查壳:UPX(-)[modified] 脱壳
![UPX(-)[modified] 脱壳_技术](https://s2.51cto.com/images/blog/202108/25/1310b29782ef555dbeca1efa2a1832f8.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184)
入口点,经典pushad指令,可以根据esp定律跟oep,这里直接搜索popad指令
![UPX(-)[modified] 脱壳_技术_02](https://s2.51cto.com/images/blog/202108/25/c7d1c4c4a4d69b4986ec3d30735cd609.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184)
ctrl+f --popad,搜到2条
![UPX(-)[modified] 脱壳_技术_03](https://s2.51cto.com/images/blog/202108/25/a77f4a8512ab69eb28a4ad5b227c5dc2.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184)
第一条popad下断,f9运行
![UPX(-)[modified] 脱壳_搜索_04](https://s2.51cto.com/images/blog/202108/25/6021581a7c227609f0e9c022247389df.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184)
跳过循环,jmp处下断,f9运行
![UPX(-)[modified] 脱壳_搜索_05](https://s2.51cto.com/images/blog/202108/25/4bf8499b43f750b19f1f4a9305391730.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184)
f7步进来到OEP
![UPX(-)[modified] 脱壳_技术_06](https://s2.51cto.com/images/blog/202108/25/583b1118aee8af13202b53ab5ee4a9ee.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184)
使用scylla插件dump
![UPX(-)[modified] 脱壳_技术_07](https://s2.51cto.com/images/blog/202108/25/d81d63e8b671d44c6e1e8d84f4570a9e.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184)
发现一条无效IAT,先delete,dump保存,f9运行,暂停,在无效地址处设置运行点,f8单步,发现最后调用user32.CallNextHookEx
![UPX(-)[modified] 脱壳_技术_08](https://s2.51cto.com/images/blog/202108/25/777fc31c0edc8dad1d55e2712f221d21.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184)
修改此IAT
![UPX(-)[modified] 脱壳_搜索_09](https://s2.51cto.com/images/blog/202108/25/3a6a796720bd4557c78d4396dd448edf.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184)
![UPX(-)[modified] 脱壳_技术_10](https://s2.51cto.com/images/blog/202108/25/5b452720360c37eefb8edd3bc740a6cf.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184)
FIX
![UPX(-)[modified] 脱壳_技术_11](https://s2.51cto.com/images/blog/202108/25/d26d9a028ad368c9f363718f0fe3e20f.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184)
再次查壳
![UPX(-)[modified] 脱壳_技术_12](https://s2.51cto.com/images/blog/202108/25/fda557b59352b571d5f1b71ed9d88662.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184)
运行
![UPX(-)[modified] 脱壳_技术_13](https://s2.51cto.com/images/blog/202108/25/95a7f01eec77f11c3969b244f4bdef2a.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=/resize,m_fixed,w_1184)
ps:那个无效IAT可能是模拟某api,不跟啦,简单测试了下程序,主体正常;
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
