DE40 ^ 75 F7 jnz short unEbookE.0053DE39
0053DE42 ^ E9 4FFFFFFF jmp unEbookE.0053DD96 ; this jumps back
0053DE47 90 nop
0053DE48 8B02 mov eax,dword ptr ds:[edx]
0053DE4A 83C2 04 add edx,4
0053DE4D 8907 mov dword ptr ds:[edi],eax
0053DE4F 83C7 04 add edi,4
0053DE52 83E9 04 sub ecx,4
0053DE55 ^ 77 F1 ja short unEbookE.0053DE48
0053DE57 01CF add edi,ecx
0053DE59 ^ E9 38FFFFFF jmp unEbookE.0053DD96 ; this jumps back
The exit from the loop can be found above, as follows:
0053DDE4 74 78 je short unEbookE.0053DE5E
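What those loops are actually doing: the `add ebx,ebx` / `adc` sequences between 0053DD96 and 0053DE59 are UPX's NRV2D decoder (the `sar eax,1` and `cmp ebp,-500` are its tell-tales), ebx is the 32-bit bit buffer that is refilled from [esi] whenever its sentinel bit shifts out, and the `je 0053DE5E` is the end-of-stream check. The Python below is an added model of that loop written from the listing; it is not code from this post or from UPX. Each decoder line carries the address it mirrors; the literal copy that `jb 0053DD90` reaches is not in the listing, so a one-byte copy from esi is assumed. The bit-counting reader replaces the sentinel trick, and the greedy compressor, `put_prefix`, `put_match` and `sample_input` are mine and exist only so the decoder can be exercised offline on constructed data.

```python
import random

class BitReader:       # ebx in the listing: a little-endian dword whose bits are consumed MSB first
    def __init__(self, src):
        self.src, self.pos, self.bb, self.left = src, 0, 0, 0
    def getbit(self):
        if self.left == 0:                       # mov ebx,[esi] ; sub esi,-4 ; adc ebx,ebx (refill)
            self.bb = int.from_bytes(self.src[self.pos:self.pos + 4], "little")
            self.pos, self.left = self.pos + 4, 32
        self.left -= 1                           # add ebx,ebx: the next bit lands in CF
        return (self.bb >> self.left) & 1
    def getbyte(self):                           # movsb (assumed at 0053DD90) / mov al,[esi] ; inc esi
        self.pos += 1
        return self.src[self.pos - 1]

def nrv2d_decompress(src):
    br, dst, last_off = BitReader(src), bytearray(), 1    # or ebp,-1: last offset = 1
    while True:
        while br.getbit():                       # jb 0053DD90: copy one literal byte
            dst.append(br.getbyte())
        m_off, stop = 1, 0                       # mov eax,1
        while not stop:                          # offset prefix loop 0053DDA8..0053DDD2
            m_off, stop = 2 * m_off + br.getbit(), br.getbit()   # adc eax,eax ; jb 0053DDD4
            if not stop:
                m_off = 2 * (m_off - 1) + br.getbit()            # dec eax ; adc eax,eax
        if m_off == 2:                           # sub eax,3 ; jb 0053DDEC: reuse ebp
            m_off, m_len = last_off, br.getbit()
        else:
            v = (((m_off - 3) << 8) | br.getbyte()) & 0xFFFFFFFF  # shl eax,8 ; mov al,[esi]
            if v == 0xFFFFFFFF:                  # xor eax,-1 ; je 0053DE5E: end of stream
                break
            m_len = (~v) & 1                     # sar eax,1 moves the low bit of ~v into CF
            m_off = last_off = (v >> 1) + 1      # ebp = -m_off
        m_len = 2 * m_len + br.getbit()          # adc ecx,ecx at 0053DE04
        if m_len == 0:                           # jnz 0053DE28 not taken: long length code
            m_len, stop = 1, 0                   # inc ecx
            while not stop:                      # 0053DE09..0053DE23
                m_len, stop = 2 * m_len + br.getbit(), br.getbit()
            m_len += 2                           # add ecx,2
        m_len += 1 + (m_off > 0x500)             # cmp ebp,-500 ; adc ecx,1
        for _ in range(m_len):                   # byte copy 0053DE39 / dword copy 0053DE48
            dst.append(dst[-m_off])
    return bytes(dst)

class BitWriter:       # inverse of BitReader: reserves the dword slot where ebx will be refilled
    def __init__(self):
        self.out, self.slot, self.bits, self.n = bytearray(), 0, 0, 0
    def putbit(self, b):
        if self.n == 0:
            self.slot = len(self.out); self.out += b"\0\0\0\0"
        self.bits, self.n = (self.bits << 1) | b, self.n + 1
        if self.n == 32:
            self.flush()
    def flush(self):
        if self.n:
            self.out[self.slot:self.slot + 4] = (self.bits << (32 - self.n)).to_bytes(4, "little")
            self.bits = self.n = 0
        return bytes(self.out)

def put_prefix(bw, x):                           # bits that the loop at 0053DDA8 decodes back to x >= 2
    n, low, lo, digits = (x - 2) >> 1, (x - 2) & 1, 0, 0
    while n >= 4 * lo + 1:                       # lo: smallest n reachable in `digits` rounds
        lo, digits = 4 * lo + 1, digits + 1
    for i in range(digits - 1, -1, -1):
        d = ((n - lo) >> (2 * i)) & 3
        bw.putbit(d >> 1); bw.putbit(0); bw.putbit(d & 1)
    bw.putbit(low); bw.putbit(1)

def put_match(bw, off, length, last_off):
    lp = length - 1 - (off > 0x500)              # undo "cmp ebp,-500 ; adc ecx,1"
    f, g = (lp >> 1, lp & 1) if lp <= 3 else (0, 0)
    bw.putbit(0)                                 # not a literal
    if off == last_off:
        put_prefix(bw, 2); bw.putbit(f)
    else:
        v = ((off - 1) << 1) | (1 - f)           # the low bit is what sar eax,1 recovers
        put_prefix(bw, (v >> 8) + 3); bw.out.append(v & 0xFF)
    bw.putbit(g)
    if lp > 3:                                   # long form: bits of lp-2 below its leading 1
        m = lp - 2
        for i in range(m.bit_length() - 2, -1, -1):
            bw.putbit((m >> i) & 1); bw.putbit(1 if i == 0 else 0)

def nrv2d_compress(data):                        # greedy nearest-match, only to build test streams
    bw, i, last_off = BitWriter(), 0, 1
    while i < len(data):
        p = data.rfind(data[i:i + 3], 0, i + 2) if i + 3 <= len(data) else -1
        if p < 0:
            bw.putbit(1); bw.out.append(data[i]); i += 1   # literal
            continue
        n = 3
        while i + n < len(data) and data[p + n] == data[i + n]:
            n += 1
        put_match(bw, i - p, n, last_off)
        last_off, i = i - p, i + n
    bw.putbit(0); put_prefix(bw, 0x1000002); bw.out.append(0xFF)   # terminator: eax == -1 at 0053DDE1
    return bw.flush()

def sample_input():                              # constructed: repeats at the same offset, a near repeat, 1400 random bytes, a far repeat
    body = bytes(random.Random(7).choices(range(256), k=1400))
    return b"abcd1abcd2abcd3" + b"ebook header " * 3 + body + body[:40] + b"tail tail tail"
```

`nrv2d_decompress(nrv2d_compress(sample_input()))` returns the input; the far repeat exercises the `m_off > 0x500` length adjustment and the repeated `abcd` spacing exercises the "reuse ebp" path. This only models the decompression stage: as the listing shows, the stub still runs the E8/E9 unfilter at 0053DE5E and the import loader afterwards.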
Set a breakpoint at 0053DE5E and run with F9; after it breaks, step down with F8 and use F4 to get past each loop:
0053DE5E 5E pop esi ; unEbookE.00401000
0053DE5F 89F7 mov edi,esi
0053DE61 B9 406A0000 mov ecx,6A40
0053DE66 8A07 mov al,byte ptr ds:[edi]
0053DE68 47 inc edi
0053DE69 2C E8 sub al,0E8
0053DE6B 3C 01 cmp al,1
0053DE6D ^ 77 F7 ja short unEbookE.0053DE66
0053DE6F 803F 1E cmp byte ptr ds:[edi],1E ; F4 here
0053DE72 ^ 75 F2 jnz short unEbookE.0053DE66
0053DE74 8B07 mov eax,dword ptr ds:[edi] ; F4 here
0053DE76 8A5F 04 mov bl,byte ptr ds:[edi+4]
0053DE79 66:C1E8 08 shr ax,8
0053DE7D C1C0 10 rol eax,10
0053DE80 86C4 xchg ah,al
0053DE82 29F8 sub eax,edi
0053DE84 80EB E8 sub bl,0E8
0053DE87 01F0 add eax,esi
0053DE89 8907 mov dword ptr ds:[edi],eax
0053DE8B 83C7 05 add edi,5
0053DE8E 89D8 mov eax,ebx
0053DE90 ^ E2 D9 loopd short unEbookE.0053DE6B
0053DE92 8DBE 00901300 lea edi,dword ptr ds:[esi+139000] ; F4 here
0053DE98 8B07 mov eax,dword ptr ds:[edi]
0053DE9A 09C0 or eax,eax
0053DE9C 74 3C je short unEbookE.0053DEDA
0053DE9E 8B5F 04 mov ebx,dword ptr ds:[edi+4]
0053DEA1 8D8430 F8F31300 lea eax,dword ptr ds:[eax+esi+13F3F8]
0053DEA8 01F3 add ebx,esi
0053DEAA 50 push eax
0053DEAB 83C7 08 add edi,8
0053DEAE FF96 E8F41300 call dword ptr ds:[esi+13F4E8]
0053DEB4 95 xchg eax,ebp
0053DEB5 8A07 mov al,byte ptr ds:[edi]
0053DEB7 47 inc edi
0053DEB8 08C0 or al,al
0053DEBA ^ 74 DC je short unEbookE.0053DE98
0053DEBC 89F9 mov ecx,edi
0053DEBE 57 push edi
0053DEBF 48 dec eax
0053DEC0 F2:AE repne scas byte ptr es:[edi]
0053DEC2 55 push ebp
0053DEC3 FF96 ECF41300 call dword ptr ds:[esi+13F4EC]
0053DEC9 09C0 or eax,eax
0053DECB 74 07 je short unEbookE.0053DED4
0053DECD 8903 mov dword ptr ds:[ebx],eax
0053DECF 83C3 04 add ebx,4
0053DED2 ^ EB E1 jmp short unEbookE.0053DEB5 ; another loop
0053DED4 FF96 F0F41300 call dword ptr ds:[esi+13F4F0] ; after F4 here the program just runs
Restart, Ctrl+G 0053DED2, press F4 there, then F8, and you arrive here, another loop:
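The loop at 0053DE5E..0053DE90 is the inverse of UPX's E8/E9 call filter. At pack time every `call`/`jmp rel32` operand was rewritten as a marker byte (1E here, the `cmp byte ptr [edi],1E`) followed by a 24-bit big-endian value, so that calls to the same function become identical byte strings and compress better; ecx = 6A40 is how many of them the stub has to turn back into rel32 operands. The marker is chosen at pack time so that it never follows an E8/E9 in the real code, which is how the stub tells a real call from a stray E8 byte in data. Below is an added Python mirror of that loop (not the post's or UPX's code), with a constructed `filter_calls` that is only the inverse needed to build a test buffer, since the packer's own filter code is not on the page; `unfilter_calls`, `filter_calls`, `CALLS`, `sample_section` and the blob's contents are mine.

```python
CTO = 0x1E   # marker byte compared at 0053DE6F (cmp byte ptr [edi],1E)

def unfilter_calls(buf, n_calls, cto=CTO):
    """Mirror of 0053DE5E..0053DE90: scan for E8/E9 and, when the marker follows,
    replace marker + 24-bit big-endian value with the rel32 the CPU needs.
    esi (section start, 00401000 in the listing) cancels out:
    eax = target - edi + esi = target - offset_of_operand."""
    buf, i = bytearray(buf), 0
    while n_calls:
        op, i = buf[i], i + 1                                  # mov al,[edi] ; inc edi
        if op not in (0xE8, 0xE9):                             # sub al,0E8 ; cmp al,1 ; ja
            continue
        if buf[i] != cto:                                      # cmp byte ptr [edi],1E ; jnz
            continue                                           # stray E8/E9 inside data
        target = int.from_bytes(buf[i + 1:i + 4], "big")       # shr ax,8 ; rol eax,10 ; xchg ah,al
        rel = (target - i) & 0xFFFFFFFF                        # sub eax,edi ; add eax,esi
        buf[i:i + 4] = rel.to_bytes(4, "little")               # mov [edi],eax
        i, n_calls = i + 4, n_calls - 1                        # add edi,5 with [edi+4] preloaded ; loopd
    return bytes(buf)

def filter_calls(code, call_offsets, cto=CTO):
    """Constructed inverse, used only to build test input: at each listed
    call/jmp, rel32 -> marker + big-endian (rel32 + operand offset), which is
    the destination's offset from the section start minus 4."""
    buf = bytearray(code)
    for p in call_offsets:
        i = p + 1
        rel = int.from_bytes(buf[i:i + 4], "little", signed=True)
        buf[i] = cto
        buf[i + 1:i + 4] = ((rel + i) & 0xFFFFFF).to_bytes(3, "big")
    return bytes(buf)

CALLS = (0x00, 0x10, 0x20)   # where the constructed blob has real E8/E9 instructions

def sample_section():
    """Constructed code blob: a call, a jmp and another call to offset 0x40,
    a stray E8 byte at 0x08 that is data, and nop padding."""
    sec = bytearray(b"\x90" * 0x48)
    for p, op in zip(CALLS, (0xE8, 0xE9, 0xE8)):
        sec[p] = op
        sec[p + 1:p + 5] = (0x40 - (p + 5)).to_bytes(4, "little", signed=True)
    sec[0x08:0x0A] = b"\xE8\x07"
    return bytes(sec)
```

After `filter_calls`, all three branches to offset 0x40 carry the same operand bytes `1E 00 00 3C`, which is the point of the filter; `unfilter_calls(filtered, 3)` restores the three distinct rel32 values, skips the stray `E8 07`, and stops after the count in ecx is exhausted, exactly as the `loopd` does.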
0053DEB5 8A07 mov al,byte ptr ds:[edi]
0053DEB7 47 inc edi
0053DEB8 08C0 or al,al
0053DEBA ^ 74 DC je short unEbookE.0053DE98
0053DEBC 89F9 mov ecx,edi
0053DEBE 57 push edi
0053DEBF 48 dec eax
0053DEC0 F2:AE repne scas byte ptr es:[edi]
0053DEC2 55 push ebp
0053DEC3 FF96 ECF41300 call dword ptr ds:[esi+13F4EC]
0053DEC9 09C0 or eax,eax
0053DECB 74 07 je short unEbookE.0053DED4
0053DECD 8903 mov dword ptr ds:[ebx],eax
0053DECF 83C3 04 add ebx,4
0053DED2 ^ EB E1 jmp short unEbookE.0053DEB5 ; this jumps back
The exit from this loop can be seen here, as follows:
0053DEBA ^ 74 DC je short unEbookE.0053DE98
Set a breakpoint at 0053DE98 and F9 to break there; another loop:
0053DE98 8B07 mov eax,dword ptr ds:[edi]
0053DE9A 09C0 or eax,eax
0053DE9C 74 3C je short unEbookE.0053DEDA
0053DE9E 8B5F 04 mov ebx,dword ptr ds:[edi+4]
0053DEA1 8D8430 F8F31300 lea eax,dword ptr ds:[eax+esi+13F3F8]
0053DEA8 01F3 add ebx,esi
0053DEAA 50 push eax
0053DEAB 83C7 08 add edi,8
0053DEAE FF96 E8F41300 call dword ptr ds:[esi+13F4E8]
0053DEB4 95 xchg eax,ebp
0053DEB5 8A07 mov al,byte ptr ds:[edi]
0053DEB7 47 inc edi
0053DEB8 08C0 or al,al
0053DEBA ^ 74 DC je short unEbookE.0053DE98
The exit from this loop is here, as follows:
0053DE9C 74 3C je short unEbookE.0053DEDA
Set a breakpoint at 0053DEDA and F9 to break there, arriving here:
0053DEDA 61 popad
0053DEDB ^ E9 6460F9FF jmp unEbookE.004D3F44 ; destination reached
F8 brings us to the entry point:
004D3F44 55 push ebp
004D3F45 8BEC mov ebp,esp
004D3F47 83C4 F0 add esp,-10
004D3F4A B8 FC3B4D00 mov eax,unEbookE.004D3BFC
004D3F4F E8 582AF3FF call unEbookE.004069AC
004D3F54 A1 E88A4D00 mov eax,dword ptr ds:[4D8AE8]
004D3F59 8B00 mov eax,dword ptr ds:[eax]
004D3F5B E8 586CF9FF call unEbookE.0046ABB8
004D3F60 33C9 xor ecx,ecx
004D3F62 B2 01 mov dl,1
Select the process in LordPE and do a full dump; then in ImportREC select the process, enter 000D3F44 as the OEP, run IAT AutoSearch, then Get Imports, then Fix Dump. 463K => 1.26M. When run, the program flashes and is gone at once, because it has a self-check.
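Two things in this write-up are plain arithmetic on the bytes Olly shows: every branch destination is the address of the next instruction plus the signed displacement (0053DEDB: E9 6460F9FF lands at 004D3F44), and the OEP typed into ImportREC is that address minus the image base, assumed here to be 00400000 since 004D3F44 becomes 000D3F44. The Python below is an added helper, not from the post: it resolves the listing's branches, finds the `popad ; jmp` tail that ends the stub and returns the OEP RVA, and parses the modified entry stub, where this packer inserted `mov dword ptr [edi+D870C],C1AC119F` between `lea edi` and `push edi` (ten bytes a plain UPX signature would not expect). `STUB_ENTRY` and `STUB_TAIL` are transcribed from the listing; `IMAGE_BASE`, the padding and the function names are mine.

```python
IMAGE_BASE = 0x400000   # assumed load address of unEbookE.exe: 004D3F44 - 00400000 = 000D3F44

def branch_target(va, code):
    """Destination of the relative branch whose first bytes are `code`, located
    at virtual address va: next instruction address plus the signed displacement."""
    op = code[0]
    if op == 0xEB or 0x70 <= op <= 0x7F or op == 0xE2:          # jmp/jcc/loop rel8
        size, rel = 2, int.from_bytes(code[1:2], "little", signed=True)
    elif op in (0xE8, 0xE9):                                    # call/jmp rel32
        size, rel = 5, int.from_bytes(code[1:5], "little", signed=True)
    elif op == 0x0F and 0x80 <= code[1] <= 0x8F:                # jcc rel32
        size, rel = 6, int.from_bytes(code[2:6], "little", signed=True)
    else:
        raise ValueError("not a relative branch: %02X" % op)
    return (va + size + rel) & 0xFFFFFFFF

def find_oep(stub_va, stub, image_base=IMAGE_BASE):
    """Find the `popad ; jmp rel32` (61 E9) tail that ends the UPX stub and
    return (OEP virtual address, OEP RVA).  The jump must point below the
    stub, back into the unpacked image; a chance 61 E9 pair is skipped."""
    k = stub.find(b"\x61\xE9")
    while 0 <= k <= len(stub) - 6:
        va = branch_target(stub_va + k + 1, stub[k + 1:k + 6])
        if image_base <= va < stub_va:
            return va, va - image_base
        k = stub.find(b"\x61\xE9", k + 1)
    return None

def upx_entry(code):
    """Parse the entry shape seen at 0053DD70: pushad ; mov esi,src ;
    lea edi,[esi+delta] ; <inserted bytes> ; push edi ; or ebp,-1.
    Returns (src, delta, number of inserted bytes) or None."""
    if code[:2] != b"\x60\xBE" or code[6:8] != b"\x8D\xBE":
        return None
    src = int.from_bytes(code[2:6], "little")
    delta = int.from_bytes(code[8:12], "little", signed=True)
    k = code.find(b"\x57\x83\xCD\xFF", 12, 40)                   # push edi ; or ebp,FFFFFFFF
    return (src, delta, k - 12) if k >= 0 else None

# Byte strings transcribed from the listing (opcode bytes as OllyDbg shows them).
STUB_ENTRY = bytes.fromhex("60" "BE00D04C00" "8DBE0040F3FF" "C7870C870D009F11ACC1" "57" "83CDFF" "EB0E")
STUB_TAIL = bytes.fromhex("FF96F0F41300" "61" "E96460F9FF") + b"\x90" * 4   # from 0053DED4, padded

if __name__ == "__main__":
    src, delta, extra = upx_entry(STUB_ENTRY)
    print("unpacks to %08X, %d inserted bytes in the entry stub" % ((src + delta) & 0xFFFFFFFF, extra))
    va, rva = find_oep(0x0053DED4, STUB_TAIL)
    print("OEP %08X, RVA %08X for ImportREC" % (va, rva))
```

`upx_entry(STUB_ENTRY)` gives src 004CD000 and delta -CC000, which add up to 00401000, the same value that later shows up as `pop esi ; unEbookE.00401000`: the `push edi` at the start and the `pop esi` at 0053DE5E are the same register value going round. `find_oep(0x0053DED4, STUB_TAIL)` returns (004D3F44, 000D3F44), the OEP and the RVA typed into ImportREC.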