I ran into the ASProtect (aspr) packer the other day,
spent two days reading articles on unpacking it,
and not one of them got me through more than a couple of rounds:
F9 over a call throws an exception,
Shift+F9 pops up a "protection error" message box
warning that a debugger was detected.
Sigh, it's a virus and it still pulls this stuff......
Yesterday I happened to dig an unpacking video tutorial out of my hard disk.
I'm too much of a newbie
to understand the reasoning behind each of the expert's steps,
so I can only copy them mechanically.
If any expert passes by,
please give this newbie a few pointers:
how does he know to do it this way??
Loading stops here:
0041A000 > 68 01204200 push 00422001
0041A005 E8 01000000 call 0041A00B
0041A00A C3 retn
0041A00B C3 retn
First Ctrl+G, GetSystemTime
77E6ECA3 > 55 push ebp ; lands here,
77E6ECA4 8BEC mov ebp, esp
77E6ECA6 83EC 18 sub esp, 18
77E6ECA9 A1 1800FE7F mov eax, dword ptr ds:[7FFE0018]
77E6ECAE 8945 FC mov dword ptr ss:[ebp-4], eax
77E6ECB1 8B0D 1400FE7F mov ecx, dword ptr ds:[7FFE0014]
77E6ECB7 894D F8 mov dword ptr ss:[ebp-8], ecx
77E6ECBA 3B05 1C00FE7F cmp eax, dword ptr ds:[7FFE001C]
77E6ECC0 ^ 75 E7 jnz short 77E6ECA9
77E6ECC2 8D45 E8 lea eax, dword ptr ss:[ebp-18]
77E6ECC5 50 push eax
77E6ECC6 8D45 F8 lea eax, dword ptr ss:[ebp-8]
77E6ECC9 50 push eax
77E6ECCA FF15 BC10E677 call near dword ptr ds:[<&ntdll.RtlTi>; ntdll.RtlTimeToTimeFields
77E6ECD0 8B45 08 mov eax, dword ptr ss:[ebp+8]
77E6ECD3 66:8B4D E8 mov cx, word ptr ss:[ebp-18]
77E6ECD7 66:8908 mov word ptr ds:[eax], cx
77E6ECDA 66:8B4D EA mov cx, word ptr ss:[ebp-16]
77E6ECDE 66:8948 02 mov word ptr ds:[eax+2], cx
77E6ECE2 66:8B4D F6 mov cx, word ptr ss:[ebp-A]
77E6ECE6 66:8948 04 mov word ptr ds:[eax+4], cx
77E6ECEA 66:8B4D EC mov cx, word ptr ss:[ebp-14]
77E6ECEE 66:8948 06 mov word ptr ds:[eax+6], cx
77E6ECF2 66:8B4D EE mov cx, word ptr ss:[ebp-12]
77E6ECF6 66:8948 08 mov word ptr ds:[eax+8], cx
77E6ECFA 66:8B4D F0 mov cx, word ptr ss:[ebp-10]
77E6ECFE 66:8948 0A mov word ptr ds:[eax+A], cx
77E6ED02 66:8B4D F2 mov cx, word ptr ss:[ebp-E]
77E6ED06 66:8948 0C mov word ptr ds:[eax+C], cx
77E6ED0A 66:8B4D F4 mov cx, word ptr ss:[ebp-C]
77E6ED0E 66:8948 0E mov word ptr ds:[eax+E], cx
77E6ED12 C9 leave
77E6ED13 C2 0400 retn 4 ; F4, F8 to return directly.
00D82777 0FB745 F0 movzx eax, word ptr ss:[ebp-10] ; returns here
00D8277B 6BC0 3C imul eax, eax, 3C
00D8277E 66:0345 F2 add ax, word ptr ss:[ebp-E]
00D82782 6BC0 3C imul eax, eax, 3C
00D82785 31D2 xor edx, edx
00D82787 66:8B55 F4 mov dx, word ptr ss:[ebp-C]
00D8278B 01D0 add eax, edx
00D8278D 69C0 E8030000 imul eax, eax, 3E8
00D82793 66:8B55 F6 mov dx, word ptr ss:[ebp-A]
00D82797 01D0 add eax, edx
00D82799 8905 3C30DC00 mov dword ptr ds:[DC303C], eax
00D8279F 8BE5 mov esp, ebp
00D827A1 5D pop ebp
00D827A2 C3 retn ; F4, F8 again
00DC0B37 C3 retn ; returns here, F8
00D83434 3BF3 cmp esi, ebx ; returns here
00D83436 ^ 7F EC jg short 00D83424
00D83438 33C0 xor eax, eax
00D8343A 5A pop edx
00D8343B 59 pop ecx
00D8343C 59 pop ecx
00D8343D 64:8910 mov dword ptr fs:[eax], edx
00D83440 EB 14 jmp short 00D83456
00D83442 ^ E9 21FAFFFF jmp 00D82E68
00D83447 E8 50FFFFFF call 00D8339C
00D8344C E8 1FFDFFFF call 00D83170
00D83451 E8 6EFDFFFF call 00D831C4
00D83456 5F pop edi
00D83457 5E pop esi
00D83458 5B pop ebx
00D83459 5D pop ebp
00D8345A C3 retn ; F4, F8
00D834FA C2 0400 retn 4 ; returns here, F8
00D85DCD C3 retn ; returns here, F8
00DC0F38 E8 8326FCFF call 00D835C0 ; returns here, F7 to step in
00D835C0 53 push ebx
00D835C1 56 push esi
00D835C2 57 push edi
00D835C3 55 push ebp
00D835C4 BB 9C34DC00 mov ebx, 0DC349C
00D835C9 BE 3030DC00 mov esi, 0DC3030
00D835CE BF 3430DC00 mov edi, 0DC3034
00D835D3 807B 24 00 cmp byte ptr ds:[ebx+24], 0
00D835D7 75 16 jnz short 00D835EF
00D835D9 833F 00 cmp dword ptr ds:[edi], 0
00D835DC 74 11 je short 00D835EF
00D835DE 8B17 mov edx, dword ptr ds:[edi]
00D835E0 89D0 mov eax, edx
00D835E2 33D2 xor edx, edx
00D835E4 8917 mov dword ptr ds:[edi], edx
00D835E6 8BE8 mov ebp, eax
00D835E8 FFD5 call near ebp
00D835EA 833F 00 cmp dword ptr ds:[edi], 0
00D835ED ^ 75 EF jnz short 00D835DE
00D835EF 833D 3830DC00 0>cmp dword ptr ds:[DC3038], 0
00D835F6 74 47 je short 00D8363F
00D835F8 E8 3FFFFFFF call 00D8353C
00D835FD 803D 4030DC00 0>cmp byte ptr ds:[DC3040], 0
00D83604 74 16 je short 00D8361C
00D83606 BA 2820DC00 mov edx, 0DC2028 ; ASCII "Runtime error at 00000000"
00D8360B B8 1432DC00 mov eax, 0DC3214
00D83610 E8 FB1E0000 call 00D85510
00D83615 E8 791E0000 call 00D85493
00D8361A EB 1C jmp short 00D83638
00D8361C 803D 0C20DC00 0>cmp byte ptr ds:[DC200C], 0
00D83623 75 13 jnz short 00D83638
00D83625 6A 00 push 0
00D83627 68 4820DC00 push 0DC2048 ; ASCII "Error"
00D8362C 68 2820DC00 push 0DC2028 ; ASCII "Runtime error at 00000000"
00D83631 6A 00 push 0
00D83633 E8 A0DAFFFF call 00D810D8 ; jmp to user32.MessageBoxA
00D83638 33C0 xor eax, eax
00D8363A A3 3830DC00 mov dword ptr ds:[DC3038], eax
00D8363F 807B 24 02 cmp byte ptr ds:[ebx+24], 2
00D83643 75 0A jnz short 00D8364F
00D83645 833E 00 cmp dword ptr ds:[esi], 0
00D83648 75 05 jnz short 00D8364F
00D8364A 33C0 xor eax, eax
00D8364C 8943 0C mov dword ptr ds:[ebx+C], eax
00D8364F E8 48FDFFFF call 00D8339C
00D83654 807B 24 01 cmp byte ptr ds:[ebx+24], 1
00D83658 76 05 jbe short 00D8365F
00D8365A 833E 00 cmp dword ptr ds:[esi], 0
00D8365D 74 1D je short 00D8367C
00D8365F 8B43 10 mov eax, dword ptr ds:[ebx+10]
00D83662 85C0 test eax, eax
00D83664 74 16 je short 00D8367C
00D83666 E8 E9170000 call 00D84E54
00D8366B 8B43 10 mov eax, dword ptr ds:[ebx+10]
00D8366E 8B50 10 mov edx, dword ptr ds:[eax+10]
00D83671 3B50 04 cmp edx, dword ptr ds:[eax+4]
00D83674 74 06 je short 00D8367C
00D83676 52 push edx
00D83677 E8 74DAFFFF call 00D810F0 ; jmp to kernel32.FreeLibrary
00D8367C E8 F3FCFFFF call 00D83374
00D83681 807B 24 01 cmp byte ptr ds:[ebx+24], 1 ; from that big block of English, it seems he breaks after this function and then single-steps, so I hit F4 here.
00D83685 75 03 jnz short 00D8368A ; jumps,
00D83687 FF53 28 call near dword ptr ds:[ebx+28]
00D8368A 807B 24 00 cmp byte ptr ds:[ebx+24], 0
00D8368E 74 05 je short 00D83695 ; doesn't jump,
00D83690 E8 F7FEFFFF call 00D8358C ; step in. He says it's because F8 would just run it; that's my guess, my English is poor.
00D83695 833B 00 cmp dword ptr ds:[ebx], 0
00D83698 75 08 jnz short 00D836A2
00D8369A 8B06 mov eax, dword ptr ds:[esi]
00D8369C 50 push eax
00D8369D E8 2EDAFFFF call 00D810D0 ; jmp to kernel32.ExitProcess
00D8358C BF 9C34DC00 mov edi, 0DC349C ; enter here,
00D83591 8B1D B434DC00 mov ebx, dword ptr ds:[DC34B4]
00D83597 8B2D B034DC00 mov ebp, dword ptr ds:[DC34B0]
00D8359D FF77 1C push dword ptr ds:[edi+1C]
00D835A0 FF77 20 push dword ptr ds:[edi+20]
00D835A3 8B37 mov esi, dword ptr ds:[edi]
00D835A5 B9 0B000000 mov ecx, 0B
00D835AA F3:A5 rep movsd
00D835AC 5F pop edi
00D835AD 5E pop esi
00D835AE 31C0 xor eax, eax
00D835B0 8705 3030DC00 xchg dword ptr ds:[DC3030], eax
00D835B6 F7D8 neg eax
00D835B8 19C0 sbb eax, eax
00D835BA 40 inc eax
00D835BB C9 leave
00D835BC C2 0C00 retn 0C ; F4, F8
00DBFFE2 A1 F02BDC00 mov eax, dword ptr ds:[DC2BF0] ; returns here,
00DBFFE7 8B55 08 mov edx, dword ptr ss:[ebp+8]
00DBFFEA 8910 mov dword ptr ds:[eax], edx
00DBFFEC A1 F02BDC00 mov eax, dword ptr ds:[DC2BF0]
00DBFFF1 8B00 mov eax, dword ptr ds:[eax]
00DBFFF3 8B00 mov eax, dword ptr ds:[eax]
00DBFFF5 8B15 082CDC00 mov edx, dword ptr ds:[DC2C08]
00DBFFFB 8902 mov dword ptr ds:[edx], eax
00DBFFFD E8 7A37FFFF call 00DB377C
00DC0002 33C0 xor eax, eax
00DC0004 55 push ebp
00DC0005 68 3E00DC00 push 0DC003E
00DC000A 64:FF30 push dword ptr fs:[eax]
00DC000D 64:8920 mov dword ptr fs:[eax], esp
00DC0010 68 08EDD800 push 0D8ED08 ; the tutorial says this is the key: Ctrl+G 0d8ed08;
00DC0015 68 7800DC00 push 0DC0078
00DC001A 68 E0F6DB00 push 0DBF6E0
00DC001F 68 18F7DB00 push 0DBF718
00DC0024 68 A4EFDB00 push 0DBEFA4
00DC0029 68 8CEADB00 push 0DBEA8C
00DC002E 68 E8FCDB00 push 0DBFCE8
00DC0033 C3 retn
00D8ED08 68 1F8724DD push DD24871F ; arrives here. Whether I F4 or set a breakpoint, I get "protection error".
(Here the video says:
RDTSC GETS US. ASPROTECT THROWS AN ERROR, SO WE HAVE TO MAKE SURE THE RDTSC PROTECTION IS ALSO BYPASSED.
It seems to say that ASProtect throws an error and that it's related to RDTSC. That's the literal meaning; I don't understand the real connection.)
00D8ED0D 68 2C2A0000 push 2A2C
00D8ED12 68 900A0200 push 20A90
00D8ED17 68 C0200000 push 20C0
00D8ED1C 68 44CC0000 push 0CC44
00D8ED21 68 00F00400 push 4F000
00D8ED26 FF35 D434DC00 push dword ptr ds:[DC34D4]
00D8ED2C E8 23D1FFFF call 00D8BE54
00D8ED31 310424 xor dword ptr ss:[esp], eax
00D8ED34 8B05 D434DC00 mov eax, dword ptr ds:[DC34D4]
00D8ED3A 010424 add dword ptr ss:[esp], eax
00D8ED3D C3 retn
00D8ED3E C3 retn
Then the video used a plugin, probably Phantom; I couldn't see clearly so I'm guessing.
After that I couldn't follow along any further.
Forgive me for embarrassing myself in front of the experts.
If you'd throw a brick my way on purpose to wake me up, I'd thank you.
Lately I keep running into things I can't chew through,
and I don't even know where to start chewing.
Under constant setbacks I'll choose to look again in a couple of days,
and in the constant looking-again I'll take the next blow.
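Added example (not code from the post, the video, or ASProtect itself): the two timing checks this kind of packer combines. Part one re-expresses in C the arithmetic the listing shows right after GetSystemTime returns (hour, minute, second and millisecond fields folded into milliseconds since midnight and stored for a later comparison); part two is a generic RDTSC delta check of the kind the video's "RDTSC protection" remark refers to. The threshold values, the constructed sample times, and the non-x86 fallback clock are assumptions for illustration only.

```c
/* Timing checks of the kind a packer uses to spot single-stepping.
 * Added example; constants and sample inputs are constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#endif

/* The four Win32 SYSTEMTIME fields the listing reads back at
 * [ebp-10], [ebp-E], [ebp-C] and [ebp-A] after GetSystemTime. */
struct systemtime_fields {
    uint16_t hour, minute, second, milliseconds;
};

/* ((hour*60 + minute)*60 + second)*1000 + ms, the imul/add chain
 * at 00D82777..00D82797 in the post (stored to ds:[DC303C] there). */
uint32_t ms_since_midnight(const struct systemtime_fields *t)
{
    uint32_t v = t->hour;
    v = v * 60 + t->minute;
    v = v * 60 + t->second;
    v = v * 1000 + t->milliseconds;
    return v;
}

/* Wall-clock ms between two samples, tolerating the midnight wrap
 * (a detail the packer's own check may or may not handle). */
uint32_t elapsed_ms(uint32_t start, uint32_t now)
{
    const uint32_t day_ms = 24u * 60u * 60u * 1000u;
    return (now >= start) ? now - start : now + day_ms - start;
}

/* A stretch that was single-stepped or stopped at a breakpoint takes
 * far longer than native execution; returns 1 when delta > limit. */
int debugger_suspected(uint64_t start, uint64_t now, uint64_t limit)
{
    return (now - start) > limit;
}

/* Read the time-stamp counter on x86. The fallback clock is an
 * assumption for portability of this example; it is not what the
 * packer does. */
uint64_t read_counter(void)
{
#if defined(__x86_64__) || defined(__i386__)
    return __rdtsc();
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

int main(void)
{
    /* Constructed samples: 13:07:09.250 and 13:07:10.100 */
    struct systemtime_fields t0 = { 13, 7, 9, 250 };
    struct systemtime_fields t1 = { 13, 7, 10, 100 };
    printf("ms since midnight: %u\n", ms_since_midnight(&t0));
    printf("elapsed: %u ms\n",
           elapsed_ms(ms_since_midnight(&t0), ms_since_midnight(&t1)));

    uint64_t a = read_counter();
    volatile uint32_t sink = 0;
    for (uint32_t i = 0; i < 1000; i++) sink += i;   /* the "protected" stretch */
    uint64_t b = read_counter();
    /* Assumed limit: generous for native execution, far too small for
     * a stretch that was single-stepped in a debugger. */
    printf("delta=%llu suspected=%d\n", (unsigned long long)(b - a),
           debugger_suspected(a, b, 10000000ull));
    return 0;
}
```

Stepping through the loop between the two read_counter() calls with F7/F8 makes the delta explode, which is the same effect the "protection error" box in the post reports; the GetSystemTime-based value is the coarse (millisecond) version of the same idea, so both sources have to be handled when bypassing such a check.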