首先来看这个程序:
下载地址:
notepad.exe
我们用PEiD打开看
看到壳子是ASPack 2.12 -> Alexey Solodovnikov的(PEiD 的签名只是提示,是可以被伪造的;入口处先 PUSHAD、再用 CALL/POP EBP 取自身基址的写法与 ASPack 一致,可以作为旁证)
这个也是很基础的了
用 OllyDbg 打开程序,在 Options -> Debugging options -> Exceptions 里勾选忽略全部异常,这样壳运行过程中产生的异常不会把调试器停下来。这里的样本是 notepad.exe,但同样的脱壳流程也会用在可疑程序上,建议一律在隔离的虚拟机里操作。
01010001 60 PUSHAD ; ASPack stub entry: save all GPRs; matched by the POPAD at 010103AF just before the OEP jump
01010002 E8 03000000 CALL notepad.0101000A ; step into it (F7)
01010008 EB 04 JMP SHORT notepad.0101000E ; taken
0101000E E8 01000000 CALL notepad.01010014 ; F7: pushes its own return address (01010013), which the POP below picks up
01010014 5D POP EBP ; landed here; EBP = 01010013 = the stub's self-relative base. Every [EBP+xx] below is stub data
01010015 BB EDFFFFFF MOV EBX,-13
0101001A 03DD ADD EBX,EBP ; EBX = 01010000
0101001C 81EB 00000100 SUB EBX,10000 ; EBX = 01000000 = the actual load address (image base)
01010022 83BD 22040000 CMP DWORD PTR SS:[EBP+422],0 ; [EBP+422] holds the saved image base; non-zero means the stub was already initialised
01010029 899D 22040000 MOV DWORD PTR SS:[EBP+422],EBX
0101002F 0F85 65030000 JNZ notepad.0101039A ; not taken on the first run; otherwise skip straight to the OEP transfer
01010035 8D85 2E040000 LEA EAX,DWORD PTR SS:[EBP+42E] ; pointer to a string in stub data (presumably a DLL name; the bytes are not shown here)
0101003B 50 PUSH EAX
0101003C FF95 4D0F0000 CALL DWORD PTR SS:[EBP+F4D] ; stub import taking one string and returning a module handle (GetModuleHandleA/LoadLibraryA-like; not verified here). Step over every CALL in this stretch with F8
01010042 8985 26040000 MOV DWORD PTR SS:[EBP+426],EAX ; [EBP+426] = that module handle; the import loop compares against it at 01010334
01010048 8BF8 MOV EDI,EAX
0101004A 8D5D 5E LEA EBX,DWORD PTR SS:[EBP+5E] ; second string in stub data (a function name)
0101004D 53 PUSH EBX
0101004E 50 PUSH EAX
0101004F FF95 490F0000 CALL DWORD PTR SS:[EBP+F49] ; (module, name) -> address: the GetProcAddress-style resolver, reused by the import loop at 010102FC
01010055 8985 4D050000 MOV DWORD PTR SS:[EBP+54D],EAX ; resolved API #1; later called with (0, size, 1000, 4), i.e. VirtualAlloc-style arguments (MEM_COMMIT, PAGE_READWRITE)
0101005B 8D5D 6B LEA EBX,DWORD PTR SS:[EBP+6B] ; third string (another function name)
0101005E 53 PUSH EBX
0101005F 57 PUSH EDI
01010060 FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]
01010066 8985 51050000 MOV DWORD PTR SS:[EBP+551],EAX ; resolved API #2; later called with (addr, 0, 8000), i.e. VirtualFree(MEM_RELEASE)-style arguments
0101006C 8D45 77 LEA EAX,DWORD PTR SS:[EBP+77] ; EBP+77 = 0101008A
