WinKawaks 1.45脱壳笔记
最近有朋友问 UPX + cryptor 的壳怎么脱,我还真以为是 UPX + cryptor 的壳呢。结果下载了一看,FI 2.5 显示为 UPX + cryptor,但是我要说这次 FI 错了,因为我从来没有遇到过 UPX + cryptor 里面有 INT3 的。
后来有朋友说是老王的 NC?(什么东东?)加的壳?我听得云里雾里。不管它,先脱着试试。
0187:00732060 50 PUSH EAX //载入后停在这里
0187:00732061 51 PUSH ECX
0187:00732062 52 PUSH EDX
0187:00732063 53 PUSH EBX
0187:00732064 54 PUSH ESP
0187:00732065 55 PUSH EBP
0187:00732066 56 PUSH ESI
0187:00732067 57 PUSH EDI
0187:00732068 E800000000 CALL 0073206D //这里进去,然后就一路F10
0187:0073206D 5D POP EBP
0187:0073206E 81ED1E1C4000 SUB EBP,00401C1E
0187:00732074 B97B090000 MOV ECX,097B
0187:00732079 8DBD661C4000 LEA EDI,[EBP+00401C66]
0187:0073207F 8BF7 MOV ESI,EDI
0187:00732081 AC LODSB
......
0187:007320B3 E2CC LOOP 00732081 //这里g 007320B5
0187:007320B5 8B6901 MOV EBP,[ECX+01]
0187:007320B8 FFA37D9888F6 JMP NEAR [EBX+F688987D]
0187:007320BE 1BFA SBB EDI,EDX
0187:007320C0 E195 LOOPE 00732057
0187:007320C2 94 XCHG EAX,ESP
0187:007320C3 15D494AA74 ADC EAX,74AA94D4
0187:007320C8 0FB65F0F MOVZX EBX,BYTE [EDI+0F]
0187:007320CC 18F1 SBB CL,DH
0187:007320CE D20E ROR BYTE [ESI],CL
0187:007320D0 CDA7 INT A7
0187:007320D2 B0A0 MOV AL,A0
......
0187:00732113 CC INT3 //在这里下断 bpx 0073277C。这条 INT3 会触发异常,看起来壳事先登记的 SEH 处理程序就在 0073277C,它改写 CONTEXT 后再让程序继续,所以要在处理程序上下断,而不是单步跟过去
0187:00732114 8BEF MOV EBP,EDI
0187:00732116 33DB XOR EBX,EBX
0187:00732118 648F03 POP DWORD [FS:EBX]
0187:0073211B 83C404 ADD ESP,BYTE +04
0187:0073211E 3C04 CMP AL,04
0187:00732120 7405 JZ 00732127
0187:00732122 EB01 JMP SHORT 00732125
0187:00732124 E961C38B85 JMP 85FEE48A
0187:00732129 8F DB 8F
0187:0073212A 234000 AND EAX,[EAX+00]
0187:0073212D 03403C ADD EAX,[EAX+3C]
0187:00732130 0580000000 ADD EAX,80
0187:00732135 8B08 MOV ECX,[EAX]
0187:00732137 038D8F234000 ADD ECX,[EBP+0040238F]
......
0187:0073277C 55 PUSH EBP //ok,断下了,再F10吧!
0187:0073277D 8BEC MOV EBP,ESP
0187:0073277F 57 PUSH EDI
0187:00732780 8B4510 MOV EAX,[EBP+10]
0187:00732783 8BB89C000000 MOV EDI,[EAX+9C]
0187:00732789 FFB717254000 PUSH DWORD [EDI+00402517]
0187:0073278F 8F80B8000000 POP DWORD [EAX+B8]
0187:00732795 89B8B4000000 MOV [EAX+B4],EDI
0187:0073279B C780B00000000400+MOV DWORD [EAX+B0],04
0187:007327A5 B800000000 MOV EAX,00
0187:007327AA 5F POP EDI
0187:007327AB C9 LEAVE
0187:007327AC C3 RET //从 CONTEXT 偏移看(B0=EAX、B4=EBP、B8=EIP),处理程序把 EAX 置 4、EBP 置 EDI、改写 EIP 后返回,最后到00732114
0187:007327AD 55 PUSH EBP
......
