
深入偽UPX分析之一靜態脫殼機

火星人 @ 2014-03-09 , reply:0
由於是演算法直接解密,按道理來講無所謂什麼處理不處理~~~只要是UPX演算法,就能搞定的…
試了幾個都可以正常解密的,解密后的程序,有的可以用,有的用不了,但是OD,全部能LOAD…
正在研究解決中…
寫的亂七八糟的~~~~
貼出來給大家笑話~~~
可能要做其它的事了,沒機會再做了.把重要點的代碼貼出來,希望對大家有幫助:
解密代碼段的函數:
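//-----------------------------------------------------------------------------
// BOOL DecryptCode()
//
// Re-implements the decompression loop of the packer's stub (a UPX/NRV2B-style
// bit-stream decoder) as MSVC x86 inline asm, so the packed section can be
// unpacked statically instead of by running the stub.
//
// Inputs (file-scope globals defined elsewhere):
//   pvdUPX1Addr - start of the compressed data (esi, source)
//   dwUPX0Size  - size of the unpacked section; the destination is
//                 pvdUPX1Addr - dwUPX0Size (edi), mirroring the stub's layout
// Returns: TRUE once the decoder hits the end-of-stream marker (_L2C3A).
//          FALSE (_LFEND) is reached only via the guard branches below, which
//          are never taken, so in practice it is not returned.
//
// Register roles inside the asm block:
//   esi   = source pointer          edi   = destination pointer
//   ebx   = 32-bit bit buffer, MSB first, refilled when it runs empty
//   eax   = gamma-decoded value / offset scratch
//   ecx   = match length
//   dwEBP = last match offset, negative (the stub keeps it in ebp; here ebp is
//           the frame pointer, so the value lives in a local instead)
//   MSVC restores ebx/esi/edi around __asm blocks, so no push/pop is needed.
//
// Caveat: the decoder trusts the stream completely. Nothing checks that esi
//   stays inside the compressed data or that edi stays inside the destination
//   buffer, and the dword copy path (_L2C24) deliberately overshoots by up to
//   3 bytes. A corrupted or crafted sample can therefore read/write out of
//   bounds; validate dwUPX0Size / pvdUPX1Addr against the PE headers and run
//   the unpacker on untrusted samples in an isolated process.
//
// The copied listing had lost every '+' inside memory operands
// ([eax 0x0C], [edi edx], ...); they are restored here.
//-----------------------------------------------------------------------------
BOOL DecryptCode()
{
    DWORD dwEBP = 0;                           // stand-in for the stub's ebp
    __asm
    {
        ; Guards: 'xor edi,edi' sets ZF, so each 'je' is always taken and the
        ; 'jmp _LFEND' after it is dead code; kept to mirror the stub's shape.
        xor     edi, edi
        je      _L2AFA
        jmp     _LFEND
_L2AFA:
        mov     edx, 0x7D
        ;cmp    byte ptr [esp+0x08], 0x01       ; stub's DllMain-reason check, disabled by the author
        mov     esi, pvdUPX1Addr                ; esi = compressed source
        xor     edi, edi
        je      _L2B1A
        jmp     _LFEND
_L2B1A:
        mov     ecx, dwUPX0Size
        ;lea    edi, dword ptr [esi-ecx]        ; not encodable; done in two steps below
        mov     edi, esi
        sub     edi, ecx                        ; edi = destination = source - dwUPX0Size
        xor     ecx, ecx
        je      _L2B2A
        jmp     _LFEND
_L2B2A:
        mov     eax, 0x7D
        cmp     edx, eax                        ; edx == 0x7D here, so ZF = 1
        not     eax                             ; does not touch flags
        /*-------------------------------------------------------
        Disabled by the author ("臨時註銷"). Looks like the original stub's
        environment probe: fs:[0x30] = PEB, fs:[0x18] = TEB, [TEB+0x30] = PEB,
        byte [PEB+0x02] = BeingDebugged. The write of 0x1000 through the
        loader list resembles an anti-dump tweak - not executed here, and not
        confirmed beyond what the offsets suggest.
        jnz _L2B79
        mov eax, dword ptr fs:[0x30]
        test eax, eax
        js _L2B67
        mov eax, dword ptr [eax+0x0C]
        mov eax, dword ptr [eax+0x0C]
        mov dword ptr [eax+0x20], 0x1000
        mov eax, dword ptr fs:[0x18]
        mov eax, dword ptr [eax+0x30]
        movzx eax, byte ptr [eax+0x02]
        test eax, eax
        jnz _L2B78
        jmp _L2B79
_L2B67:
        xor eax, eax
        mov al, byte ptr fs:[0x20]
        test eax, eax
        ------------------------------------------------------------*/
        jnz     _L2B78                          ; ZF is still 1: never taken
        jmp     _L2B79
_L2B78:
_L2B79:
        or      dwEBP, 0xFFFFFFFF               ; last offset = -1
        jmp     _L2B8A                          ; enter by loading the first bit-buffer word
        nop
_L2B80:
        ; literal: copy one byte src -> dst
        mov     al, byte ptr [esi]
        mov     byte ptr [edi], al
        inc     esi
        inc     edi
_L2B86:
        ; main loop: next bit selects literal (1) or match (0)
        add     ebx, ebx                        ; shift the next bit into CF
        jnz     _L2B91                          ; buffer still has bits
_L2B8A:
        mov     ebx, dword ptr [esi]            ; refill the 32-bit buffer
        sub     esi, -4                         ; esi += 4; the borrow leaves CF = 1 ...
        adc     ebx, ebx                        ; ... which is shifted in as the sentinel bit
_L2B91:
        jb      _L2B80                          ; CF = 1 -> literal
        mov     eax, 0x01                       ; CF = 0 -> match; gamma-decode into eax
_L2B98:
        add     ebx, ebx
        jnz     _L2BA3
        mov     ebx, dword ptr [esi]
        sub     esi, -4
        adc     ebx, ebx
_L2BA3:
        adc     eax, eax                        ; eax = (eax << 1) | bit
        add     ebx, ebx
        jnb     _L2B98                          ; stop bit = 0 -> keep going
        jnz     _L2BB4
        mov     ebx, dword ptr [esi]
        sub     esi, -4
        adc     ebx, ebx
        jnb     _L2B98
_L2BB4:
        xor     ecx, ecx
        sub     eax, 0x03
        jb      _L2BC8                          ; value < 3: reuse the previous offset in dwEBP
        shl     eax, 0x08
        mov     al, byte ptr [esi]              ; low 8 offset bits come raw from the stream
        inc     esi
        xor     eax, 0xFFFFFFFF                 ; eax = ~eax (negative offset); all-ones input ...
        je      _L2C3A                          ; ... becomes 0 = end-of-stream marker
        mov     dwEBP, eax                      ; remember the new offset
_L2BC8:
        ; match length: two raw bits, then a gamma code if both were 0
        add     ebx, ebx
        jnz     _L2BD3
        mov     ebx, dword ptr [esi]
        sub     esi, -4
        adc     ebx, ebx
_L2BD3:
        adc     ecx, ecx
        add     ebx, ebx
        jnz     _L2BE0
        mov     ebx, dword ptr [esi]
        sub     esi, -4
        adc     ebx, ebx
_L2BE0:
        adc     ecx, ecx
        jnz     _L2C04                          ; non-zero 2-bit length: done
        inc     ecx                             ; else gamma-decode starting from 1
_L2BE5:
        add     ebx, ebx
        jnz     _L2BF0
        mov     ebx, dword ptr [esi]
        sub     esi, -4
        adc     ebx, ebx
_L2BF0:
        adc     ecx, ecx
        add     ebx, ebx
        jnb     _L2BE5
        jnz     _L2C01
        mov     ebx, dword ptr [esi]
        sub     esi, -4
        adc     ebx, ebx
        jnb     _L2BE5
_L2C01:
        add     ecx, 0x02
_L2C04:
        cmp     dwEBP, -0x0D00                  ; unsigned: CF = 1 for offsets below -0xD00
        adc     ecx, 0x01                       ; length += 1 (+1 more for far offsets)
        mov     edx, dwEBP
        lea     edx, dword ptr [edi+edx]        ; edx = copy source = dst + offset
        cmp     dwEBP, -4
        jbe     _L2C24                          ; |offset| >= 4: dword copy is safe
_L2C15:
        ; byte-wise overlapping copy
        mov     al, byte ptr [edx]
        mov     byte ptr [edi], al
        inc     edx
        inc     edi
        dec     ecx
        jnz     _L2C15
        jmp     _L2B86
        nop
_L2C24:
        ; dword copy; overshoots by up to 3 bytes, corrected by 'add edi,ecx'
        mov     eax, dword ptr [edx]
        mov     dword ptr [edi], eax
        add     edx, 0x04
        add     edi, 0x04
        sub     ecx, 0x04
        ja      _L2C24
        add     edi, ecx                        ; ecx is 0..-3 here: pull edi back
        jmp     _L2B86
_L2C3A:
    }
    return TRUE;
    __asm
    {
_LFEND:
    }
    return FALSE;
}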
//代碼段解密後會有原始PE頭,只需要加4個位元組就是PE頭,然後按PE頭來處理.
//估計是版本不同,E8後面的值隨之改變的.
//-----------------------------------------------------------------------------------
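//-----------------------------------------------------------------------------
// BOOL ModfiyJmpCall()   (name kept as-is for callers)
//
// The author's "調用修正" (call fix-up) pass over the unpacked code section:
// for every E8 (call rel32) / E9 (jmp rel32) whose first operand byte is one
// of the marker values observed in the analysed samples (0x07, 0x03, 0x04),
// the byte-swapped value stored by the packer is turned back into a rel32
// displacement and patched in place. The marker set is an observation, not a
// documented property of the packer's filter (see the comment above about it
// changing between versions).
//
// Inputs (file-scope globals defined elsewhere):
//   pvdUPX0Addr - start of the unpacked code section (patched in place)
//   dwUPX0Size  - its size in bytes
// Returns: TRUE always; the number of fixed sites is reported via txtout.
//
// Recovered from a listing that had lost its '+' and '%' characters: i++,
// '+=', '+' and the printf-style specifiers are restored below. The added
// bounds check keeps the 4-byte operand read inside the section.
//-----------------------------------------------------------------------------
BOOL ModfiyJmpCall()
{
    LPBYTE pbyte = (LPBYTE)pvdUPX0Addr;
    DWORD  n     = 0;                          // sites fixed so far

    for (DWORD i = 0; i < dwUPX0Size; i++)
    {
        // opcode must be E8 (call rel32) or E9 (jmp rel32)
        if (pbyte[i] != 0xE8 && pbyte[i] != 0xE9)
            continue;

        i++;                                   // i now indexes the rel32 operand
        if (i + sizeof(DWORD) > dwUPX0Size)    // operand must lie fully inside the section
            break;

        if (pbyte[i] == 0x07 || pbyte[i] == 0x03 || pbyte[i] == 0x04)
        {
            DWORD dwBuf = *(LPDWORD)(&pbyte[i]);
            DWORD dwA   = HIWORD(dwBuf);
            // swap the two bytes of the high word (stored big-endian)
            BYTE byah = LOWORD(HIBYTE(dwA));
            BYTE byal = LOWORD(LOBYTE(dwA));
            dwA  = byal * 0x0100 + byah;
            // absolute -> relative: since pbyte == pvdUPX0Addr the next two
            // lines amount to dwA -= i. Restored as '+=': a plain '=' would
            // discard the subtraction above.
            dwA -= (DWORD)&pbyte[i];
            dwA += (DWORD)pvdUPX0Addr;
            *(LPDWORD)&pbyte[i] = dwA;
            txtout(_t("[%d]調用修正[0x%X]: 0x%X <-> 0x%X "), n, (DWORD)&pbyte[i], dwBuf, dwA);
            i += 0x03;                         // skip the rest of the operand (loop i++ covers the last byte)
            n++;
        }
    }
    txtout(_t("修正已經順利結束,總計修正[%d <-> 0x%X]處."), n, n);
    return TRUE;
}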
再說一個就是IAT表的格式為
模塊名稱相對地址 IAT表地址偏移 函數名稱列表
函數名稱前有個標誌01代表是函數名稱,FF代表的是HINT號.
//------------------------------------------------------------------------------------------
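; Stub fragment (OllyDbg listing, Intel syntax). The two lea results are the
; values needed to rebuild the import table. The opcode bytes confirm the '+'
; that the copied listing had dropped: 8D BE disp32 = lea edi,[esi+disp32],
; 8B 5F 04 = mov ebx,[edi+4], 8D 84 30 disp32 = lea eax,[eax+esi+disp32].
00422C6E  8DBE 00000200     lea     edi, dword ptr [esi+20000]      ; edi -> import list; needed to compute the IAT and import table
00422C74  8B07              mov     eax, dword ptr [edi]            ; eax = first field (module-name relative address)
00422C76  09C0              or      eax, eax
00422C78  74 45             je      short 00422CBF                  ; eax == 0 -> end of list
00422C7A  8B5F 04           mov     ebx, dword ptr [edi+4]          ; ebx = second field (IAT offset)
00422C7D  8D8430 602B0200   lea     eax, dword ptr [eax+esi+22B60]  ; eax -> module name; needed as well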


//-------------------------------------------------------------------------------------------
大家有興趣的可以寫了,UPX不算很難的.
我可能需要做其他的事,估計沒時間做了.關鍵的地方都貼出來了.
應該大家都能寫出來了.



http://coctec.com/docs/java/show-post-59947.html