0101006F FFE0 JMP EAX ; indirect jump over the stub's embedded data; lands at 0101008A
0101008A 8B9D 31050000 MOV EBX,DWORD PTR SS:[EBP+531] ; landed here from JMP EAX; [EBP+531] is a stub flag (its meaning is not visible in this excerpt)
01010090 0BDB OR EBX,EBX
01010092 74 0A JE SHORT notepad.0101009E ; flag is zero, so taken: 01010094..0101009D (not shown) is skipped
0101009E 8DB5 69050000 LEA ESI,DWORD PTR SS:[EBP+569] ; ESI -> table of 8-byte entries: [+0] section RVA, [+4] size; zero-terminated (see 010100A4 and 010101A0)
010100A4 833E 00 CMP DWORD PTR DS:[ESI],0
010100A7 0F84 21010000 JE notepad.010101CE ; empty table -> nothing to unpack; not taken here
010100AD 6A 04 PUSH 4 ; PAGE_READWRITE
010100AF 68 00100000 PUSH 1000 ; MEM_COMMIT
010100B4 68 00180000 PUSH 1800 ; size 0x1800
010100B9 6A 00 PUSH 0 ; lpAddress = NULL
010100BB FF95 4D050000 CALL DWORD PTR SS:[EBP+54D] ; VirtualAlloc-style call (API resolved at 01010055); F8 over it
010100C1 8985 56010000 MOV DWORD PTR SS:[EBP+156],EAX ; [EBP+156] = scratch buffer handed to the decompressor; released at 010101B6
010100C7 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4] ; per-section loop head (010101A3 jumps back here): EAX = size field of the entry
010100CA 05 0E010000 ADD EAX,10E ; plus 0x10E bytes of headroom
010100CF 6A 04 PUSH 4
010100D1 68 00100000 PUSH 1000
010100D6 50 PUSH EAX
010100D7 6A 00 PUSH 0
010100D9 FF95 4D050000 CALL DWORD PTR SS:[EBP+54D] ; second VirtualAlloc-style call: the output buffer for this section
010100DF 8985 52010000 MOV DWORD PTR SS:[EBP+152],EAX ; [EBP+152] = per-section output buffer
010100E5 56 PUSH ESI ; save the table cursor (restored at 01010189)
010100E6 8B1E MOV EBX,DWORD PTR DS:[ESI]
010100E8 039D 22040000 ADD EBX,DWORD PTR SS:[EBP+422] ; EBX = section VA = RVA + image base
010100EE FFB5 56010000 PUSH DWORD PTR SS:[EBP+156] ; scratch buffer
010100F4 FF76 04 PUSH DWORD PTR DS:[ESI+4] ; size
010100F7 50 PUSH EAX ; output buffer
010100F8 53 PUSH EBX ; packed section VA
010100F9 E8 6E050000 CALL notepad.0101066C ; presumably the decompressor (body not shown); its EAX is used as the byte count below (0101016D) and at 01010120
010100FE B3 01 MOV BL,1 ; NOTE: this immediate is the byte at 010100FF, which the INC at 01010105 patches (EBP+EC = 010100FF). It starts as 0, so the E8/E9 fixup below runs exactly once, for the first section; this listing was captured after the patch
01010100 80FB 00 CMP BL,0
01010103 75 5E JNZ SHORT notepad.01010163 ; fixup already done -> skip it for the remaining sections
01010105 FE85 EC000000 INC BYTE PTR SS:[EBP+EC] ; self-modifying code: turns the MOV BL,0 above into MOV BL,1
0101010B 8B3E MOV EDI,DWORD PTR DS:[ESI]
