ASPack 2.12 -> Alexey Solodovnikov: unpacking analysis
Part 1: Identify the packer and unpack. PEiD reports ASPack 2.12 -> Alexey Solodovnikov.
Load the target in OllyDbg.
An exception is raised.
Press Shift+F8 to pass it on. I first debugged it with ANTI-WDASM and found the address 015D7001,
then set BP 015D7001.
This lands at the packer entry:
pushad
call 0157005
(relocation plus a trap)
F7 to step into.
Locate the sequence to search for:
015D73A6 59 pop ecx
015D73A7 0BC9 or ecx,ecx
015D73A9 8985 A8030000 mov dword ptr ss:[ebp+3A8],eax
015D73AF 61 popad
Next time, search for this sequence directly.
Following ESP after the popad (the ESP trick) lands at the OEP:
00B95B0B 6A 60 push 60
00B95B0D 68 084A1801 push khan.01184A08
00B95B12 E8 4D650000 call khan.00B9C064
00B95B17 BF 94000000 mov edi,94
00B95B1C 8BC7 mov eax,edi
00B95B1E E8 5DE0FFFF call khan.00B93B80
00B95B23 8965 E8 mov dword ptr ss:[ebp-18],esp
00B95B26 8BF4 mov esi,esp
00B95B28 893E mov dword ptr ds:[esi],edi
00B95B2A 56 push esi
00B95B2B FF15 C0100101 call dword ptr ds:[010110C0] ; kernel32.GetVersionExA
Heh, one look and it's obviously VC7.
Dump:
LordPE, save as khan1.exe.
Repair with ImportREC.
OEP RVA: B95B0B - 400000 = 795B0B
This packer neither encrypts the IAT nor steals code. Lucky.
The final unpacked file is
khan1_.exe
Part 2: Removing the dialog
Running the unpacked program pops up "must be run from the launcher"; find a way to get rid of it.
Load the unpacked program in OllyDbg.
Reference found online:
004021D4 |.E8 E48F7300 call khan.00B3B1BD
004021D9 |.83C4 04 add esp,4
004021DC |>39BD E4FCFFFF cmp dword ptr ss:[ebp-31C],edi
004021E2 |.8B85 D0FCFFFF mov eax,dword ptr ss:[ebp-330]
004021E8 |.73 06 jnb short khan.004021F0
004021EA |.8D85 D0FCFFFF lea eax,dword ptr ss:[ebp-330]
004021F0 |>50 push eax
004021F1 |.68 C885F800 push khan.00F885C8 ;ASCII "KHan.exe"
004021F6 |.B9 34154701 mov ecx,khan.01471534
004021FB |.E8 606F7100 call khan.00B19160 ;this function pops up the error message
00402200 |.83F8 03 cmp eax,3
00402203 |.75 16 jnz short khan.0040221B
00402205 |.8B95 C8FCFFFF mov edx,dword ptr ss:[ebp-338]
0040220B |.53 push ebx ; /lParam
0040220C |.68 00104000 push khan.00401000 ; |DlgProc = khan.00401000
00402211 |.53 push ebx ; |hOwner
00402212 |.6A 66 push 66 ; |pTemplate = 66
00402214 |.52 push edx ; |hInst
00402215 |.FF15 D883F800 call dword ptr ds:[<&user32.DialogBoxParamA>]; \DialogBoxParamA
0040221B |>39BD E4FCFFFF cmp dword ptr ss:[ebp-31C],edi
00402221 |.72 0F jb short khan.00402232
Search for this function's byte signature, and once you find it set a breakpoint at the function head. Trace downward, then change a jump or NOP that jump and you're done. I haven't worked on this game for a while, so my client hasn't been updated; as for which address the jump is at, you'll have to find it yourself.
Then, on my own:
In OllyDbg set a breakpoint: bpx DialogBoxParamA
Two hits:
1. 004020DB and 00402277
Going to the address, 00402277 is the same as the reference above:
00402252 50 push eax
00402253 68 EC150101 push khan.010115EC ; ASCII "KHan.exe"
00402258 B9 80255301 mov ecx,khan.01532580
0040225D E8 EECD7400 call khan.00B4F050
00402262 83F8 03 cmp eax,3
00402265 75 16 jnz short khan.0040227D
00402267 8B95 C8FCFFFF mov edx,dword ptr ss:[ebp-338]
0040226D 53 push ebx
0040226E 68 00104000 push khan.00401000
00402273 53 push ebx
00402274 6A 66 push 66
00402276 52 push edx
00402277 FF15 E4130101 call dword ptr ds:[010113E4] ; USER32.DialogBoxParamA
0040227D 39BD E4FCFFFF cmp dword ptr ss:[ebp-31C],edi
00402283 72 0F jb short khan.00402294
00402285 8B85 D0FCFFFF mov eax,dword ptr ss:[ebp-330]
0040228B 50 push eax
0040228C E8 FC097900 call khan.00B92C8D
00402291 83C4 04 add esp,4
Then BP 0040225D and step into the call:
00B4F161 E8 2A160000 call khan2.00B50790
00B4F166 85C0 test eax,eax
00B4F168 74 19 je short khan2.00B4F183
00B4F16A 50 push eax
00B4F16B 68 FC150101 push khan2.010115FC
00B4F170 68 60A10401 push khan2.0104A160 ; ASCII "10005"
00B4F175 50 push eax
00B4F176 FF15 E8130101 call dword ptr ds:[010113E8] ; USER32.MessageBoxA
00B4F17C 6A 00 push 0
00B4F17E E8 99360400 call khan2.00B9281C
00B4F183 8B15 B8CC5101 mov edx,dword ptr ds:[0151CCB8]
Frustrating: two more error dialogs appear. Analyzing this part first...
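The two mechanical steps above, writing the OEP found in OllyDbg into the dump's header (B95B0B - 400000 = 795B0B, the field ImportREC's fix-dump step sets) and turning the jnz after cmp eax,3 into an unconditional jmp so the DialogBoxParamA path at 00402267 is never reached, as an added Python example. This is not the post's own tooling (the post uses LordPE and ImportREC by hand); it assumes a 32-bit dump whose headers came straight from memory, the image base 00400000 used in the post, and a launcher check that is byte-for-byte the sequence listed at 00402262. It runs against a constructed stand-in PE from build_sample_image, not against khan1_.exe.

```python
"""Post-dump helper: fix AddressOfEntryPoint and patch the launcher check (added example)."""
import struct

SECTION_HDR = 40   # sizeof(IMAGE_SECTION_HEADER)

def pe_header_offset(data):
    """File offset of the 'PE\\0\\0' signature (start of IMAGE_NT_HEADERS)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew

def image_base(data):
    return struct.unpack_from("<I", data, pe_header_offset(data) + 24 + 28)[0]

def entry_point_rva(data):
    return struct.unpack_from("<I", data, pe_header_offset(data) + 24 + 16)[0]

def sections(data):
    """Yield (name, virtual_address, virtual_size, raw_pointer, raw_size) per section."""
    pe = pe_header_offset(data)
    count = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size
    for i in range(count):
        off = table + SECTION_HDR * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        yield name, va, vsize, rawptr, rawsize

def rva_to_offset(data, rva):
    """Map an RVA to a file offset; only file-backed bytes can be patched on disk."""
    for _, va, vsize, rawptr, rawsize in sections(data):
        if va <= rva < va + max(vsize, rawsize):
            if rva - va >= rawsize:
                raise ValueError("rva %#x is not backed by file data" % rva)
            return rawptr + (rva - va)
    raise ValueError("rva %#x is outside every section" % rva)

def offset_to_va(data, offset):
    """Inverse mapping, so a patch can be reported at the address OllyDbg showed."""
    for _, va, _, rawptr, rawsize in sections(data):
        if rawptr <= offset < rawptr + rawsize:
            return image_base(data) + va + (offset - rawptr)
    raise ValueError("offset %#x is outside every section" % offset)

def set_entry_point(data, oep_va):
    """OEP RVA = VA - ImageBase (00B95B0B - 00400000 = 795B0B). Returns (image, rva)."""
    base = image_base(data)
    rva = oep_va - base
    if not any(va <= rva < va + max(vs, rs) for _, va, vs, _, rs in sections(data)):
        raise ValueError("OEP %#x does not fall inside any section of the dump" % oep_va)
    out = bytearray(data)
    struct.pack_into("<I", out, pe_header_offset(data) + 24 + 16, rva)
    return bytes(out), rva

def find_pattern(data, pattern):
    """Byte-signature search; None in the pattern is a wildcard. Returns file offsets."""
    n = len(pattern)
    return [i for i in range(len(data) - n + 1)
            if all(p is None or data[i + k] == p for k, p in enumerate(pattern))]

# cmp eax,3 / jnz short ?? / mov edx,[ebp+??] / push ebx / push 00401000 (the DlgProc)
# taken from the listing at 00402262; the fixed DlgProc address keeps the signature unique.
LAUNCHER_CHECK = [0x83, 0xF8, 0x03, 0x75, None,
                  0x8B, 0x95, None, None, None, None,
                  0x53, 0x68, 0x00, 0x10, 0x40, 0x00]

def patch_launcher_check(data):
    """Turn every matching jnz (75 xx) into jmp (EB xx). With eax == 3 the original falls
    through into DialogBoxParamA; an unconditional jump always takes the eax != 3 path.
    NOPing the jnz instead would force the dialog every time. Returns (image, offsets)."""
    out = bytearray(data)
    patched = []
    for hit in find_pattern(data, LAUNCHER_CHECK):
        jnz = hit + 3
        out[jnz] = 0xEB
        patched.append(jnz)
    if not patched:
        raise ValueError("launcher check signature not found")
    return bytes(out), patched

def build_sample_image():
    """Constructed stand-in for the dump (not a real file): a minimal PE32 with one .text
    section (RVA 0x1000, file offset 0x400, 0x2000 raw bytes) carrying the launcher check
    at VA 00402262 and an entry point still pointing at the ASPack stub (015D7001)."""
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    struct.pack_into("<4sHHIIIHH", hdr, 0x40, b"PE\0\0", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x11D7001)        # AddressOfEntryPoint = 015D7001 - 400000
    struct.pack_into("<I", hdr, opt + 28, 0x00400000)       # ImageBase
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    sec = opt + 0xE0
    struct.pack_into("<8sIIII", hdr, sec, b".text", 0x800000, 0x1000, 0x2000, 0x400)
    struct.pack_into("<I", hdr, sec + 36, 0x60000020)       # CODE | EXECUTE | READ
    text = bytearray(0x2000)
    seq = bytes.fromhex("83F803" "7516" "8B95C8FCFFFF" "53" "6800104000" "53" "6A66" "52")
    text[0x1262:0x1262 + len(seq)] = seq
    return bytes(hdr) + bytes(text)

if __name__ == "__main__":
    img = build_sample_image()
    fixed, rva = set_entry_point(img, 0x00B95B0B)
    patched, offs = patch_launcher_check(fixed)
    print("OEP RVA %#x, patched jnz at %s" % (rva, [hex(offset_to_va(img, o)) for o in offs]))
```

Run patch_launcher_check over the real dump and compare the addresses offset_to_va reports with the two DialogBoxParamA call sites the bpx found (004020DB and 00402277); if the signature hits more or fewer places than that, lengthen it instead of patching blindly, and keep in mind that the "10005" MessageBoxA path inside 00B4F050 is a separate check that this patch does not touch.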