不错的ASPack 2.doc

上传人：文库蛋蛋多

文档编号：3026457

上传时间：2023-03-09

格式：DOC

页数：17

大小：40KB

《不错的ASPack 2.doc》由会员分享，可在线阅读，更多相关《不错的ASPack 2.doc（17页珍藏版）》请在三一办公上搜索。

1、不错的ASPack 2.12（Alexey Solodovnikov ）脱壳2009-07-05 10:03首先来看这个程序：下载地址:notepad.exe我们用PEiD打开看看到壳子是ASPack 2.12 - Alexey Solodovnikov的这个也是很基础的了用Ollydbg打开程序，忽略全部异常01010001 60 PUSHAD01010002 E8 03000000 CALL notepad.0101000A ; 走01010008 EB 04 JMP SHORT notepad.0101000E ; 跳0101000E E8 01000000 CALL notepad.0

2、1010014 ; F7跳01010014 5D POP EBP ; 跳到这里了01010015 BB EDFFFFFF MOV EBX,-130101001A 03DD ADD EBX,EBP0101001C 81EB 00000100 SUB EBX,10000 01010022 83BD 22040000 CMP DWORD PTR SS:EBP+422,001010029 899D 22040000 MOV DWORD PTR SS:EBP+422,EBX0101002F 0F85 65030000 JNZ notepad.0101039A ; 第一次没有成立01010035 8D85

3、 2E040000 LEA EAX,DWORD PTR SS:EBP+42E0101003B 50 PUSH EAX0101003C FF95 4D0F0000 CALL DWORD PTR SS:EBP+F4D ; 一路的call都是f8直接走01010042 8985 26040000 MOV DWORD PTR SS:EBP+426,EAX01010048 8BF8 MOV EDI,EAX0101004A 8D5D 5E LEA EBX,DWORD PTR SS:EBP+5E0101004D 53 PUSH EBX0101004E 50 PUSH EAX0101004F FF95 490

4、F0000 CALL DWORD PTR SS:EBP+F4901010055 8985 4D050000 MOV DWORD PTR SS:EBP+54D,EAX0101005B 8D5D 6B LEA EBX,DWORD PTR SS:EBP+6B0101005E 53 PUSH EBX0101005F 57 PUSH EDI01010060 FF95 490F0000 CALL DWORD PTR SS:EBP+F4901010066 8985 51050000 MOV DWORD PTR SS:EBP+551,EAX0101006C 8D45 77 LEA EAX,DWORD PTR

5、SS:EBP+770101006F FFE0 JMP EAX ; 这里跳0101008A 8B9D 31050000 MOV EBX,DWORD PTR SS:EBP+531 ; 跳到这里01010090 0BDB OR EBX,EBX01010092 74 0A JE SHORT notepad.0101009E ; 成立了，跳0101009E 8DB5 69050000 LEA ESI,DWORD PTR SS:EBP+569 ; 跳到这里010100A4 833E 00 CMP DWORD PTR DS:ESI,0010100A7 0F84 21010000 JE notepad.010

6、101CE ; 没成立010100AD 6A 04 PUSH 4010100AF 68 00100000 PUSH 1000010100B4 68 00180000 PUSH 1800010100B9 6A 00 PUSH 0010100BB FF95 4D050000 CALL DWORD PTR SS:EBP+54D ; 一路f8走010100C1 8985 56010000 MOV DWORD PTR SS:EBP+156,EAX010100C7 8B46 04 MOV EAX,DWORD PTR DS:ESI+4010100CA 05 0E010000 ADD EAX,10E01010

7、0CF 6A 04 PUSH 4010100D1 68 00100000 PUSH 1000010100D6 50 PUSH EAX010100D7 6A 00 PUSH 0010100D9 FF95 4D050000 CALL DWORD PTR SS:EBP+54D010100DF 8985 52010000 MOV DWORD PTR SS:EBP+152,EAX010100E5 56 PUSH ESI010100E6 8B1E MOV EBX,DWORD PTR DS:ESI010100E8 039D 22040000 ADD EBX,DWORD PTR SS:EBP+42201010