0101010D 03BD 22040000 ADD EDI,DWORD PTR SS:[EBP+422] ; EDI = section VA
01010113 FF37 PUSH DWORD PTR DS:[EDI] ; save the section's first dword
01010115 C607 C3 MOV BYTE PTR DS:[EDI],0C3 ; overwrite its first byte with RET...
01010118 FFD7 CALL EDI ; ...execute it (returns immediately)...
0101011A 8F07 POP DWORD PTR DS:[EDI] ; ...and restore the dword. The purpose is not evident here; it does require the section to be writable AND executable at this point
0101011C 50 PUSH EAX
0101011D 51 PUSH ECX
0101011E 56 PUSH ESI
0101011F 53 PUSH EBX
01010120 8BC8 MOV ECX,EAX
01010122 83E9 06 SUB ECX,6 ; ECX = bytes to scan = length - 6, so a 5-byte E8/E9 instruction can never be read past the end
01010125 8BB5 52010000 MOV ESI,DWORD PTR SS:[EBP+152] ; ESI = decompressed data
0101012B 33DB XOR EBX,EBX ; EBX = current offset in that data
0101012D 0BC9 OR ECX,ECX ; scan loop head
0101012F 74 2E JE SHORT notepad.0101015F ; not taken until the count is exhausted
01010131 78 2C JS SHORT notepad.0101015F ; also exits if the length was < 6
01010133 AC LODS BYTE PTR DS:[ESI]
01010134 3C E8 CMP AL,0E8 ; CALL rel32 opcode?
01010136 74 0A JE SHORT notepad.01010142 ; 01010142..0101015E (not shown) presumably rewrites the rel32 target (undoing the packer's E8/E9 transform)
01010138 EB 00 JMP SHORT notepad.0101013A ; EB 00 is a jump to the next instruction (no-op); taken
0101013A 3C E9 CMP AL,0E9 ; JMP rel32 opcode?
0101013C 74 04 JE SHORT notepad.01010142 ; not taken for this byte
0101013E 43 INC EBX
0101013F 49 DEC ECX
01010140 ^ EB EB JMP SHORT notepad.0101012D ; backward jump: one iteration per byte. Do not single-step this loop; put the cursor on
; the exit 0101015F (press Enter on the not-taken JE at 0101012F to get there) and use F4 (run to selection)
0101015F 5B POP EBX ; F4 lands here once the scan has finished
01010160 5E POP ESI
01010161 59 POP ECX
01010162 58 POP EAX ; EAX = decompressed length again
01010163 EB 08 JMP SHORT notepad.0101016D ; also the target of the JNZ at 01010103
0101016D 8BC8 MOV ECX,EAX ; from here on, F8
0101016F 8B3E MOV EDI,DWORD PTR DS:[ESI]
01010171 03BD 22040000 ADD EDI,DWORD PTR SS:[EBP+422] ; EDI = destination = section VA inside the mapped image
01010177 8BB5 52010000 MOV ESI,DWORD PTR SS:[EBP+152] ; ESI = source = decompressed data
0101017D C1F9 02 SAR ECX,2 ; dword count
01010180 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> ; copy whole dwords (second operand truncated by OllyDbg: DS:[ESI])
01010182 8BC8 MOV ECX,EAX
01010184 83E1 03 AND ECX,3 ; remaining 0..3 bytes
01010187 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[> ; (truncated by OllyDbg: DS:[ESI])
01010189 5E POP ESI ; restore the table cursor
0101018A 68 00800000 PUSH 8000 ; MEM_RELEASE
0101018F 6A 00 PUSH 0
01010191 FFB5 52010000 PUSH DWORD PTR SS:[EBP+152]
01010197 FF95 51050000 CALL DWORD PTR SS:[EBP+551] ; VirtualFree-style call on the output buffer
0101019D 83C6 08 ADD ESI,8 ; next 8-byte table entry
010101A0 833E 00 CMP DWORD PTR DS:[ESI],0
010101A3 ^ 0F85 1EFFFFFF JNZ notepad.010100C7 ; backward jump: one iteration per packed section
010101A9 68 00800000 PUSH 8000 ; so set a breakpoint here and F9 (run) to it
010101AE 6A 00 PUSH 0
010101B0 FFB5 56010000 PUSH DWORD PTR SS:[EBP+156]
