---------------------------------------------------------------------------
; eXPressor v1.1 unpacking ;
---------------------------------------------------------------------------

Load it in OllyDbg:

00438019 > $  /E9 15130000      jmp 00439333
0043801E  .  |E9 F0120000      jmp 00439313
00438023  .  |E9 58120000      jmp 00439280
00438028  $  |E9 AF0C0000      jmp 00438CDC
0043802D  $  |E9 AE020000      jmp 004382E0
00438032  $  |E9 B40B0000      jmp 00438BEB
00438037  $  |E9 E00C0000      jmp 00438D1C

Running it shows a nag box, so try breaking on MessageBoxA:

77D5050B >  8BFF                 mov edi, edi
77D5050D    55                   push ebp
77D5050E    8BEC                 mov ebp, esp
77D50510    833D 1C04D777 0>     cmp dword ptr [77D7041C], 0
77D50517    74 24                je short 77D5053D
77D50519    64:A1 18000000       mov eax, fs:[18]
77D5051F    6A 00                push 0
77D50521    FF70 24              push dword ptr [eax+24]
77D50524    68 F40AD777          push 77D70AF4
77D50529    FF15 1812D177        call [<&KERNEL32.InterlockedCompareEx>]  ; kernel32.InterlockedCompareExchange
77D5052F    85C0                 test eax, eax
77D50531    75 0A                jnz short 77D5053D
77D50533    C705 F00AD777 0>     mov dword ptr [77D70AF0], 1
77D5053D    6A 00                push 0
77D5053F    FF75 14              push dword ptr [ebp+14]
77D50542    FF75 10              push dword ptr [ebp+10]
77D50545    FF75 0C              push dword ptr [ebp+C]
77D50548    FF75 08              push dword ptr [ebp+8]
77D5054B    E8 2D000000          call MessageBoxExA
77D50550    5D                   pop ebp
77D50551    C2 1000              retn 10                                   ; Breakpoint

Set a breakpoint on the retn, run the program, and this appears:

---------------------------
Nfo
---------------------------
This program was packed with a demo version of eXPressor
---------------------------
OK
---------------------------

Close the nag; the retn breakpoint fires and we are back in the program's own code:

004393A8 > /8B85 34FEFFFF      mov eax, [ebp-1CC]
004393AE . |0FBE08             movsx ecx, byte ptr [eax]
004393B1 . |83F9 5C            cmp ecx, 5C
004393B4 . |74 11              je short 004393C7
004393B6 . |8B95 34FEFFFF      mov edx, [ebp-1CC]

To find where the import table is processed, break on LoadLibraryA, then Alt+F9 to return to the program:

004396A5 . 8985 58FEFFFF       mov [ebp-1A8], eax             ; comdlg32.76320000
004396AB > 83BD 58FEFFFF>      cmp dword ptr [ebp-1A8], 0
004396B2 . 75 37               jnz short 004396EB
004396B4 . 8B4D F8             mov ecx, [ebp-8]
004396B7 . 51                  push ecx                       ; /<%hs>
004396B8 . 68 78814300         push 00438178                  ; |Format = "A required .DLL file, %hs, was not found."
004396BD . 8D95 60FEFFFF       lea edx, [ebp-1A0]             ; |
004396C3 . 52                  push edx                       ; |s
004396C4 . FF15 2CE14300       call [<&USER32.wsprintfA>]     ; \wsprintfA

This is clearly the import-table loading loop (the DLL name that LoadLibraryA just failed on, or succeeded on, is what gets formatted into the error message). Trace back upward to its start:

00439636 . 8B95 ECFEFFFF       mov edx, [ebp-114]
0043963C . 0315 88F04300       add edx, [43F088]
00439642 . 8995 38FEFFFF       mov [ebp-1C8], edx
00439648 > 8B85 38FEFFFF       mov eax, [ebp-1C8]
0043964E . 8378 0C 00          cmp dword ptr [eax+C], 0
00439652 . 0F84 65020000       je 004398BD

[ebp-1C8] should be the import table (an RVA from [ebp-114] plus the base in [43F088]). By the time we stopped here the loop has already run and the table may already have been modified, so restart the program and run straight to 00439642. Then type dd edx on the command line to see how big the import table (the IMAGE_IMPORT_DESCRIPTOR array) is:

004231F8  00023350
004231FC  00000000
00423200  00000000
00423204  00023EDC
00423208  0001F0B8
0042320C  00023520
00423210  00000000
00423214  00000000
00423218  000245FC
0042321C  0001F288
00423220  000232B4
00423224  00000000
00423228  00000000
0042322C  0002482E
00423230  0001F01C
00423234  00023710
00423238  00000000
0042323C  00000000
00423240  0002485C
00423244  0001F478
00423248  00023700
0042324C  00000000
00423250  00000000
00423254  000248A0
00423258  0001F468
0042325C  00023298
00423260  00000000
00423264  00000000
00423268  000248F0
0042326C  0001F000
00423270  000232AC
00423274  00000000
00423278  00000000
0042327C  0002490A
00423280  0001F014
00423284  00000000
00423288  00000000
0042328C  00000000
00423290  00000000
00423294  00000000

Each IMAGE_IMPORT_DESCRIPTOR is 20 bytes (five dwords: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk), and the array ends with an all-zero entry. Reading the dump in groups of five, it holds seven descriptors followed by the terminator starting at 00423284, i.e. 0xA0 bytes in total; the cmp dword ptr [eax+C], 0 at 0043964E is the unpacker testing each entry's Name field for that terminator, and the FirstThunk values (0001F0B8, 0001F288, ...) point at the IAT slots it fills in.
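As an added example (not code from the original tutorial or from eXPressor), the following Python does by hand what the reader is asked to do by eye: it parses an OllyDbg dd dump into bytes, walks the IMAGE_IMPORT_DESCRIPTOR array to the zero terminator using the same Name-field test the unpacker makes at 0043964E, and reports the count and size of the table. The dump embedded below is the dd edx output copied from above (constructed input for the example); the image base of 0x400000 is an assumption, since the page never states it.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: five little-endian dwords, 20 (0x14) bytes in total.
IID_FMT = "<5I"
IID_SIZE = struct.calcsize(IID_FMT)
IID_FIELDS = ("OriginalFirstThunk", "TimeDateStamp",
              "ForwarderChain", "Name", "FirstThunk")

# Constructed input: the "dd edx" dump from the tutorial, one descriptor per line.
DD_DUMP = """
004231F8 00023350 004231FC 00000000 00423200 00000000 00423204 00023EDC 00423208 0001F0B8
0042320C 00023520 00423210 00000000 00423214 00000000 00423218 000245FC 0042321C 0001F288
00423220 000232B4 00423224 00000000 00423228 00000000 0042322C 0002482E 00423230 0001F01C
00423234 00023710 00423238 00000000 0042323C 00000000 00423240 0002485C 00423244 0001F478
00423248 00023700 0042324C 00000000 00423250 00000000 00423254 000248A0 00423258 0001F468
0042325C 00023298 00423260 00000000 00423264 00000000 00423268 000248F0 0042326C 0001F000
00423270 000232AC 00423274 00000000 00423278 00000000 0042327C 0002490A 00423280 0001F014
00423284 00000000 00423288 00000000 0042328C 00000000 00423290 00000000 00423294 00000000
"""


def parse_dd_dump(text):
    """Parse OllyDbg 'dd' output into (start_address, bytes).

    Tokens are consumed pairwise (address, value), so the dump may be one
    pair per line or flattened onto a few lines. Addresses must be
    contiguous dwords; a gap means the copy/paste lost something."""
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("odd number of tokens; dump is not address/value pairs")
    start = None
    blob = bytearray()
    for i in range(0, len(tokens), 2):
        addr, val = int(tokens[i], 16), int(tokens[i + 1], 16)
        if start is None:
            start = addr
        elif addr != start + len(blob):
            raise ValueError(f"dump not contiguous at {addr:08X}")
        blob += struct.pack("<I", val)
    return start, bytes(blob)


def parse_import_descriptors(blob):
    """Walk an IMAGE_IMPORT_DESCRIPTOR array up to its all-zero terminator.

    Returns (descriptors, size_in_bytes); the size includes the terminator,
    which is what the import data directory's Size field covers. The end
    test is Name == 0, the same check as 'cmp dword ptr [eax+C], 0'."""
    descs = []
    for off in range(0, len(blob) - IID_SIZE + 1, IID_SIZE):
        d = dict(zip(IID_FIELDS, struct.unpack_from(IID_FMT, blob, off)))
        if d["Name"] == 0:
            return descs, off + IID_SIZE
        descs.append(d)
    raise ValueError("no terminating descriptor; dump more memory")


def summarize(text=DD_DUMP, image_base=0x400000):
    """Gather what the tutorial is after: where the IID is and how big it is.

    image_base=0x400000 is an assumption for this example; the page never
    states the module's base (it lives in [43F088] at run time)."""
    start, blob = parse_dd_dump(text)
    descs, size = parse_import_descriptors(blob)
    return {
        "iid_va": start,
        "iid_rva": start - image_base,
        "iid_size": size,
        "dll_count": len(descs),
        "name_rvas": [d["Name"] for d in descs],
        "iat_rvas": [d["FirstThunk"] for d in descs],
    }


if __name__ == "__main__":
    s = summarize()
    print(f"IID at {s['iid_va']:08X} (RVA {s['iid_rva']:X}): "
          f"{s['dll_count']} DLLs, size 0x{s['iid_size']:X}")
    for name, iat in zip(s["name_rvas"], s["iat_rvas"]):
        print(f"  Name RVA {name:08X}  FirstThunk RVA {iat:08X}")
```

The RVA and size that summarize() returns are exactly the two numbers a rebuilt PE needs in its import data directory after the dump, and the FirstThunk list tells you which IAT ranges to check once the unpacker has filled them.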