8、0EE FFB5 56010000 PUSH DWORD PTR SS:EBP+156010100F4 FF76 04 PUSH DWORD PTR DS:ESI+4010100F7 50 PUSH EAX010100F8 53 PUSH EBX010100F9 E8 6E050000 CALL notepad.0101066C010100FE B3 01 MOV BL,101010100 80FB 00 CMP BL,001010103 75 5E JNZ SHORT notepad.0101016301010105 FE85 EC000000 INC BYTE PTR SS:EBP+EC0

9、101010B 8B3E MOV EDI,DWORD PTR DS:ESI0101010D 03BD 22040000 ADD EDI,DWORD PTR SS:EBP+42201010113 FF37 PUSH DWORD PTR DS:EDI01010115 C607 C3 MOV BYTE PTR DS:EDI,0C301010118 FFD7 CALL EDI0101011A 8F07 POP DWORD PTR DS:EDI0101011C 50 PUSH EAX0101011D 51 PUSH ECX0101011E 56 PUSH ESI0101011F 53 PUSH EBX0

10、1010120 8BC8 MOV ECX,EAX01010122 83E9 06 SUB ECX,601010125 8BB5 52010000 MOV ESI,DWORD PTR SS:EBP+1520101012B 33DB XOR EBX,EBX0101012D 0BC9 OR ECX,ECX0101012F 74 2E JE SHORT notepad.0101015F ; 没成立01010131 78 2C JS SHORT notepad.0101015F01010133 AC LODS BYTE PTR DS:ESI01010134 3C E8 CMP AL,0E80101013

11、6 74 0A JE SHORT notepad.0101014201010138 EB 00 JMP SHORT notepad.0101013A ; 这里跳了0101013A 3C E9 CMP AL,0E9 ; 跳到这里0101013C 74 04 JE SHORT notepad.01010142 ; 没成立0101013E 43 INC EBX0101013F 49 DEC ECX01010140 EB EB JMP SHORT notepad.0101012D ; 这里回跳，所以直接在没 ; 成立的0101012F处回车0101015F 5B POP EBX ; F4 run过来0

12、1010160 5E POP ESI01010161 59 POP ECX01010162 58 POP EAX01010163 EB 08 JMP SHORT notepad.0101016D ; 跳走0101016D 8BC8 MOV ECX,EAX ; 到这里，一路F8走0101016F 8B3E MOV EDI,DWORD PTR DS:ESI01010171 03BD 22040000 ADD EDI,DWORD PTR SS:EBP+42201010177 8BB5 52010000 MOV ESI,DWORD PTR SS:EBP+1520101017D C1F9 02 SAR

13、ECX,201010180 F3:A5 REP MOVS DWORD PTR ES:EDI,DWORD PTR DS01010182 8BC8 MOV ECX,EAX01010184 83E1 03 AND ECX,301010187 F3:A4 REP MOVS BYTE PTR ES:EDI,BYTE PTR DS:01010189 5E POP ESI0101018A 68 00800000 PUSH 80000101018F 6A 00 PUSH 001010191 FFB5 52010000 PUSH DWORD PTR SS:EBP+15201010197 FF95 5105000

14、0 CALL DWORD PTR SS:EBP+5510101019D 83C6 08 ADD ESI,8010101A0 833E 00 CMP DWORD PTR DS:ESI,0010101A3 0F85 1EFFFFFF JNZ notepad.010100C7 ; 又是回跳010101A9 68 00800000 PUSH 8000 ; 所以下断，F9 run过来010101AE 6A 00 PUSH 0010101B0 FFB5 56010000 PUSH DWORD PTR SS:EBP+156010101B6 FF95 51050000 CALL DWORD PTR SS:EB

