├── CPeParser.cpp
├── CPeParser.h
├── README.md
├── decode.asm
├── decode.obj
├── hello15pb.exe
├── hello15pb_pb.exe
├── unpack02.cpp
├── unpack02.sln
├── unpack02.vcxproj
└── unpack02.vcxproj.user
/CPeParser.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lantie/unpack02/21d3a4c22a2115030f8100947bd913e5028c1f5c/CPeParser.cpp
--------------------------------------------------------------------------------
/CPeParser.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lantie/unpack02/21d3a4c22a2115030f8100947bd913e5028c1f5c/CPeParser.h
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # unpack02
2 | upx静态脱壳机源码
3 |
4 | # 说明
5 | 本代码是15pb的一个小项目,Upx静态脱壳机的源码,通过分析upx壳代码,我们可以完成这个项目。
6 | 代码思路:
7 | ① 读取文件到内存
8 | 映射PE头到内存
9 | 映射每一个区段到内存
10 | ② 解密内存中的代码和数据
11 | 计算src和dest
12 | 调用解压缩函数
13 | ③ 在内存中获取IAT,获取导入表相关信息,还原导入表
14 | 找到原PE文件的导入表结构
15 | 修复导入表结构、IAT
16 | ④ dump内存
17 | 修正区段、oep,保存文件
18 |
19 | # 广告
20 | 逆向最有趣的就是突破自己,如果你也想突破自己,来15PB吧,学习真正的信息安全技术! http://www.15pb.com.cn/
21 |
--------------------------------------------------------------------------------
/decode.asm:
--------------------------------------------------------------------------------
1 | .386
2 | .model flat, stdcall ;32 bit memory model
3 | option casemap :none ;case sensitive
4 |
5 | include windows.inc
6 | include kernel32.inc
7 | include user32.inc
8 | include shell32.inc
9 | include msvcrt.inc
10 |
11 | includelib kernel32.lib
12 | includelib user32.lib
13 | includelib shell32.lib
14 | includelib msvcrt.lib
15 |
16 | decompress PROTO :DWORD,:DWORD
17 |
18 |
19 | .data?
20 |
21 | hInstance dd ?
22 |
23 | .code
24 |
25 | ;FixIAT proc codeBaseAddr:DWORD,iatAddr:DWORD
26 | ;
27 | ; pushad
28 | ; esi
29 | ;
30 | ; lea edi, [esi+37000h]
31 | ;
32 | ;loc_43ADDC: ; CODE XREF: UPX1:0043ADFE�j
33 | ; mov eax, [edi]
34 | ; or eax, eax
35 | ; jz short loc_43AE27
36 | ; mov ebx, [edi+4]
37 | ; add ebx, esi
38 | ; push eax
39 | ; add edi, 8
40 | ; call LoadLibraryA
41 | ; xchg eax, ebp
42 | ;
43 | ;loc_43ADF9: ; CODE XREF: UPX1:0043AE1F�j
44 | ; mov al, [edi]
45 | ; inc edi
46 | ; or al, al
47 | ; jz short loc_43ADDC
48 | ; mov ecx, edi
49 | ; jns short near ptr loc_43AE0A+1
50 | ; movzx eax, word ptr [edi]
51 | ; inc edi
52 | ; push eax
53 | ; inc edi
54 | ;
55 | ;loc_43AE0A: ; CODE XREF: UPX1:0043AE02�j
56 | ; mov ecx, 0AEF24857h
57 | ; push ebp
58 | ; call GetProcAddress
59 | ; or eax, eax
60 | ; jz short loc_43AE21
61 | ; mov [ebx], eax
62 | ; add ebx, 4
63 | ; jmp short loc_43ADF9
64 | ;; ---------------------------------------------------------------------------
65 | ;
66 | ;FixIAT endp
67 |
68 |
69 | decompress proc src:DWORD,dest:DWORD
70 |
71 | start:
72 | pushad
73 | mov esi, src
74 | mov edi, dest
75 | push edi
76 | or ebp, 0FFFFFFFFh
77 | jmp short loc_43ACF2
78 | ; ---------------------------------------------------------------------------
79 | ;align 8
80 |
81 | loc_43ACE8: ; CODE XREF: UPX1:loc_43ACF9�j
82 | mov al, [esi]
83 | inc esi
84 | mov [edi], al
85 | inc edi
86 |
87 | loc_43ACEE: ; CODE XREF: UPX1:0043AD86�j
88 | ; UPX1:0043AD9D�j
89 | add ebx, ebx
90 | jnz short loc_43ACF9
91 |
92 | loc_43ACF2: ; CODE XREF: UPX1:0043ACE0�j
93 | mov ebx, [esi]
94 | sub esi, 0FFFFFFFCh
95 | adc ebx, ebx
96 |
97 | loc_43ACF9: ; CODE XREF: UPX1:0043ACF0�j
98 | jb short loc_43ACE8
99 | mov eax, 1
100 |
