Unpacking ASPack 2.x
Unpacked by: manbug
Tools: OllyDbg, LordPE, ImportREC, PEiD
Platform: WinXP SP2
Target: Bigman's Crackme6 (from the Kanxue/PEDIY 2007 highlights)
Size: 7K
Packer (PEiD): ASPack 2.x (without poly) -> Alexey Solodovnikov [Overlay]
There are plenty of automatic unpackers these days, but I am a beginner and wanted to practise doing it by hand, so I am writing up my unpacking process to share with everyone; please point out anything I got wrong.
Load the program in OD:
00405001 > E8 03000000 call crackme6.00405009 ; OD stops here after loading; press F7
00405007 /EB 04 jmp short crackme6.0040500D
00405009 |5D pop ebp ; ebp = 00405006 (the return address pushed by the call)
0040500A |45 inc ebp ; ebp = 00405007
0040500B |55 push ebp
0040500C |C3 retn ; "returns" to 00405007, i.e. the jmp above
0040500D \90 nop
0040500E E8 01000000 call crackme6.00405014 ; F7 to step in; the call skips the byte at 00405013 and pushes 00405013 as the return address
..........
00405014 5D pop ebp ; ebp = 00405013, the delta base the whole stub uses for [ebp+xxx]. From here on step with F8; whenever a jump goes backwards, select the instruction after it and press F4 to run past the loop
00405015 BB EDFFFFFF mov ebx, -13
0040501A 03DD add ebx, ebp ; ebx = 00405013 - 13 = 00405000
0040501C 81EB 00500000 sub ebx, 5000 ; ebx = 00400000, the image base
00405022 83BD 22040000 00 cmp dword ptr [ebp+422], 0 ; [ebp+422] holds the image base once the stub has run once
00405029 899D 22040000 mov dword ptr [ebp+422], ebx
0040502F 0F85 65030000 jnz crackme6.0040539A ; already initialised: jump straight to the hand-off to the OEP
00405035 8D85 2E040000 lea eax, dword ptr [ebp+42E]
0040503B 50 push eax
0040503C FF95 4D0F0000 call near dword ptr [ebp+F4D]
00405042 8985 26040000 mov dword ptr [ebp+426], eax
00405048 8BF8 mov edi, eax
0040504A 8D5D 5E lea ebx, dword ptr [ebp+5E]
..........
0040513A 3C E9 cmp al, 0E9 ; the E8/E9 (call/jmp) operand fix-up loop run after decompression
0040513C 74 04 je short crackme6.00405142
0040513E 43 inc ebx
0040513F 49 dec ecx
00405140 ^ EB EB jmp short crackme6.0040512D
00405142 8B06 mov eax, dword ptr [esi] ; F4 here to run past the backward jump above
00405144 EB 00 jmp short crackme6.00405146
00405146 803E 00 cmp byte ptr [esi], 0
00405149 ^ 75 F3 jnz short crackme6.0040513E
0040514B 24 00 and al, 0
0040514D C1C0 18 rol eax, 18
00405150 2BC3 sub eax, ebx
00405152 8906 mov dword ptr [esi], eax
00405154 83C3 05 add ebx, 5
00405157 83C6 04 add esi, 4
0040515A 83E9 05 sub ecx, 5
0040515D ^ EB CE jmp short crackme6.0040512D
0040515F 5B pop ebx ; F4 here to run past the backward jump above
00405160 5E pop esi
00405161 59 pop ecx
.............
0040519D 83C6 08 add esi, 8
004051A0 833E 00 cmp dword ptr [esi], 0
004051A3 ^ 0F85 1EFFFFFF jnz crackme6.004050C7
004051A9 68 00800000 push 8000 ; F4 here to run past the backward jump above (8000 = MEM_RELEASE)
004051AE 6A 00 push 0
.............
00405376 8907 mov dword ptr [edi], eax
00405378 8385 49050000 04 add dword ptr [ebp+549], 4
0040537F ^ E9 32FFFFFF jmp crackme6.004052B6
00405384 8906 mov dword ptr [esi], eax ; F4 here to run past the backward jump above
00405386 8946 0C mov dword ptr [esi+C], eax
00405389 8946 10 mov dword ptr [esi+10], eax
0040538C 83C6 14 add esi, 14
0040538F 8B95 22040000 mov edx, dword ptr [ebp+422]
00405395 ^ E9 EBFEFFFF jmp crackme6.00405285
0040539A B8 CB110000 mov eax, 11CB ; F4 here to run past the backward jump above. 11CB is the OEP as an RVA
0040539F 50 push eax
004053A0 0385 22040000 add eax, dword ptr [ebp+422] ; + image base 400000 = 004011CB
004053A6 59 pop ecx ; ecx = 11CB
004053A7 0BC9 or ecx, ecx ; sets ZF for the jnz below (popad does not touch the flags)
004053A9 8985 A8030000 mov dword ptr [ebp+3A8], eax ; ebp+3A8 = 004053BB, the immediate of the push below: the stub patches its own jump to the OEP
004053AF 61 popad ; the key instruction: restores the registers the stub saved on entry, so the OEP sees them as the loader left them
004053B0 75 08 jnz short crackme6.004053BA ; ecx is non-zero, so this is taken
004053B2 B8 01000000 mov eax, 1
004053B7 C2 0C00 retn 0C
004053BA 68 CB114000 push crackme6.004011CB ; so the entry point is 004011CB
004053BF C3 retn ; F8 over the retn and you land on the entry point
.........
004011CB . 64:A1 01000000 mov eax, dword ptr fs:[1] ; the real entry point of the program (what OD's SFX options call it), i.e. the OEP; stop here and dump
004011D1 /. 55 push ebp
004011D2 |. 89E5 mov ebp, esp
004011D4 |. 6A FF push -1
004011D6 |. 68 1C204000 push crackme6.0040201C
004011DB |. 68 9A104000 push crackme6.0040109A
004011E0 |. 50 push eax
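The hand-off above (mov eax, 11CB; add the image base; patch the push; popad; push OEP; retn) is a fixed byte pattern, so once you know it you can find the OEP in a memory dump of the stub without stepping there. The following Python is an example added to this write-up; it is not from manbug's post or from ASPack. It matches that tail in a byte buffer and reports the OEP RVA from the mov and the VA sitting in the push, and flags whether the push has already been patched (in memory after 004053A9) or not. The sample bytes are exactly those in the listing above; the "unpatched" variant with a zeroed immediate is a constructed assumption to show the distinction, not a claim about what ASPack stores on disk.

```python
import re
import struct

# Constructed sample: the end of the ASPack stub exactly as the OllyDbg listing
# above shows it (0040539A .. 004053BF), with three filler NOPs in front so the
# match offset is not zero. Copied from the listing, not from a real dump.
STUB_TAIL_IN_MEMORY = bytes.fromhex(
    "90 90 90 "                   # filler (not part of the stub)
    "B8 CB 11 00 00 "             # mov eax, 11CB            ; OEP RVA
    "50 "                         # push eax
    "03 85 22 04 00 00 "          # add eax, [ebp+422]       ; + image base
    "59 "                         # pop ecx
    "0B C9 "                      # or ecx, ecx
    "89 85 A8 03 00 00 "          # mov [ebp+3A8], eax       ; patches the push below
    "61 "                         # popad
    "75 08 "                      # jnz short 004053BA
    "B8 01 00 00 00 "             # mov eax, 1
    "C2 0C 00 "                   # retn 0C
    "68 CB 11 40 00 "             # push 004011CB            ; OEP VA (already patched)
    "C3 "                         # retn
)

# Same bytes with the push immediate zeroed, imitating a buffer in which the
# stub has not yet run 004053A9. Assumption for illustration only: this is not
# a claim about the placeholder value ASPack keeps on disk.
STUB_TAIL_UNPATCHED = STUB_TAIL_IN_MEMORY[:-5] + b"\x00\x00\x00\x00\xC3"

ASPACK_OEP_TAIL = re.compile(
    rb"\xB8(?P<rva>.{4})"         # mov eax, imm32        -> OEP RVA
    rb"\x50"                      # push eax
    rb"\x03\x85.{4}"              # add eax, [ebp+disp32] (image base slot)
    rb"\x59"                      # pop ecx
    rb"\x0B\xC9"                  # or ecx, ecx
    rb"\x89\x85.{4}"              # mov [ebp+disp32], eax (patches the push)
    rb"\x61"                      # popad
    rb"\x75\x08"                  # jnz short +8
    rb"\xB8\x01\x00\x00\x00"      # mov eax, 1
    rb"\xC2\x0C\x00"              # retn 0C
    rb"\x68(?P<va>.{4})"          # push imm32            -> OEP VA
    rb"\xC3",                     # retn
    re.DOTALL,
)


def find_aspack_oep(blob, image_base):
    """Locate the popad/push/retn tail and return where it transfers control.

    Returns a dict with the OEP RVA taken from the mov, the VA computed from
    it, the immediate currently in the push, whether that immediate has been
    patched to base+RVA yet, and the blob offset of the match; None if the
    pattern is absent.
    """
    m = ASPACK_OEP_TAIL.search(blob)
    if m is None:
        return None
    rva = struct.unpack("<I", m.group("rva"))[0]
    push_imm = struct.unpack("<I", m.group("va"))[0]
    return {
        "oep_rva": rva,
        "oep_va": image_base + rva,
        "push_imm": push_imm,
        "patched": push_imm == image_base + rva,
        "offset": m.start(),
    }


if __name__ == "__main__":
    for name, blob in (("memory", STUB_TAIL_IN_MEMORY), ("unpatched", STUB_TAIL_UNPATCHED)):
        r = find_aspack_oep(blob, 0x400000)
        print(name, {k: (hex(v) if isinstance(v, int) and not isinstance(v, bool) else v)
                     for k, v in r.items()})
```

Because the stub computes the VA at run time and writes it into the push, the RVA in the mov is the reliable field; the push immediate only agrees with it in a dump taken after 004053A9 has executed, which is why the function reports both.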
Now dump the process with LordPE while EIP is still at 004011CB (select the process, "dump full"); everyone knows this step, heh.
After dumping, fix the imports with ImportREC: attach to the process, enter 11CB in the OEP field, click IAT AutoSearch, then Get Imports. Only 6 imported functions show up, which can't be right, so the import table has to be found by hand. AutoSearch reported an IAT RVA of 03138; adding the image base 400000 gives 403138. Go to 403138 in OD's dump window and scroll upwards: sure enough there is more data above it, a run of dword pointers into the system DLLs (7Cxxxxxx values on XP SP2) with a zero dword between the group for each DLL, and AutoSearch had only picked up the end of it. The table starts at 4030A4 and ends at 4032BE, so its size is 21A. Enter 30A4 as the IAT RVA and 21A as the Size in ImportREC and click Get Imports again; this time it finds plenty of imported functions. A few are still invalid, which doesn't matter here: click Show Invalid, Cut them, then Fix Dump on the dumped file. (Cutting is only safe when the program never calls through those thunks; if the unpacked file crashes on an import call, go back and trace the invalid ones instead.) Done, and the unpacked program runs normally.
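Finding the table edges by scrolling in OD's dump window can be automated for the next target. This Python is an example added to this write-up, not code from the original post or from ImportREC. It takes a dumped image and the seed RVA that AutoSearch returned, walks outwards over dword entries while they look like API pointers (the 70000000-7FFFFFFF range where XP SP2 system DLLs load, an assumption of this heuristic) or single zero separators between per-DLL groups, and returns the IAT RVA and Size to type into ImportREC. The dump is a constructed image with a fake IAT at 30A4 laid out like the real one, so the size it reports is the example's own, not the crackme's 21A.

```python
import struct

IMAGE_BASE = 0x400000

# XP SP2 user-mode system DLLs (kernel32 at 7C800000, ntdll at 7C900000, ...)
# load in this range. Treating any dword inside it as an API pointer is an
# assumption of this example, but it is enough to spot where the table stops.
DLL_LO, DLL_HI = 0x70000000, 0x80000000


def is_api_ptr(value):
    return DLL_LO <= value < DLL_HI


def build_sample_dump():
    """Constructed dump: a blank 0x3400-byte image with a fake IAT at RVA 30A4.

    Three per-DLL thunk groups of made-up pointers, a single zero dword between
    groups and a double zero after the last one, mimicking what OD shows.
    """
    img = bytearray(0x3400)
    rva = 0x30A4
    for count, first_ptr in ((20, 0x7C801D7B), (60, 0x7C80AE40), (50, 0x7E41B3C0)):
        for i in range(count):
            struct.pack_into("<I", img, rva, first_ptr + 0x10 * i)
            rva += 4
        rva += 4  # leave the separator dword zero
    return bytes(img)


def find_iat_bounds(image, seed_rva):
    """Expand from one known IAT entry to the whole table; returns (rva, size)."""
    def rd(rva):
        return struct.unpack_from("<I", image, rva)[0]

    if not is_api_ptr(rd(seed_rva)):
        raise ValueError("seed RVA %#x does not hold an API pointer" % seed_rva)

    # Walk backwards: keep going over pointers, and over a lone zero dword
    # only if a pointer sits right before it (a separator, not the table start).
    start = seed_rva
    while start >= 4:
        v = rd(start - 4)
        if is_api_ptr(v):
            start -= 4
        elif v == 0 and start >= 8 and is_api_ptr(rd(start - 8)):
            start -= 4
        else:
            break

    # Walk forwards with the mirror rule; a zero followed by a non-pointer
    # (here the double zero) is the end of the table.
    end = seed_rva + 4
    while end + 4 <= len(image):
        v = rd(end)
        if is_api_ptr(v):
            end += 4
        elif v == 0 and end + 8 <= len(image) and is_api_ptr(rd(end + 4)):
            end += 4
        else:
            break
    return start, end - start


def importrec_settings(oep_rva, image, seed_rva):
    """The three values to type into ImportREC: OEP, IAT RVA and Size."""
    start, size = find_iat_bounds(image, seed_rva)
    return {"OEP": oep_rva, "IAT RVA": start, "Size": size}


if __name__ == "__main__":
    dump = build_sample_dump()
    print({k: hex(v) for k, v in importrec_settings(0x11CB, dump, 0x3138).items()})
```

The returned Size is end minus start, rounded to whole dword entries; the only way to be sure the last group is not followed by a pointer-looking data dword is still to glance at the tail in OD before clicking Get Imports.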
There is of course an easier way to find this packer's entry point: in OD's debugging options tick all the "ignore exceptions" boxes, and on the SFX tab select "Trace real entry bytewise"; then load the program and, after a moment, OD stops at the real entry point on its own, since it traces the self-extractor until control jumps into the original program's code.