Experiment: finding the OEP of a UPX-packed EXE with OllyDbg (OD)
Posted by 阿新 on 2019-02-12
As can be seen, the marker that UPX has finished unpacking is a POPAD, followed by a single cross-section jump that lands on the OEP.

```
004079CC  .^\E2 D9           loopd short 004079A7
004079CE  .  8DBE 00500000   lea edi, dword ptr [esi+5000]       ; F4 (run to here)
004079D4  >  8B07            mov eax, dword ptr [edi]
004079D6  .  09C0            or eax, eax
004079D8  .  74 3C           je short 00407A16                   ; once unpacking is done, leave the loop
004079DA  .  8B5F 04         mov ebx, dword ptr [edi+4]
004079DD  .  8D8430 B47200>  lea eax, dword ptr [eax+esi+72B4]
004079E4  .  01F3            add ebx, esi
004079E6  .  50              push eax
004079E7  .  83C7 08         add edi, 8
004079EA  .  FF96 F0720000   call dword ptr [esi+72F0]
004079F0  .  95              xchg eax, ebp
004079F1  >  8A07            mov al, byte ptr [edi]
004079F3  .  47              inc edi
004079F4  .  08C0            or al, al
004079F6  .^ 74 DC           je short 004079D4
004079F8  .  89F9            mov ecx, edi
004079FA  .  57              push edi
004079FB  .  48              dec eax
004079FC  .  F2:AE           repne scas byte ptr es:[edi]
004079FE  .  55              push ebp
004079FF  .  FF96 F4720000   call dword ptr [esi+72F4]
00407A05  .  09C0            or eax, eax
00407A07  .  74 07           je short 00407A10
00407A09  .  8903            mov dword ptr [ebx], eax
00407A0B  .  83C3 04         add ebx, 4
00407A0E  .^ EB E1           jmp short 004079F1                  ; final unpacking loop
00407A10  >  FF96 04730000   call dword ptr [esi+7304]
00407A16  >  8BAE F8720000   mov ebp, dword ptr [esi+72F8]       ; unpacking finished
00407A1C  .  8DBE 00F0FFFF   lea edi, dword ptr [esi-1000]
00407A22  .  BB 00100000     mov ebx, 1000
00407A27  .  50              push eax
00407A28  .  54              push esp
00407A29  .  6A 04           push 4
00407A2B  .  53              push ebx
00407A2C  .  57              push edi
00407A2D  .  FFD5            call ebp
00407A2F  .  8D87 07020000   lea eax, dword ptr [edi+207]
00407A35  .  8020 7F         and byte ptr [eax], 7F
00407A38  .  8060 28 7F      and byte ptr [eax+28], 7F
00407A3C  .  58              pop eax
00407A3D  .  50              push eax
00407A3E  .  54              push esp
00407A3F  .  50              push eax
00407A40  .  53              push ebx
00407A41  .  57              push edi
00407A42  .  FFD5            call ebp
00407A44  .  58              pop eax
00407A45  .  61              popad                               ; the POPAD after unpacking finishes
00407A46  .  8D4424 80       lea eax, dword ptr [esp-80]
00407A4A  >  6A 00           push 0
00407A4C  .  39C4            cmp esp, eax
00407A4E  .^ 75 FA           jnz short 00407A4A                  ; adjusting the stack
00407A50  .  83EC 80         sub esp, -80
00407A53  .- E9 8498FFFF     jmp 004012DC                        ; after unpacking, the cross-section jump following POPAD
```
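The same "POPAD, then a jmp rel32 that leaves the stub" signature can be checked statically instead of single-stepping in OllyDbg. The following is an added example, not code from the original post: the sample bytes are transcribed from the tail of the listing above (00407A45 to 00407A53), and `find_upx_oep` is a hypothetical helper that locates the POPAD, finds the next E9 within a short window, and resolves its rel32 target, which here must equal 004012DC.

```python
import struct
from typing import Optional

# Constructed sample: the UPX stub tail transcribed from the listing,
# starting at the POPAD (61) at 00407A45 and ending with the E9 jump.
STUB_TAIL = bytes.fromhex(
    "61"            # popad
    "8D442480"      # lea eax, [esp-80]
    "6A00"          # push 0
    "39C4"          # cmp esp, eax
    "75FA"          # jnz short (back to push 0)
    "83EC80"        # sub esp, -80
    "E98498FFFF"    # jmp 004012DC  (rel32 = FFFF9884)
)
STUB_TAIL_VA = 0x00407A45   # virtual address of STUB_TAIL[0]


def find_upx_oep(code: bytes, base_va: int, window: int = 32) -> Optional[int]:
    """Locate the 'popad ... jmp rel32' tail of a UPX stub and return the
    jump target, i.e. the OEP.  `code` holds the stub's bytes and `base_va`
    is the virtual address of code[0].  Returns None if no match is found."""
    for i, b in enumerate(code):
        if b != 0x61:                                   # popad
            continue
        # First E9 (jmp rel32) within `window` bytes after the popad.
        j = code.find(b"\xE9", i + 1, i + 1 + window)
        if j == -1 or j + 5 > len(code):
            continue
        rel32 = struct.unpack_from("<i", code, j + 1)[0]
        # rel32 is relative to the address of the instruction that follows.
        target = (base_va + j + 5 + rel32) & 0xFFFFFFFF
        # A genuine tail jump leaves the stub; UPX places the original code
        # in a lower section, so require the target to lie below the stub.
        if target < base_va:
            return target
    return None


if __name__ == "__main__":
    print(hex(find_upx_oep(STUB_TAIL, STUB_TAIL_VA)))  # prints 0x4012dc
```

Such a scan runs over the stub section of the unpacked-in-memory image or the raw file; a 0x61 that merely appears inside another instruction is rejected unless an E9 with a lower target follows it closely.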