010101B6 FF95 51050000 CALL DWORD PTR SS:[EBP+551] ; release the scratch buffer
010101BC 8B9D 31050000 MOV EBX,DWORD PTR SS:[EBP+531] ; same flag as at 0101008A
010101C2 0BDB OR EBX,EBX
010101C4 74 08 JE SHORT notepad.010101CE ; zero -> taken
010101CE 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422] ; landed here; EDX = actual image base
010101D4 8B85 2D050000 MOV EAX,DWORD PTR SS:[EBP+52D] ; [EBP+52D]: presumably the preferred image base from the headers (not visible here)
010101DA 2BD0 SUB EDX,EAX ; EDX = actual - preferred
010101DC 74 79 JE SHORT notepad.01010257 ; zero difference: nothing to relocate, so 010101DE..01010256 (not shown) is skipped. Taken here
01010257 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422] ; landed here
0101025D 8BB5 41050000 MOV ESI,DWORD PTR SS:[EBP+541] ; another stub field; zero for this sample
01010263 0BF6 OR ESI,ESI
01010265 74 11 JE SHORT notepad.01010278 ; taken: 01010267..01010277 (not shown) is skipped
01010278 BE 50660000 MOV ESI,6650 ; landed here; RVA of the original import directory (01000000 + 6650 = 01006650)
0101027D 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
01010283 03F2 ADD ESI,EDX ; ESI -> first 0x14-byte descriptor: [+0] thunk RVA, [+C] DLL-name RVA, [+10] IAT RVA (the IMAGE_IMPORT_DESCRIPTOR layout)
01010285 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C] ; per-DLL loop head (01010395 jumps back here): DLL name RVA
01010288 85C0 TEST EAX,EAX
0101028A 0F84 0A010000 JE notepad.0101039A ; null descriptor = end of the table -> OEP transfer
01010290 03C2 ADD EAX,EDX ; EAX = DLL name VA
01010292 8BD8 MOV EBX,EAX
01010294 50 PUSH EAX
01010295 FF95 4D0F0000 CALL DWORD PTR SS:[EBP+F4D] ; get/load the module by name (same import as at 0101003C)
0101029B 85C0 TEST EAX,EAX
0101029D 75 07 JNZ SHORT notepad.010102A6 ; taken on success; 0101029F..010102A5 (not shown) is the failure path
010102A6 8985 45050000 MOV DWORD PTR SS:[EBP+545],EAX ; landed here; [EBP+545] = current module handle
010102AC C785 49050000 0>MOV DWORD PTR SS:[EBP+549],0 ; [EBP+549] = byte offset into this DLL's thunk and IAT arrays (operand truncated by OllyDbg)
010102B6 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422] ; per-function loop head (0101037F jumps back here)
010102BC 8B06 MOV EAX,DWORD PTR DS:[ESI] ; thunk (name table) RVA
010102BE 85C0 TEST EAX,EAX
010102C0 75 03 JNZ SHORT notepad.010102C5 ; taken; 010102C2..010102C4 (not shown) handles a missing thunk table
010102C5 03C2 ADD EAX,EDX ; landed here; from now on just F8
010102C7 0385 49050000 ADD EAX,DWORD PTR SS:[EBP+549] ; EAX = VA of the current thunk entry
010102CD 8B18 MOV EBX,DWORD PTR DS:[EAX] ; EBX = thunk value: name RVA, or ordinal with bit 31 set
010102CF 8B7E 10 MOV EDI,DWORD PTR DS:[ESI+10]
010102D2 03FA ADD EDI,EDX
010102D4 03BD 49050000 ADD EDI,DWORD PTR SS:[EBP+549] ; EDI -> IAT slot to fill
010102DA 85DB TEST EBX,EBX
010102DC 0F84 A2000000 JE notepad.01010384 ; zero thunk = end of this DLL's list
010102E2 F7C3 00000080 TEST EBX,80000000 ; IMAGE_ORDINAL_FLAG32?
010102E8 75 04 JNZ SHORT notepad.010102EE ; import by ordinal: keep EBX as is
010102EA 03DA ADD EBX,EDX ; import by name: VA of the IMAGE_IMPORT_BY_NAME entry...