0187:00732112 FFCC DEC ESP
0187:00732114 8BEF MOV EBP,EDI //停在这里(简单的办法:载入后输入 i3here on;g,让 SoftICE 在 INT3 处接管,就可以直接停在这里)
0187:00732116 33DB XOR EBX,EBX
0187:00732118 648F03 POP DWORD [FS:EBX]
0187:0073211B 83C404 ADD ESP,BYTE +04
0187:0073211E 3C04 CMP AL,04
0187:00732120 7405 JZ 00732127
0187:00732122 EB01 JMP SHORT 00732125
0187:00732124 E961C38B85 JMP 85FEE48A
0187:00732129 8F DB 8F
0187:0073212A 234000 AND EAX,[EAX+00]
0187:0073212D 03403C ADD EAX,[EAX+3C]
0187:00732130 0580000000 ADD EAX,80
0187:00732135 8B08 MOV ECX,[EAX]
0187:00732137 038D8F234000 ADD ECX,[EBP+0040238F]
......
0187:0073261A 0F85B4FEFFFF JNZ NEAR 007324D4 (JUMP) //g 00732620
0187:00732620 33C0 XOR EAX,EAX
0187:00732622 40 INC EAX
0187:00732623 83F801 CMP EAX,BYTE +01
0187:00732626 7402 JZ 0073262A
0187:00732628 61 POPA
0187:00732629 C3 RET
0187:0073262A F785972340000200+TEST DWORD [EBP+00402397],02
0187:00732634 7418 JZ 0073264E
0187:00732636 8BBD8F234000 MOV EDI,[EBP+0040238F]
0187:0073263C 037F3C ADD EDI,[EDI+3C]
0187:0073263F 8B4F54 MOV ECX,[EDI+54]
0187:00732642 8BB58F234000 MOV ESI,[EBP+0040238F]
......
0187:00732676 8DBD42224000 LEA EDI,[EBP+00402242]
0187:0073267C 8BF7 MOV ESI,EDI
0187:0073267E B9DF000000 MOV ECX,DF
0187:00732683 33DB XOR EBX,EBX
0187:00732685 AC LODSB
0187:00732686 3479 XOR AL,79
0187:00732688 2AC3 SUB AL,BL
0187:0073268A C0C002 ROL AL,02
0187:0073268D AA STOSB
0187:0073268E 43 INC EBX
0187:0073268F E2F4 LOOP 00732685 //g 00732691
0187:00732691 8D1B LEA EBX,[EBX]
0187:00732693 8C DB 8C
0187:00732694 356D7C637F XOR EAX,7F637C6D
0187:00732699 0C6C OR AL,6C
......
0187:00732752 AA STOSB
0187:00732753 E2FD LOOP 00732752 //g 00732755
0187:00732755 8DBD21234000 LEA EDI,[EBP+00402321]
0187:0073275B B9C0020000 MOV ECX,02C0
0187:00732760 AA STOSB
0187:00732761 E2FD LOOP 00732760 //g 00732763
0187:00732763 61 POPA
0187:00732764 50 PUSH EAX
0187:00732765 33C0 XOR EAX,EAX
0187:00732767 64FF30 PUSH DWORD [FS:EAX]
0187:0073276A 648920 MOV [FS:EAX],ESP
......
0187:0072FAC0 7507 JNZ 0072FAC9
0187:0072FAC2 8B1E MOV EBX,[ESI]
0187:0072FAC4 83EEFC SUB ESI,BYTE -04
0187:0072FAC7 11DB ADC EBX,EBX
0187:0072FAC9 72ED JC 0072FAB8 (JUMP) //g 0072FACB
0187:0072FACB B801000000 MOV EAX,01
0187:0072FAD0 01DB ADD EBX,EBX
0187:0072FAD2 7507 JNZ 0072FADB
0187:0072FAD4 8B1E MOV EBX,[ESI]
0187:0072FAD6 83EEFC SUB ESI,BYTE -04
0187:0072FAD9 11DB ADC EBX,EBX
0187:0072FADB 11C0 ADC EAX,EAX
0187:0072FADD 01DB ADD EBX,EBX
0187:0072FADF 730B JNC 0072FAEC
0187:0072FAE1 7519 JNZ 0072FAFC
......
0187:0072FB68 75F7 JNZ 0072FB61 (JUMP) //g 0072FB6A
0187:0072FB6A E94FFFFFFF JMP 0072FABE
0187:0072FB6F 90 NOP
0187:0072FB70 8B02 MOV EAX,[EDX]
......