15、P+551010101BC 8B9D 31050000 MOV EBX,DWORD PTR SS:EBP+531010101C2 0BDB OR EBX,EBX010101C4 74 08 JE SHORT notepad.010101CE ; 跳010101CE 8B95 22040000 MOV EDX,DWORD PTR SS:EBP+422 ; 跳到010101D4 8B85 2D050000 MOV EAX,DWORD PTR SS:EBP+52D010101DA 2BD0 SUB EDX,EAX010101DC 74 79 JE SHORT notepad.01010257 ; 跳

16、01010257 8B95 22040000 MOV EDX,DWORD PTR SS:EBP+422 ; 跳到0101025D 8BB5 41050000 MOV ESI,DWORD PTR SS:EBP+54101010263 0BF6 OR ESI,ESI01010265 74 11 JE SHORT notepad.01010278 ; 跳01010278 BE 50660000 MOV ESI,6650 ; 跳到0101027D 8B95 22040000 MOV EDX,DWORD PTR SS:EBP+42201010283 03F2 ADD ESI,EDX01010285 8B

17、46 0C MOV EAX,DWORD PTR DS:ESI+C01010288 85C0 TEST EAX,EAX0101028A 0F84 0A010000 JE notepad.0101039A01010290 03C2 ADD EAX,EDX01010292 8BD8 MOV EBX,EAX01010294 50 PUSH EAX01010295 FF95 4D0F0000 CALL DWORD PTR SS:EBP+F4D0101029B 85C0 TEST EAX,EAX0101029D 75 07 JNZ SHORT notepad.010102A6 ; 跳010102A6 89

18、85 45050000 MOV DWORD PTR SS:EBP+545,EAX ; 跳到010102AC C785 49050000 0MOV DWORD PTR SS:EBP+549,0010102B6 8B95 22040000 MOV EDX,DWORD PTR SS:EBP+422010102BC 8B06 MOV EAX,DWORD PTR DS:ESI010102BE 85C0 TEST EAX,EAX010102C0 75 03 JNZ SHORT notepad.010102C5 ; 跳010102C5 03C2 ADD EAX,EDX ; 跳到，后面一律F8走010102C

19、7 0385 49050000 ADD EAX,DWORD PTR SS:EBP+549010102CD 8B18 MOV EBX,DWORD PTR DS:EAX010102CF 8B7E 10 MOV EDI,DWORD PTR DS:ESI+10010102D2 03FA ADD EDI,EDX010102D4 03BD 49050000 ADD EDI,DWORD PTR SS:EBP+549010102DA 85DB TEST EBX,EBX010102DC 0F84 A2000000 JE notepad.01010384010102E2 F7C3 00000080 TEST EB

20、X,80000000010102E8 75 04 JNZ SHORT notepad.010102EE010102EA 03DA ADD EBX,EDX010102EC 43 INC EBX010102ED 43 INC EBX010102EE 53 PUSH EBX010102EF 81E3 FFFFFF7F AND EBX,7FFFFFFF010102F5 53 PUSH EBX010102F6 FFB5 45050000 PUSH DWORD PTR SS:EBP+545010102FC FF95 490F0000 CALL DWORD PTR SS:EBP+F4901010302 85

21、C0 TEST EAX,EAX01010304 5B POP EBX01010305 75 6F JNZ SHORT notepad.0101037601010307 F7C3 00000080 TEST EBX,800000000101030D 75 19 JNZ SHORT notepad.010103280101030F 57 PUSH EDI01010310 8B46 0C MOV EAX,DWORD PTR DS:ESI+C01010313 0385 22040000 ADD EAX,DWORD PTR SS:EBP+42201010319 50 PUSH EAX0101031A 5

22、3 PUSH EBX0101031B 8D85 75040000 LEA EAX,DWORD PTR SS:EBP+47501010321 50 PUSH EAX01010322 57 PUSH EDI01010323 E9 98000000 JMP notepad.010103C001010328 81E3 FFFFFF7F AND EBX,7FFFFFFF0101032E 8B85 26040000 MOV EAX,DWORD PTR SS:EBP+42601010334 3985 45050000 CMP DWORD PTR SS:EBP+545,EAX0101033A 75 24 JN