010102EC 43 INC EBX
010102ED 43 INC EBX ; ...+2 skips the Hint word, so EBX -> ASCII function name
010102EE 53 PUSH EBX ; keep the raw value (flag bit included) for the checks below
010102EF 81E3 FFFFFF7F AND EBX,7FFFFFFF ; ordinal without the flag (a name pointer is unaffected)
010102F5 53 PUSH EBX
010102F6 FFB5 45050000 PUSH DWORD PTR SS:[EBP+545]
010102FC FF95 490F0000 CALL DWORD PTR SS:[EBP+F49] ; GetProcAddress-style resolver (module, name-or-ordinal)
01010302 85C0 TEST EAX,EAX
01010304 5B POP EBX
01010305 75 6F JNZ SHORT notepad.01010376 ; resolved -> store it
01010307 F7C3 00000080 TEST EBX,80000000 ; resolution failed: was it by ordinal?
0101030D 75 19 JNZ SHORT notepad.01010328
0101030F 57 PUSH EDI ; by-name failure: hand (IAT slot, DLL name, func name, [EBP+475], IAT slot) to the code at 010103C0 (not shown)
01010310 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
01010313 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
01010319 50 PUSH EAX
0101031A 53 PUSH EBX
0101031B 8D85 75040000 LEA EAX,DWORD PTR SS:[EBP+475]
01010321 50 PUSH EAX
01010322 57 PUSH EDI
01010323 E9 98000000 JMP notepad.010103C0
01010328 81E3 FFFFFF7F AND EBX,7FFFFFFF ; by-ordinal failure: EBX = ordinal
0101032E 8B85 26040000 MOV EAX,DWORD PTR SS:[EBP+426]
01010334 3985 45050000 CMP DWORD PTR SS:[EBP+545],EAX ; is this the module obtained at 01010042?
0101033A 75 24 JNZ SHORT notepad.01010360 ; no -> 01010360
0101033C 57 PUSH EDI ; yes -> resolve the ordinal by walking that module's export table by hand:
0101033D 8BD3 MOV EDX,EBX
0101033F 4A DEC EDX
01010340 C1E2 02 SHL EDX,2 ; EDX = (ordinal - 1) * 4; the export directory's Base field is not read, ordinal-1 is used directly
01010343 8B9D 45050000 MOV EBX,DWORD PTR SS:[EBP+545] ; EBX = module base
01010349 8B7B 3C MOV EDI,DWORD PTR DS:[EBX+3C] ; e_lfanew
0101034C 8B7C3B 78 MOV EDI,DWORD PTR DS:[EBX+EDI+78] ; DataDirectory[EXPORT].VirtualAddress
01010350 035C3B 1C ADD EBX,DWORD PTR DS:[EBX+EDI+1C] ; EBX = base + ExportDirectory.AddressOfFunctions
01010354 8B0413 MOV EAX,DWORD PTR DS:[EBX+EDX] ; function RVA
01010357 0385 45050000 ADD EAX,DWORD PTR SS:[EBP+545] ; -> VA (no forwarder check is visible here)
0101035D 5F POP EDI
0101035E EB 16 JMP SHORT notepad.01010376
01010360 57 PUSH EDI ; by-ordinal failure in any other module: same hand-off to 010103C0, with [EBP+4C6] instead of [EBP+475]
01010361 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
01010364 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
0101036A 50 PUSH EAX
0101036B 53 PUSH EBX
0101036C 8D85 C6040000 LEA EAX,DWORD PTR SS:[EBP+4C6]
01010372 50 PUSH EAX
01010373 57 PUSH EDI
01010374 EB 4A JMP SHORT notepad.010103C0
01010376 8907 MOV DWORD PTR DS:[EDI],EAX ; write the resolved address into the IAT slot
01010378 8385 49050000 0>ADD DWORD PTR SS:[EBP+549],4 ; next slot (operand truncated by OllyDbg)
0101037F ^ E9 32FFFFFF JMP notepad.010102B6 ; backward jump: per-function loop. Watch a couple of iterations, then run past it
01010384 8906 MOV DWORD PTR DS:[ESI],EAX ; EAX here is the VA of the terminating thunk entry (from 010102C7): the descriptor's thunk, name and IAT fields are overwritten with it.
