Packer Study 2: Packing and Unpacking with ASPack 2.12
SkyJacker
Http://blog.csdn.net/skyjacker
Email: HeMiaoYu <At> gmail.com
QQ: 67705517
2007-2-10
1. Packing
I wrote a simple form program by hand and packed it with ASPack 2.12 (default options), which produced the packed program NullFormAspack.exe.
Original file versus packed file:
Original file size: 379 KB (388,096 bytes)
Original size on disk: 384 KB (393,216 bytes)
Packed file size: 157 KB (161,280 bytes)
Packed size on disk: 160 KB (163,840 bytes)
ASPack 2.12 compression ratio: 41%
2. Unpacking
Checking the packer with PEiD: ASPack 2.12 -> Alexey Solodovnikov
Load it in OllyDbg; it stops at the program entry point:
00465001 > 60             pushad
00465002   E8 03000000    call 0046500A          // F7 (step into)
00465007 - E9 EB045D45    jmp 45A354F7
0046500C   55             push ebp
0046500D   C3             retn
0046500E   E8 01000000    call 00465014
00465013   EB 5D          jmp short 00465072
00465015   BB EDFFFFFF    mov ebx, -13
call 0046500A
0046500A   5D             pop ebp                ; NullForm.00465007
0046500B   45             inc ebp                // 00465008
0046500C   55             push ebp               // pushes 00465008. What this routine does: add 1 to the return address, i.e. it changes the address of the next instruction to be executed
0046500D   C3             retn
Stack on entering 0046500A:
0012FFA0 00465007 return to NullForm.00465007 from NullForm.0046500A
0012FFA4 7C930738 ntdll.7C930738
0012FFA8 FFFFFFFF
0012FFAC 0012FFF0
After retn: EIP = 465008
00465008  /EB 04          jmp short 0046500E     // changed: EIP := EIP + 1, so the bytes now decode as jmp short
0046500A  |5D             pop ebp                // from call 0046500A. A stealth trick :)
0046500B  |45             inc ebp
0046500C  |55             push ebp
0046500D  |C3             retn
0046500E  /E8 01000000    call 00465014          // F7 (step into). Once again EIP := EIP + 1, one byte at a time.
00465013   EB 5D          jmp short 00465072
00465015   BB EDFFFFFF    mov ebx, -13
0046501A   03DD           add ebx, ebp
0046501C   81EB 00500600  sub ebx, 65000
00465022   83BD 22040000 0>cmp dword ptr [ebp+422], 0
call 00465014
00465014   5D             pop ebp                // on return, EIP would now become 7C930738 ; NullForm.00465013
00465015   BB EDFFFFFF    mov ebx, -13           // old EBX := 7FFDE000, now EBX := FFFFFFED
0046501A   03DD           add ebx, ebp           // EBX := FFFFFFED + 00465013 = 00465000
0046501C   81EB 00500600  sub ebx, 65000         // EBX := 400000 (MZP, the image base)
00465022   83BD 22040000 0>cmp dword ptr [ebp+422], 0
00465029   899D 22040000  mov dword ptr [ebp+422], ebx
0046502F   0F85 65030000  jnz 0046539A           // long jump; go to that address and press F4
00465035   8D85 2E040000  lea eax, dword ptr [ebp+42E]
0046503B   50             push eax
0046503C   FF95 4D0F0000  call dword ptr [ebp+F4D]
Stack on entering 00465014:
0012FFA0 00465013 return to NullForm.00465013 from NullForm.00465014
0012FFA4 7C930738 ntdll.7C930738
0012FFA8 FFFFFFFF
0012FFAC 0012FFF0
jnz 0046539A // long jump; click this line and press F4
0046539A   B8 84320500    mov eax, 53284         // immediate value, used to build the OEP
0046539F   50             push eax
004653A0   0385 22040000  add eax, dword ptr [ebp+422]  // EAX := NullForm.00453284
004653A6   59             pop ecx
004653A7   0BC9           or ecx, ecx
004653A9   8985 A8030000  mov dword ptr [ebp+3A8], eax  // patches a program instruction at run time. Patched address: 00465013 + 3A8 = 4653BB
004653AF   61             popad
004653B0   75 08          jnz short 004653BA
004653B2   B8 01000000    mov eax, 1
004653B7   C2 0C00        retn 0C
004653BA   68 00000000    push 0                 // the patched data is the operand of this PUSH
004653BF   C3             retn
CPU state on arriving at 0046539A:
EAX 00000000
ECX 7C939AEB ntdll.7C939AEB
EDX 00400000 ASCII "MZP"
EBX 00000000
ESP 0012FFA4
EBP 00465013 NullForm.00465013
ESI 004570F0 NullForm.004570F0
EDI 004576EC NullForm.004576EC
EIP 0046539A NullForm.0046539A
C 0  ES 0023 32位 0(FFFFFFFF)
P 1  CS 001B 32位 0(FFFFFFFF)
A 0  SS 0023 32位 0(FFFFFFFF)
Z 1  DS 0023 32位 0(FFFFFFFF)
S 0  FS 003B 32位 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_NO_IMPERSONATION_TOKEN (0000051D)
Stack:
0012FFA4 7C930738 ntdll.7C930738
0012FFA8 FFFFFFFF
0012FFAC 0012FFF0
0012FFB0 0012FFC4
After mov dword ptr [ebp+3A8], eax has executed, the instructions below it become:
004653A9   8985 A8030000  mov dword ptr [ebp+3A8], eax
004653AF   61             popad
004653B0   75 08          jnz short 004653BA
004653B2   B8 01000000    mov eax, 1
004653B7   C2 0C00        retn 0C
004653BA   68 84324500    push 00453284          // OEP
004653BF   C3             retn
Press F8 to step through; we arrive at the destination. Dump it, and we are done!
00453284   55             db 55                  ; CHAR 'U'
00453285   8B             db 8B
00453286   EC             db EC
00453287   83             db 83
00453288   C4             db C4
00453289   F0             db F0
0045328A   B8             db B8
0045328B   14             db 14
0045328C   31             db 31                  ; CHAR '1'
0045328D   45             db 45                  ; CHAR 'E'
0045328E   00             db 00
0045328F   E8             db E8
00453290   80             db 80
00453291   33             db 33                  ; CHAR '3'
00453292   FB             db FB
00453293   FF             db FF
00453294   A1             db A1
00453295   20             db 20                  ; CHAR ' '
00453296   4F             db 4F                  ; CHAR 'O'
00453297   45             db 45                  ; CHAR 'E'
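As an added example (not from the original post), the following Python replays the stub arithmetic walked through above without a debugger: it matches a PEiD-style entry-point signature, recovers the image base from the call/pop ebp delta, and applies the same `mov [ebp+3A8], eax` patch that turns `push 0` into `push OEP`. The byte strings are constructed from the article's own disassembly; treating the `sub ebx, imm32` operand as a per-file wildcard is an assumption.

```python
import struct

# Bytes constructed from this article's disassembly: the ASPack 2.12 stub at
# 00465001..00465028 and the OEP-building tail at 0046539A..004653BF.
STUB_VA = 0x00465001
STUB = bytes.fromhex("60" "E803000000" "E9EB045D45" "55" "C3" "E801000000" "EB5D"
                     "BBEDFFFFFF" "03DD" "81EB00500600" "83BD2204000000")
TAIL_VA = 0x0046539A
TAIL = bytes.fromhex("B884320500" "50" "038522040000" "59" "0BC9" "8985A8030000"
                     "61" "7508" "B801000000" "C20C00" "6800000000" "C3")

# PEiD-style entry-point signature. The 'sub ebx, imm32' operand is the stub's
# RVA and differs per packed file, so it is wildcarded (None); assumption: the
# remaining bytes are constant for ASPack 2.12.
ASPACK_212_SIG = [0x60, 0xE8, 3, 0, 0, 0, 0xE9, 0xEB, 4, 0x5D, 0x45, 0x55, 0xC3,
                  0xE8, 1, 0, 0, 0, 0xEB, 0x5D, 0xBB, 0xED, 0xFF, 0xFF, 0xFF,
                  0x03, 0xDD, 0x81, 0xEB, None, None, None, None]

def find_aspack212_stub(data: bytes) -> int:
    """Offset of the first signature match in data, or -1."""
    n = len(ASPACK_212_SIG)
    for i in range(len(data) - n + 1):
        if all(s is None or data[i + k] == s for k, s in enumerate(ASPACK_212_SIG)):
            return i
    return -1

def recover_image_base(stub: bytes, stub_va: int) -> int:
    """Replay 'call / pop ebp / mov ebx,-13 / add ebx,ebp / sub ebx,imm32'."""
    assert stub[0x0D:0x12] == b"\xE8\x01\x00\x00\x00"   # call pushes VA of next byte
    ebp = stub_va + 0x12                                 # pop ebp -> 00465013
    assert stub[0x14] == 0xBB and stub[0x19:0x1D] == b"\x03\xDD\x81\xEB"
    ebx = (ebp + struct.unpack_from("<i", stub, 0x15)[0]) & 0xFFFFFFFF  # 00465000
    return (ebx - struct.unpack_from("<I", stub, 0x1D)[0]) & 0xFFFFFFFF  # 00400000

def recover_oep(tail: bytes, tail_va: int, ebp: int, image_base: int):
    """Replay 'mov eax,imm32 / add eax,[ebp+422] / mov [ebp+3A8],eax': returns
    (patched tail, OEP VA); the 'push 0' before the final retn becomes 'push OEP'."""
    assert tail[0] == 0xB8 and tail[0x0F:0x11] == b"\x89\x85"
    oep = image_base + struct.unpack_from("<I", tail, 1)[0]
    disp = struct.unpack_from("<I", tail, 0x11)[0]        # 3A8
    off = ebp + disp - tail_va                             # 004653BB - 0046539A
    assert tail[off - 1] == 0x68                           # operand of 'push imm32'
    patched = bytearray(tail)
    struct.pack_into("<I", patched, off, oep)
    return bytes(patched), oep

if __name__ == "__main__":
    base = recover_image_base(STUB, STUB_VA)
    patched, oep = recover_oep(TAIL, TAIL_VA, STUB_VA + 0x12, base)
    print(f"stub at +{find_aspack212_stub(STUB)}, image base {base:#x}, OEP {oep:#x}")
```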