23、Z SHORT notepad.010103600101033C 57 PUSH EDI0101033D 8BD3 MOV EDX,EBX0101033F 4A DEC EDX01010340 C1E2 02 SHL EDX,201010343 8B9D 45050000 MOV EBX,DWORD PTR SS:EBP+54501010349 8B7B 3C MOV EDI,DWORD PTR DS:EBX+3C0101034C 8B7C3B 78 MOV EDI,DWORD PTR DS:EBX+EDI+7801010350 035C3B 1C ADD EBX,DWORD PTR DS:E

24、BX+EDI+1C01010354 8B0413 MOV EAX,DWORD PTR DS:EBX+EDX01010357 0385 45050000 ADD EAX,DWORD PTR SS:EBP+5450101035D 5F POP EDI0101035E EB 16 JMP SHORT notepad.0101037601010360 57 PUSH EDI01010361 8B46 0C MOV EAX,DWORD PTR DS:ESI+C01010364 0385 22040000 ADD EAX,DWORD PTR SS:EBP+4220101036A 50 PUSH EAX01

25、01036B 53 PUSH EBX0101036C 8D85 C6040000 LEA EAX,DWORD PTR SS:EBP+4C601010372 50 PUSH EAX01010373 57 PUSH EDI01010374 EB 4A JMP SHORT notepad.010103C001010376 8907 MOV DWORD PTR DS:EDI,EAX01010378 8385 49050000 0ADD DWORD PTR SS:EBP+549,40101037F E9 32FFFFFF JMP notepad.010102B6 ; 到这里观察，回跳01010384 8

26、906 MOV DWORD PTR DS:ESI,EAX01010386 8946 0C MOV DWORD PTR DS:ESI+C,EAX01010389 8946 10 MOV DWORD PTR DS:ESI+10,EAX0101038C 83C6 14 ADD ESI,140101038F 8B95 22040000 MOV EDX,DWORD PTR SS:EBP+42201010395 E9 EBFEFFFF JMP notepad.01010285 ; 又是回跳0101039A B8 20640000 MOV EAX,6420 ; 所以下断,F9 run过来0101039F 5

27、0 PUSH EAX010103A0 0385 22040000 ADD EAX,DWORD PTR SS:EBP+422010103A6 59 POP ECX010103A7 0BC9 OR ECX,ECX010103A9 8985 A8030000 MOV DWORD PTR SS:EBP+3A8,EAX010103AF 61 POPAD ; 到这里已经有点曙光了010103B0 /75 08 JNZ SHORT notepad.010103BA010103BA 68 20640001 PUSH notepad.01006420010103BF C3 RETN ; 跳01006420 .

28、55 PUSH EBP ; 跳到这里，一看，显然是 ; oep了一切ok，dump下来01006421 . 8BEC MOV EBP,ESP01006423 . 6A FF PUSH -101006425 . 68 88180001 PUSH notepad.010018880100642A . 68 D0650001 PUSH notepad.010065D00100642F . 64:A1 0000000MOV EAX,DWORD PTR FS:001006435 . 50 PUSH EAX01006436 . 64:8925 00000MOV DWORD PTR FS:0,ESP0100

29、643D . 83C4 98 ADD ESP,-6801006440 . 53 PUSH EBX01006441 . 56 PUSH ESI01006442 . 57 PUSH EDI01006443 . 8965 E8 MOV DWORD PTR SS:EBP-18,ESP . . .打开importREC选择该进程-oep填写为6420-点iat autosearch-get import,指针全部有效-点fix dump修正dump下来的文件.搞定.得到脱壳文件dump_notepad.exe运行，证明没有问题。学习概要：1 基本操作：下断和如何使用F7 F8 F92 回跳的处理方式：在下一句F4 run过去