nspack是一种压缩壳,常用于一些病毒的加壳,是VC++编写的。
不同版本的压缩头特征
通用特征是用PEiD查看时,EP区段显示为nsp。
V1.3
00432356 > 9C pushfd 00432357 60 pushad 00432358 E8 00000000 call xxxx.0043235D |
V2.4
0040101B > $- E9 82130300 jmp xxx.004323A2 |
单步即可到达:
00432356 > 9C pushfd 00432357 60 pushad 00432358 E8 00000000 call xxxx.0043235D |
V3.7
004323A2 > 9C pushfd 004323A3 60 pushad 004323A4 E8 00000000 call xxx.004323A9 |
ESP定律脱壳
开头:
00432356 9C pushfd 00432357 60 pushad 00432358 E8 00000000 call xxx.0043235D //单步到这,用esp定律到: 00432613 9D popfd 00432614 - E9 BBECFCFF jmp xxx.004012D4 //跳到OEP |
典型VB头:
004012D4 . 68 54474000 push xxx.00404754 //OEP 004012D9 . E8 F0FFFFFF call xxx004012CE 004012DE . 0000 add byte ptr ds:[eax],al 004012E0 . 0000 add byte ptr ds:[eax],al 004012E2 . 0000 add byte ptr ds:[eax],al 004012E4 . 3000 xor byte ptr ds:[eax],al 004012E6 . 0000 add byte ptr ds:[eax],al 004012E8 . 48 dec eax 004012E9 . 0000 add byte ptr ds:[eax],al 004012EB . 0000 add byte ptr ds:[eax],al 004012ED . 0000 add byte ptr ds:[eax],al 004012EF . 008C4C 4B938D>add byte ptr ss:[esp+ecx*2-0x2A726CB5],c> 004012F6 . B3 45 mov bl,0x45 |
GetVersion特殊法
在命令行输入at GetVersion(此方法适用于北斗3.0之前的壳),即可定位到下列地址段:
7C81126A > 64:A1 18000000 mov eax,dword ptr fs:[0x18] 7C811270 8B48 30 mov ecx,dword ptr ds:[eax+0x30] 7C811273 8B81 B0000000 mov eax,dword ptr ds:[ecx+0xB0] 7C811279 0FB791 AC000000 movzx edx,word ptr ds:[ecx+0xAC] 7C811280 83F0 FE xor eax,-0x2 7C811283 C1E0 0E shl eax,0xE 7C811286 0BC2 or eax,edx 7C811288 C1E0 08 shl eax,0x8 7C81128B 0B81 A8000000 or eax,dword ptr ds:[ecx+0xA8] 7C811291 C1E0 08 shl eax,0x8 7C811294 0B81 A4000000 or eax,dword ptr ds:[ecx+0xA4] 7C81129A C3 retn //在这下断点,直接F9运行停在这,取消断点,单步运行 |
0042481F /. 55 push ebp //OEP在这 00424820 |. 8BEC mov ebp,esp 00424822 |. 6A FF push -0x1 00424824 |. 68 C8674400 push nspack_1.004467C8 00424829 |. 68 CC3C4200 push nspack_1.00423CCC 0042482E |. 64:A1 0000000>mov eax,dword ptr fs:[0] 00424834 |. 50 push eax 00424835 |. 64:8925 00000>mov dword ptr fs:[0],esp 0042483C |. 83EC 58 sub esp,0x58 0042483F |. 53 push ebx 00424840 |. 56 push esi 00424841 |. 57 push edi 00424842 |. 8965 E8 mov [local.6],esp 00424845 |. FF15 A0224400 call dword ptr ds:[0x4422A0] kernel32.GetVersion 0042484B |. 33D2 xor edx,edx //单步会到这里,向上拉就可以看到OEP |