Introduction to unpacking the nspack 3.5 main program
XP SP2
FlyODbg
Aspr SKE 2.X
Once again, the focus is on the analysis; unnecessary steps are skipped.
Come on, let's go.
1. PEiD is not needed; load the file in LordPE first.
There are three unnamed sections before .rsrc; one can guess they are .text, .rdata and .data, i.e. a VC program.
2. Check whether it runs under OD.
OD loads nspack.exe; ignore all exceptions, clear all breakpoints, and enable the IsDebuggerPresent plug-in.
F9 to run, gogogo~
It runs normally. Alt+E: check the loaded DLLs. msvcrt.dll is listed, and no MFC DLL is found.
So it is plain VC or statically linked MFC, I guess.
3. Find the OEP
Reload in OD; ignore all..., clear..., add the plug-in... as before.
Set a breakpoint on the retn at the end of GetVersion:
7C8114AB kernel32.GetVersion 64:A1 18000000 mov eax, dword ptr fs:[18]
7C8114B1 8B48 30 mov ecx, dword ptr ds:[eax+30]
7C8114B4 8B81 B0000000 mov eax, dword ptr ds:[ecx+B0]
7C8114BA 0FB791 AC000000 movzx edx, word ptr ds:[ecx+AC]
7C8114C1 83F0 FE xor eax, FFFFFFFE
7C8114C4 C1E0 0E shl eax, 0E
7C8114C7 0BC2 or eax, edx
7C8114C9 C1E0 08 shl eax, 8
7C8114CC 0B81 A8000000 or eax, dword ptr ds:[ecx+A8]
7C8114D2 C1E0 08 shl eax, 8
7C8114D5 0B81 A4000000 or eax, dword ptr ds:[ecx+A4]
7C8114DB C3 retn ; break here
F9 to run, it breaks; F8 to return, scroll up, and there is the OEP:
00486C68 55 push ebp
00486C69 8BEC mov ebp, esp
00486C6B 6A FF push -1
00486C6D 68 38FB4A00 push nSpack.004AFB38
00486C72 68 50554800 push nSpack.00485550
00486C77 64:A1 00000000 mov eax, dword ptr fs:[0]
00486C7D 50 push eax
00486C7E 64:8925 00000000 mov dword ptr fs:[0], esp
00486C85 83EC 58 sub esp, 58
00486C88 53 push ebx
00486C89 56 push esi
00486C8A 57 push edi
00486C8B 8965 E8 mov dword ptr ss:[ebp-18], esp
00486C8E FF15 6C724A00 call dword ptr ds:[4A726C] ; kernel32.GetVersion
00486C94 33D2 xor edx, edx
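The prologue above (push ebp / mov ebp,esp / push -1 / two push imm32 / fs:[0] SEH setup / sub esp / push ebx,esi,edi / mov [ebp-18],esp) is the standard VC6 CRT entry, which is why it is recognisable as the OEP. As an added example that is not part of the original tutorial, the script below finds that prologue in a dumped code buffer with a wildcard signature and decodes the first FF15 call after it to recover the IAT slot (the GetVersion thunk); the sample buffer, its base address and the int3 padding are constructed here from the listing above.

```python
# Added example: locate the VC6 CRT entry prologue in a code dump and decode the
# first indirect call after it. Not code from the original post.
import re
from typing import Optional, Tuple

# VC6 mainCRTStartup prologue. The two push imm32 operands and the
# sub esp,imm8 size differ per binary, so they are wildcards.
VC6_PROLOGUE = (
    "55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? "
    "64 A1 00 00 00 00 50 64 89 25 00 00 00 00 "
    "83 EC ?? 53 56 57 89 65 E8"
)

def pattern_to_regex(sig: str) -> re.Pattern:
    """Turn 'AA ?? BB' into a bytes regex; '??' matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def find_vc6_oep(code: bytes, base_va: int) -> Optional[int]:
    """Return the VA of the first VC6 prologue in `code` (mapped at base_va)."""
    m = pattern_to_regex(VC6_PROLOGUE).search(code)
    return base_va + m.start() if m else None

def decode_iat_call(code: bytes, start: int, window: int = 64) -> Optional[Tuple[int, int]]:
    """Find the first FF 15 disp32 (call dword ptr [abs]) at or after `start`
    and return (offset_in_code, absolute IAT slot address)."""
    i = code.find(b"\xff\x15", start, start + window)
    if i < 0 or i + 6 > len(code):
        return None
    slot = int.from_bytes(code[i + 2:i + 6], "little")
    return i, slot

# Constructed sample (assumption): 16 bytes of int3 padding followed by the
# OEP bytes transcribed from the listing above, so the OEP sits at 0x00486C68.
SAMPLE_BASE = 0x00486C58
SAMPLE = b"\xcc" * 16 + bytes.fromhex(
    "55 8BEC 6AFF 6838FB4A00 6850554800 64A100000000 50"
    "648925 00000000 83EC58 53 56 57 8965E8 FF156C724A00 33D2"
)

if __name__ == "__main__":
    oep = find_vc6_oep(SAMPLE, SAMPLE_BASE)
    print(f"OEP candidate: {oep:#010x}")  # 0x00486c68
    off, slot = decode_iat_call(SAMPLE, oep - SAMPLE_BASE)
    print(f"first IAT call at {SAMPLE_BASE + off:#010x} -> [{slot:#010x}]")
```

On a real dump the base address comes from the section header of the dumped region, and the recovered slot address is the one to rebuild with ImportREC.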