0187:0072FAC9 72ED JC 0072FAB8 (JUMP) //g 0072FACB
0187:0072FACB B801000000 MOV EAX,01
0187:0072FAD0 01DB ADD EBX,EBX
0187:0072FAD2 7507 JNZ 0072FADB
0187:0072FAD4 8B1E MOV EBX,[ESI]
0187:0072FAD6 83EEFC SUB ESI,BYTE -04
0187:0072FAD9 11DB ADC EBX,EBX
0187:0072FADB 11C0 ADC EAX,EAX
0187:0072FADD 01DB ADD EBX,EBX
转载: http://www.qqread.com/encrypt/j200185062.html
最近有朋友问 UPX + cryptor 的壳怎么脱,我还真以为是 UPX + cryptor 的壳呢。结果下载了一看,FI 2.5 显示为 UPX + cryptor,但是我要说这次 FI 错了,因为我从来没有遇到过 UPX + cryptor 里面有 INT3 的。
后来有朋友说是老王的 NC?(什么东东?)加的壳?我听得云里雾里。不管它,先脱着试试。
0187:00732060 50 PUSH EAX //载入后停在这里
0187:00732061 51 PUSH ECX
0187:00732062 52 PUSH EDX
0187:00732063 53 PUSH EBX
0187:00732064 54 PUSH ESP
0187:00732065 55 PUSH EBP
0187:00732066 56 PUSH ESI
0187:00732067 57 PUSH EDI
0187:00732068 E800000000 CALL 0073206D //这里进去,然后就一路F10
0187:0073206D 5D POP EBP
0187:0073206E 81ED1E1C4000 SUB EBP,00401C1E
0187:00732074 B97B090000 MOV ECX,097B
0187:00732079 8DBD661C4000 LEA EDI,[EBP+00401C66]
0187:0073207F 8BF7 MOV ESI,EDI
0187:00732081 AC LODSB
......
0187:007320B3 E2CC LOOP 00732081 //这里g 007320B5
0187:007320B5 8B6901 MOV EBP,[ECX+01]
0187:007320B8 FFA37D9888F6 JMP NEAR [EBX+F688987D]
0187:007320BE 1BFA SBB EDI,EDX
0187:007320C0 E195 LOOPE 00732057
0187:007320C2 94 XCHG EAX,ESP
0187:007320C3 15D494AA74 ADC EAX,74AA94D4
0187:007320C8 0FB65F0F MOVZX EBX,BYTE [EDI+0F]
0187:007320CC 18F1 SBB CL,DH
0187:007320CE D20E ROR BYTE [ESI],CL
0187:007320D0 CDA7 INT A7
0187:007320D2 B0A0 MOV AL,A0
......
0187:00732113 CC INT3 //在这里下断 bpx 0073277C。这条 INT3 会触发异常,看起来壳事先登记的 SEH 处理程序就在 0073277C,它改写 CONTEXT 后再让程序继续,所以要在处理程序上下断,而不是单步跟过去
0187:00732114 8BEF MOV EBP,EDI
0187:00732116 33DB XOR EBX,EBX
0187:00732118 648F03 POP DWORD [FS:EBX]
0187:0073211B 83C404 ADD ESP,BYTE +04
0187:0073211E 3C04 CMP AL,04
0187:00732120 7405 JZ 00732127
0187:00732122 EB01 JMP SHORT 00732125
0187:00732124 E961C38B85 JMP 85FEE48A
0187:00732129 8F DB 8F
0187:0073212A 234000 AND EAX,[EAX+00]
0187:0073212D 03403C ADD EAX,[EAX+3C]
0187:00732130 0580000000 ADD EAX,80
0187:00732135 8B08 MOV ECX,[EAX]
0187:00732137 038D8F234000 ADD ECX,[EBP+0040238F]
......
0187:0073277C 55 PUSH EBP //ok,断下了,再F10吧!
0187:0073277D 8BEC MOV EBP,ESP
0187:0073277F 57 PUSH EDI
0187:00732780 8B4510 MOV EAX,[EBP+10]
0187:00732783 8BB89C000000 MOV EDI,[EAX+9C]
0187:00732789 FFB717254000 PUSH DWORD [EDI+00402517]
0187:0073278F 8F80B8000000 POP DWORD [EAX+B8]
0187:00732795 89B8B4000000 MOV [EAX+B4],EDI
0187:0073279B C780B00000000400+MOV DWORD [EAX+B0],04
0187:007327A5 B800000000 MOV EAX,00
0187:007327AA 5F POP EDI
0187:007327AB C9 LEAVE
0187:007327AC C3 RET //从 CONTEXT 偏移看(B0=EAX、B4=EBP、B8=EIP),处理程序把 EAX 置 4、EBP 置 EDI、改写 EIP 后返回,最后到00732114
0187:007327AD 55 PUSH EBP
......