101 | loc_43AD00: ; CODE XREF: UPX1:0043AD0F�j
102 | ; UPX1:0043AD1A�j
103 | add ebx, ebx
104 | jnz short loc_43AD0B
105 | mov ebx, [esi]
106 | sub esi, 0FFFFFFFCh
107 | adc ebx, ebx
108 |
109 | loc_43AD0B: ; CODE XREF: UPX1:0043AD02�j
110 | adc eax, eax
111 | add ebx, ebx
112 | jnb short loc_43AD00
113 | jnz short loc_43AD1C
114 | mov ebx, [esi]
115 | sub esi, 0FFFFFFFCh
116 | adc ebx, ebx
117 | jnb short loc_43AD00
118 |
119 | loc_43AD1C: ; CODE XREF: UPX1:0043AD11�j
120 | xor ecx, ecx
121 | sub eax, 3
122 | jb short loc_43AD30
123 | shl eax, 8
124 | mov al, [esi]
125 | inc esi
126 | xor eax, 0FFFFFFFFh
127 | jz short loc_43ADA2
128 | mov ebp, eax
129 |
130 | loc_43AD30: ; CODE XREF: UPX1:0043AD21�j
131 | add ebx, ebx
132 | jnz short loc_43AD3B
133 | mov ebx, [esi]
134 | sub esi, 0FFFFFFFCh
135 | adc ebx, ebx
136 |
137 | loc_43AD3B: ; CODE XREF: UPX1:0043AD32�j
138 | adc ecx, ecx
139 | add ebx, ebx
140 | jnz short loc_43AD48
141 | mov ebx, [esi]
142 | sub esi, 0FFFFFFFCh
143 | adc ebx, ebx
144 |
145 | loc_43AD48: ; CODE XREF: UPX1:0043AD3F�j
146 | adc ecx, ecx
147 | jnz short loc_43AD6C
148 | inc ecx
149 |
150 | loc_43AD4D: ; CODE XREF: UPX1:0043AD5C�j
151 | ; UPX1:0043AD67�j
152 | add ebx, ebx
153 | jnz short loc_43AD58
154 | mov ebx, [esi]
155 | sub esi, 0FFFFFFFCh
156 | adc ebx, ebx
157 |
158 | loc_43AD58: ; CODE XREF: UPX1:0043AD4F�j
159 | adc ecx, ecx
160 | add ebx, ebx
161 | jnb short loc_43AD4D
162 | jnz short loc_43AD69
163 | mov ebx, [esi]
164 | sub esi, 0FFFFFFFCh
165 | adc ebx, ebx
166 | jnb short loc_43AD4D
167 |
168 | loc_43AD69: ; CODE XREF: UPX1:0043AD5E�j
169 | add ecx, 2
170 |
171 | loc_43AD6C: ; CODE XREF: UPX1:0043AD4A�j
172 | cmp ebp, 0FFFFF300h
173 | adc ecx, 1
174 | lea edx, [edi+ebp]
175 | cmp ebp, 0FFFFFFFCh
176 | jbe short loc_43AD8C
177 |
178 | loc_43AD7D: ; CODE XREF: UPX1:0043AD84�j
179 | mov al, [edx]
180 | inc edx
181 | mov [edi], al
182 | inc edi
183 | dec ecx
184 | jnz short loc_43AD7D
185 | jmp loc_43ACEE
186 | ; ---------------------------------------------------------------------------
187 | align 4
188 |
189 | loc_43AD8C: ; CODE XREF: UPX1:0043AD7B�j
190 | ; UPX1:0043AD99�j
191 | mov eax, [edx]
192 | add edx, 4
193 | mov [edi], eax
194 | add edi, 4
195 | sub ecx, 4
196 | ja short loc_43AD8C
197 | add edi, ecx
198 | jmp loc_43ACEE
199 | ; ---------------------------------------------------------------------------
200 |
201 | loc_43ADA2: ; CODE XREF: UPX1:0043AD2C�j
202 | pop esi
203 | mov edi, esi
204 | mov ecx, 0C0Fh
205 |
206 | loc_43ADAA: ; CODE XREF: UPX1:0043ADB1�j
207 | ; UPX1:0043ADB6�j
208 | mov al, [edi]
209 | inc edi
210 | sub al, 0E8h
211 |
212 | loc_43ADAF: ; CODE XREF: UPX1:0043ADD4�j
213 | cmp al, 1
214 | ja short loc_43ADAA
215 | cmp byte ptr [edi], 11h
216 | jnz short loc_43ADAA
217 | mov eax, [edi]
218 | mov bl, [edi+4]
219 | shr ax, 8
220 | rol eax, 10h
221 | xchg al, ah
222 | sub eax, edi
223 | sub bl, 0E8h
224 | add eax, esi
225 | mov [edi], eax
226 | add edi, 5
227 | mov al, bl
228 | loop loc_43ADAF
229 | popad
230 |
231 | ret
232 |
233 | decompress endp
234 |
235 |
236 | end
237 |
--------------------------------------------------------------------------------
/decode.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lantie/unpack02/21d3a4c22a2115030f8100947bd913e5028c1f5c/decode.obj
