-
-
[原创]MPRESS v2.12脱壳分析
-
发表于: 2019-10-8 21:10
-
平时喜欢下棋,发现某某名手软件感觉挺好用的样子,想学习一下用什么软件开发的,用ExeInfo PE 查看一下,发现是MPRESS v2.12^ -> [ v2.19 ] - MATCODE comPRESSor for executables (C) 2007,2010, MATCODE Software - 3e7K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3#2S2N6r3y4G2k6r3g2Q4x3X3g2U0L8$3#2Q4c8f1k6Q4b7V1y4Q4z5p5y4Q4c8e0S2Q4b7V1k6Q4z5e0W2Q4c8e0c8Q4b7U0S2Q4b7f1q4Q4c8e0g2Q4b7e0y4Q4b7U0y4Q4c8e0N6Q4z5f1q4Q4z5o6c8Q4c8f1k6Q4b7V1y4Q4z5p5y4Q4c8e0g2Q4b7e0g2Q4b7V1c8Q4c8e0g2Q4z5o6y4Q4z5p5k6Q4c8e0c8Q4b7U0W2Q4z5p5u0Q4c8e0g2Q4z5o6W2Q4z5p5c8Q4c8e0k6Q4b7U0u0Q4b7e0q4Q4c8e0k6Q4z5f1y4Q4z5o6W2Q4c8e0k6Q4z5p5g2Q4b7e0g2Q4c8e0S2Q4b7e0N6Q4b7e0k6Q4c8e0S2Q4b7V1k6Q4z5o6N6Q4c8f1k6Q4b7V1y4Q4z5p5y4Q4c8e0k6Q4z5f1k6Q4b7e0g2Q4c8e0c8Q4b7V1q4Q4z5o6k6Q4c8e0c8Q4b7U0S2Q4z5o6m8Q4c8e0c8Q4b7U0S2Q4z5p5u0Q4c8e0N6Q4b7V1c8Q4z5e0q4Q4c8e0c8Q4b7U0S2Q4z5p5q4Q4c8f1k6Q4b7V1y4Q4z5p5y4Q4c8e0g2Q4b7U0N6Q4b7U0u0Q4c8e0N6Q4b7V1u0Q4z5p5k6Q4c8e0k6Q4z5f1y4Q4z5o6W2Q4c8e0g2Q4z5o6W2Q4z5p5c8Q4c8e0S2Q4b7V1g2Q4z5o6S2Q4c8e0S2Q4z5o6c8Q4b7U0q4Q4c8e0S2Q4b7V1k6Q4z5o6N6Q4c8e0c8Q4b7V1q4Q4z5o6k6Q4c8f1k6Q4b7V1y4Q4z5p5y4Q4c8e0S2Q4z5o6N6Q4b7f1q4Q4c8e0g2Q4b7U0N6Q4b7U0q4Q4c8e0S2Q4b7U0g2Q4b7U0m8Q4c8e0c8Q4b7U0S2Q4z5o6m8Q4c8e0W2Q4z5o6q4Q4z5p5c8Q4c8e0g2Q4z5e0m8Q4b7e0N6Q4c8f1k6Q4b7V1y4Q4z5p5y4Q4c8e0S2Q4b7f1g2Q4b7U0m8Q4c8e0g2Q4b7V1c8Q4z5e0g2Q4c8e0c8Q4b7U0S2Q4z5o6m8Q4c8e0c8Q4b7U0S2Q4z5p5u0Q4c8e0S2Q4b7V1k6Q4z5o6N6Q4c8e0N6Q4b7e0S2Q4z5p5u0Q4c8e0y4Q4z5o6m8Q4z5o6t1`.
虚拟机运行看看,哇塞,不让运行
没有办法,照样脱。
OD载入:
下断点 BP VirtualProtectEx , Shift+F9 二次,因为
三次就跑飞了,Alt+F9一次,达到004B883F,看到了 GetModuleHandelA 函数了,
继续,往下看找到了 popad了,哇塞,运气太好了,直接下断点 004B889A,按F9,F8 2次进到入口,
OEP 00492846
OEP:
OEP 00492846
赶快DUMP下来,接下了就说常规操作,
FIX DUMP,运行OK了。
原来是 Microsoft Visual C++ ver. 7.1 EXE (3 bytes sign - easy to fake) 这个写的。
接下来继续分析代码,等待后续。
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
AHK=AutoHotKey是一门开源的热键脚本语言 |
|
|
|
