|
|
 OllyDbg配合ollyDump脱壳 |
|
|
| |
工具:ollydbg1.09B,插件ollyDump V2.11.108
基本操作:F8-单步执行,遇到call不进入。F7-单步执行,遇到call进入。F4-执行到光标所在行。F2-设断
手动脱壳要把握两点:
1、单步往前走,不要回头。
2、观察。注意poshad、poshfd,popad、popfd等,注意地址发生大的变化。
程序用PECompact V1.40-45加的壳,没见过的,在这里只好手动脱壳。
0054DC00 > /EB 06 JMP SHORT wb86.0054DC08
0054DC02 |68 84370000PUSH 3784
0054DC07 |C3RETN
0054DC08 \9CPUSHFD
0054DC0960PUSHAD
0054DC0AE8 02000000CALL wb86.0054DC11=>单步走到这里,F8过的话程序就运行,所以要F7跟入
-------------------------------------------------------------------------------
0054DC118BC4MOV EAX,ESP =>F7后来到这,继续单步运行
0054DC1383C0 04ADD EAX,4
0054DC1693XCHG EAX,EBX
0054DC178BE3MOV ESP,EBX
0054DC198B5B FCMOV EBX,DWORD PTR DS:[EBX-4]
0054DC1C81EB 0FA04000 SUB EBX,wb86.0040A00F
0054DC2287DDXCHG EBP,EBX
0054DC248B85 A6A04000 MOV EAX,DWORD PTR SS:[EBP+40A0A6]
0054DC2A0185 03A04000 ADD DWORD PTR SS:[EBP+40A003],EAX
0054DC3066:C785 00A0400>MOV WORD PTR SS:[EBP+40A000],9090
0054DC390185 9EA04000 ADD DWORD PTR SS:[EBP+40A09E],EAX
0054DC3FBB C3110000MOV EBX,11C3
0054DC44039D AAA04000 ADD EBX,DWORD PTR SS:[EBP+40A0AA]
0054DC4A039D A6A04000 ADD EBX,DWORD PTR SS:[EBP+40A0A6]
0054DC5053PUSH EBX
0054DC5153PUSH EBX
...............(一直往前走,省略).....................
0054F25E57PUSH EDI
0054F25FADLODS DWORD PTR DS:[ESI]
0054F2600BC0OR EAX,EAX
0054F26274 6C JE SHORT wb86.0054F2D0
0054F2648BD0MOV EDX,EAX
0054F2660395 A6A04000 ADD EDX,DWORD PTR SS:[EBP+40A0A6]
0054F26CADLODS DWORD PTR DS:[ESI]
0054F26D56PUSH ESI
0054F26E8BC8MOV ECX,EAX
0054F27057PUSH EDI
0054F27152PUSH EDX
0054F2728BF2MOV ESI,EDX
0054F2748B85 15A64000 MOV EAX,DWORD PTR SS:[EBP+40A615]
0054F27A8B9D 19A64000 MOV EBX,DWORD PTR SS:[EBP+40A619]
0054F280E8 910A0000CALL wb86.0054FD16
0054F2855APOP EDX
0054F2865FPOP EDI
0054F28752PUSH EDX
0054F28857PUSH EDI
0054F289FF95 9EA04000 CALL DWORD PTR SS:[EBP+40A09E]
0054F28F0BC0OR EAX,EAX
0054F29174 07 JE SHORT wb86.0054F29A
0054F2938BC8MOV ECX,EAX
0054F2955EPOP ESI
0054F2965FPOP EDI
0054F297 ^ EB C5 JMP SHORT wb86.0054F25E ==>走到这里会跳到前面,把光标移动到下一
行,F4跳过时程序会直接运行,所以还得单步运行,走到上面的0054F262处会跳到后面去了
0054F299B9 8D9D97A5MOV ECX,A5979D8D
0054F29E40INC EAX
0054F29F0053 FFADD BYTE PTR DS:[EBX-1],DL
0054F2A295XCHG EAX,EBP
0054F2A315 A640008DADC EAX,8D0040A6
0054F2A89DPOPFD
...............(一直往前走,省略).....................
0054F2CF24 58 AND AL,58 ==>从上面跳到这,继续单步走
0054F2D18DB5 C3A64000 LEA ESI,DWORD PTR SS:[EBP+40A6C3]
0054F2D7ADLODS DWORD PTR DS:[ESI]
0054F2D80BC0OR EAX,EAX
0054F2DA74 74 JE SHORT wb86.0054F350
0054F2DC0385 A6A04000 ADD EAX,DWORD PTR SS:[EBP+40A0A6]
...............(一直往前走,省略).....................
0054F36E /74 72 JE SHORT wb86.0054F3E2
0054F36D49DEC ECX
0054F36E74 72 JE SHORT wb86.0054F3E2
0054F37078 70 JS SHORT wb86.0054F3E2
0054F37266:8B07MOV AX,WORD PTR DS:[EDI]
0054F3752C E8 SUB AL,0E8
0054F3773C 01 CMP AL,1
0054F37976 38 JBE SHORT wb86.0054F3B3
0054F37B66:3D 1725 CMP AX,2517
0054F37F74 51 JE SHORT wb86.0054F3D2
0054F3813C 27 CMP AL,27
0054F38375 0A JNZ SHORT wb86.0054F38F
0054F38580FC 80CMP AH,80
0054F38872 05 JB SHORT wb86.0054F38F
0054F38A80FC 8FCMP AH,8F
0054F38D76 05 JBE SHORT wb86.0054F394
0054F38F47INC EDI
0054F39043INC EBX
0054F391 ^ EB DA JMP SHORT wb86.0054F36D ==>这里又跳到前面,看一下前面那一句会跳到
后面的,是JE SHORT 0054F3E2,JS SHORT 0054F3E2,JBE SHORT wb86.0054F3B3,JE SHORT 0054F3D2,依次
在其跳往的地方设断。F9运行,会在设断的地方停,最后确定0054F3E2才是正确的设断地方
0054F393B8 8B47023CMOV EAX,3C02478B
...............(一直往前走,省略).....................
0054F4768BB5 15A64000MOV ESI,DWORD PTR SS:[EBP+40A615]
0054F47C8BBD 19A64000MOV EDI,DWORD PTR SS:[EBP+40A619]
0054F482E8 8F0C0000 CALL wb86.00550116
0054F48761POPAD ==>看到希望了,继续单步走
0054F4889DPOPFD
0054F48950PUSH EAX
0054F48A68 84374000 PUSH wb86.00403784
0054F48FC2 0400RETN 4 ==>走过这里,地址会有很大变化,可以确定,壳已脱完了。
0054F4928BB5 37A64000MOV ESI,DWORD PTR SS:[EBP+40A637]
00403781 00 DB 00
00403782 >0000 ADD BYTE PTR DS:[EAX],AL
00403784 .68 94FF4300PUSH wb86.0043FF94 ===>由0054F48F处跳来,在这里运行ollyDump把
程序dump下来。到此手动脱壳结束。
00403789 E8 DB E8
0040378A EE DB EE
0040378B FF DB FF
0040378C FF DB FF
0040378D FF DB FF
0040378E 00 DB 00
0040378F 00 DB 00
00403790 00 DB 00
00403791 00 DB 00
00403792 00 DB 00
脱完后可以用侦壳工具看,是用VB写的。其它壳(如Aspack等)都可以用此法配合OLLYDUMP来手动脱壳
---------------------------- |
|
| 发布日期:2019/11/23 |
| 宜昌打印机维修 复印机 一体机上门维修热线:13677173728 邢师傅 0717-6736581 |
|