0187:00732112 FFCC DEC ESP
0187:00732114 8BEF MOV EBP,EDI //停在这里(简单的办法:载入后输入 i3here on;g,让 SoftICE 在 INT3 处接管,就可以直接停在这里)
0187:00732116 33DB XOR EBX,EBX
0187:00732118 648F03 POP DWORD [FS:EBX]
0187:0073211B 83C404 ADD ESP,BYTE +04
0187:0073211E 3C04 CMP AL,04
0187:00732120 7405 JZ 00732127
0187:00732122 EB01 JMP SHORT 00732125
0187:00732124 E961C38B85 JMP 85FEE48A
0187:00732129 8F DB 8F
0187:0073212A 234000 AND EAX,[EAX+00]
0187:0073212D 03403C ADD EAX,[EAX+3C]
0187:00732130 0580000000 ADD EAX,80
0187:00732135 8B08 MOV ECX,[EAX]
0187:00732137 038D8F234000 ADD ECX,[EBP+0040238F]
......
0187:0073261A 0F85B4FEFFFF JNZ NEAR 007324D4 (JUMP) //g 00732620
0187:00732620 33C0 XOR EAX,EAX
0187:00732622 40 INC EAX
0187:00732623 83F801 CMP EAX,BYTE +01
0187:00732626 7402 JZ 0073262A
0187:00732628 61 POPA
0187:00732629 C3 RET
0187:0073262A F785972340000200+TEST DWORD [EBP+00402397],02
0187:00732634 7418 JZ 0073264E
0187:00732636 8BBD8F234000 MOV EDI,[EBP+0040238F]
0187:0073263C 037F3C ADD EDI,[EDI+3C]
0187:0073263F 8B4F54 MOV ECX,[EDI+54]
0187:00732642 8BB58F234000 MOV ESI,[EBP+0040238F]
......
0187:00732676 8DBD42224000 LEA EDI,[EBP+00402242]
0187:0073267C 8BF7 MOV ESI,EDI
0187:0073267E B9DF000000 MOV ECX,DF
0187:00732683 33DB XOR EBX,EBX
0187:00732685 AC LODSB
0187:00732686 3479 XOR AL,79
0187:00732688 2AC3 SUB AL,BL
0187:0073268A C0C002 ROL AL,02
0187:0073268D AA STOSB
0187:0073268E 43 INC EBX
0187:0073268F E2F4 LOOP 00732685 //g 00732691
0187:00732691 8D1B LEA EBX,[EBX]
0187:00732693 8C DB 8C
0187:00732694 356D7C637F XOR EAX,7F637C6D
0187:00732699 0C6C OR AL,6C
......
0187:00732752 AA STOSB
0187:00732753 E2FD LOOP 00732752 //g 00732755
0187:00732755 8DBD21234000 LEA EDI,[EBP+00402321]
0187:0073275B B9C0020000 MOV ECX,02C0
0187:00732760 AA STOSB
0187:00732761 E2FD LOOP 00732760 //g 00732763
0187:00732763 61 POPA
0187:00732764 50 PUSH EAX
0187:00732765 33C0 XOR EAX,EAX
0187:00732767 64FF30 PUSH DWORD [FS:EAX]
0187:0073276A 648920 MOV [FS:EAX],ESP
......
0187:0072FAC0 7507 JNZ 0072FAC9
0187:0072FAC2 8B1E MOV EBX,[ESI]
0187:0072FAC4 83EEFC SUB ESI,BYTE -04
0187:0072FAC7 11DB ADC EBX,EBX
0187:0072FAC9 72ED JC 0072FAB8 (JUMP) //g 0072FACB
0187:0072FACB B801000000 MOV EAX,01
0187:0072FAD0 01DB ADD EBX,EBX
0187:0072FAD2 7507 JNZ 0072FADB
0187:0072FAD4 8B1E MOV EBX,[ESI]
0187:0072FAD6 83EEFC SUB ESI,BYTE -04
0187:0072FAD9 11DB ADC EBX,EBX
0187:0072FADB 11C0 ADC EAX,EAX
0187:0072FADD 01DB ADD EBX,EBX
0187:0072FADF 730B JNC 0072FAEC
0187:0072FAE1 7519 JNZ 0072FAFC
......
0187:0072FB68 75F7 JNZ 0072FB61 (JUMP) //g 0072FB6A
0187:0072FB6A E94FFFFFFF JMP 0072FABE
0187:0072FB6F 90 NOP
0187:0072FB70 8B02 MOV EAX,[EDX]
......
0187:0072FAC9 72ED JC 0072FAB8 (JUMP) //g 0072FACB
0187:0072FACB B801000000 MOV EAX,01
0187:0072FAD0 01DB ADD EBX,EBX
0187:0072FAD2 7507 JNZ 0072FADB
0187:0072FAD4 8B1E MOV EBX,[ESI]
0187:0072FAD6 83EEFC SUB ESI,BYTE -04
0187:0072FAD9 11DB ADC EBX,EBX
0187:0072FADB 11C0 ADC EAX,EAX
0187:0072FADD 01DB ADD EBX,EBX
转载: http://www.qqread.com/encrypt/j200185062.html