01010386 8946 0C MOV DWORD PTR DS:[ESI+C],EAX ; This destroys the original import descriptor in memory, which is why a raw dump has no usable import table
01010389 8946 10 MOV DWORD PTR DS:[ESI+10],EAX ; and ImportREC has to rebuild it from the filled-in IAT
0101038C 83C6 14 ADD ESI,14 ; next IMAGE_IMPORT_DESCRIPTOR (sizeof = 0x14)
0101038F 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
01010395 ^ E9 EBFEFFFF JMP notepad.01010285 ; backward jump: per-DLL loop
0101039A B8 20640000 MOV EAX,6420 ; OEP RVA. Set a breakpoint here and F9 to it (also reached from the JNZ at 0101002F and the JE at 0101028A)
0101039F 50 PUSH EAX
010103A0 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422] ; EAX = 01006420 = OEP VA
010103A6 59 POP ECX
010103A7 0BC9 OR ECX,ECX ; ZF = (OEP RVA == 0); POPAD does not touch flags, so this survives to the JNZ below
010103A9 8985 A8030000 MOV DWORD PTR SS:[EBP+3A8],EAX ; self-modifying: EBP+3A8 = 010103BB, the immediate of the PUSH at 010103BA
010103AF 61 POPAD ; restore the registers saved by PUSHAD at 01010001: the unpacked image is ready
010103B0 /75 08 JNZ SHORT notepad.010103BA ; OEP present -> go push it
010103BA 68 20640001 PUSH notepad.01006420 ; immediate written by the MOV at 010103A9
010103BF C3 RETN ; PUSH addr / RETN = jump to the OEP; F8 over it to land there
01006420 . 55 PUSH EBP ; landed here. A standard compiler prologue that immediately sets up an SEH frame: clearly
; the original entry point. Everything is in place, dump the process now (OEP RVA = 6420)
01006421 . 8BEC MOV EBP,ESP
01006423 . 6A FF PUSH -1
01006425 . 68 88180001 PUSH notepad.01001888 ; SEH frame: handler data
0100642A . 68 D0650001 PUSH notepad.010065D0 ; SEH frame: exception handler
0100642F . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0] ; previous SEH head (operand truncated by OllyDbg)
01006435 . 50 PUSH EAX
01006436 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP ; install the new SEH frame
0100643D . 83C4 98 ADD ESP,-68 ; reserve locals
01006440 . 53 PUSH EBX
01006441 . 56 PUSH ESI
01006442 . 57 PUSH EDI ; save callee-saved registers
01006443 . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
.
.
.
打开 ImportREC 选择该进程 -> OEP 填写 6420(注意填的是 RVA,即 01006420 减去映像基址 01000000,不是 VA)-> 点 IAT AutoSearch -> Get Imports,确认指针全部有效 -> 点 Fix Dump 修正 dump 下来的文件。之所以必须重建导入表,是因为壳在 01010384 处把每个导入描述符都改写掉了,直接 dump 出来的文件自身没有可用的导入表。
搞定.
得到脱壳文件
dump_notepad.exe
运行能正常启动,说明 OEP 和 IAT 基本修复正确;更稳妥的做法是再用 PE 工具核对一下导入表和节属性,并且仍在隔离环境里运行。
学习概要:
1 基本操作:下断点,以及 F7(单步进入 call)、F8(单步跳过 call)、F9(运行到断点)的使用
2 回跳(向上的 JMP/JNZ)的处理方式:把光标放在循环出口的下一句上按 F4(运行到选中位置),或者在该处下断点后 F9;前提是循环里没有其它会提前离开的分支。