--------------------------------------------------------------------------------
/hello15pb.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lantie/unpack02/21d3a4c22a2115030f8100947bd913e5028c1f5c/hello15pb.exe
--------------------------------------------------------------------------------
/hello15pb_pb.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lantie/unpack02/21d3a4c22a2115030f8100947bd913e5028c1f5c/hello15pb_pb.exe
--------------------------------------------------------------------------------
/unpack02.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lantie/unpack02/21d3a4c22a2115030f8100947bd913e5028c1f5c/unpack02.cpp
--------------------------------------------------------------------------------
/unpack02.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.27703.2000
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unpack02", "unpack02.vcxproj", "{88576CD6-AFDD-40FE-A5A9-97AED3629E32}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {88576CD6-AFDD-40FE-A5A9-97AED3629E32}.Debug|x64.ActiveCfg = Debug|x64
17 | {88576CD6-AFDD-40FE-A5A9-97AED3629E32}.Debug|x64.Build.0 = Debug|x64
18 | {88576CD6-AFDD-40FE-A5A9-97AED3629E32}.Debug|x86.ActiveCfg = Debug|Win32
19 | {88576CD6-AFDD-40FE-A5A9-97AED3629E32}.Debug|x86.Build.0 = Debug|Win32
20 | {88576CD6-AFDD-40FE-A5A9-97AED3629E32}.Release|x64.ActiveCfg = Release|x64
21 | {88576CD6-AFDD-40FE-A5A9-97AED3629E32}.Release|x64.Build.0 = Release|x64
22 | {88576CD6-AFDD-40FE-A5A9-97AED3629E32}.Release|x86.ActiveCfg = Release|Win32
23 | {88576CD6-AFDD-40FE-A5A9-97AED3629E32}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {35E21EE3-1F50-47AD-824D-47B563EE8816}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/unpack02.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 15.0
23 | {88576CD6-AFDD-40FE-A5A9-97AED3629E32}
24 | Win32Proj
25 | unpack02
26 | 10.0.17134.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v141
33 | Unicode
34 | Static
35 |
36 |
37 | Application
38 | false
39 | v141
40 | true
41 | Unicode
42 |
43 |
44 | Application
45 | true
46 | v141
47 | Unicode
48 |
49 |
50 | Application
51 | false
52 | v141
53 | true
54 | Unicode
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | true
76 |
77 |
78 | true
79 |
80 |
81 | false
82 |
83 |
84 | false
85 |
86 |
87 |
88 | NotUsing
89 | Level3
90 | Disabled
91 | true
92 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
93 | true
94 |
95 |
96 | Console
97 | true
98 | /NODEFAULTLIB:library %(AdditionalOptions)
99 | msvcrt.lib
100 |
101 |
102 |
103 |
104 | Use
105 | Level3
106 | Disabled
107 | true
108 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
109 | true
110 |
111 |
112 | Console
113 | true
114 |
115 |
116 |
117 |
118 | Use
119 | Level3
120 | MaxSpeed
121 | true
122 | true
123 | true
124 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
125 | true
126 |
127 |
128 | Console
129 | true
130 | true
131 | true
132 |
133 |
134 |
135 |
136 | Use
137 | Level3
138 | MaxSpeed
139 | true
140 | true
141 | true
142 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
143 | true
144 |
145 |
146 | Console
147 | true
148 | true
149 | true
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 |
165 |
--------------------------------------------------------------------------------
/unpack02.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------