幻影之旅――[DBPE 2.x -> Ding Boy & zer0]流程攻略
补上IAT-part7 & 地址表part8 |
幻影之旅――[DBPE 2.x -> Ding Boy & zer0]流程攻略
在5楼贴上part 5 |
EncryptPE是病毒?这里有没有反病毒公司的人啊?
最初由 辉仔Yock 发布 Borland无耻的包上了VCL的缘故吧:D |
幻影之旅――[DBPE 2.x -> Ding Boy & zer0]流程攻略
[最后的战役]:) ; ------------------------------------------------------最后的战役 003B174E 8B85 DBCE4100 mov eax, dword ptr ss:[ebp+41CEDB] ; kernel32.CreateFileA 003B1759 8985 A0FA4100 mov dword ptr ss:[ebp+41FAA0], eax ; kernel32.CreateFileA 003B177B 8B85 CFCE4100 mov eax, dword ptr ss:[ebp+41CECF] ; kernel32.ReadFile 003B1786 8985 A4FA4100 mov dword ptr ss:[ebp+41FAA4], eax ; kernel32.ReadFile 003B1796 8B85 DFCE4100 mov eax, dword ptr ss:[ebp+41CEDF] ; kernel32.WriteFile 003B17A1 8985 A8FA4100 mov dword ptr ss:[ebp+41FAA8], eax ; kernel32.WriteFile 003B17D9 8B85 CBCE4100 mov eax, dword ptr ss:[ebp+41CECB] ; kernel32.SetFilePointer 003B17F6 8985 ACFA4100 mov dword ptr ss:[ebp+41FAAC], eax ; kernel32.SetFilePointer 003B182E 8B85 E3CE4100 mov eax, dword ptr ss:[ebp+41CEE3] ; kernel32.CloseHandle 003B184B 8985 B0FA4100 mov dword ptr ss:[ebp+41FAB0], eax ; kernel32.CloseHandle 003B1895 8B85 EFCE4100 mov eax, dword ptr ss:[ebp+41CEEF] ; kernel32.DeleteFileA 003B18A0 8985 B4FA4100 mov dword ptr ss:[ebp+41FAB4], eax ; kernel32.DeleteFileA 003B18F4 8D85 DC5C4000 lea eax, dword ptr ss:[ebp+405CDC] ; 最后来个int3,还原中断向量 003B1949 60 pushad 003B194F B8 534E5552 mov eax, 52554E53 003B1959 BB 0ECA4100 mov ebx, 41CA0E 003B1975 03DD add ebx, ebp 003B197C CC int3; 收尾 003B1982 61 popad 003B198D 80BD F0344200 0>cmp byte ptr ss:[ebp+4234F0], 1 ; NT? 
释放驱动,我们用来夺取ring0的嘛 003B1994 /0F85 93010000 jnz 003B1B2D 003B19C7 8D85 E35C4000 lea eax, dword ptr ss:[ebp+405CE3]; 垃圾 003B1A37 FFB5 546C4000 push dword ptr ss:[ebp+406C54] ; 驱动句柄 003B1A3D FF95 50724000 call dword ptr ss:[ebp+407250] ; kernel32.CloseHandle 003B1A89 FFB5 586C4000 push dword ptr ss:[ebp+406C58] ; 服务 003B1A8F FF95 DD724000 call dword ptr ss:[ebp+4072DD] ; advapi32.CloseServiceHandle 003B1AEF FFB5 3A6C4000 push dword ptr ss:[ebp+406C3A] 003B1AF5 FF95 DD724000 call dword ptr ss:[ebp+4072DD] ; advapi32.CloseServiceHandle ; 解密OEP~~~ 003B1B5F 8B85 F8D54100 mov eax, dword ptr ss:[ebp+41D5F8] 003B1B81 53 push ebx ; Try.00418000 003B1BAF 51 push ecx ; advapi32.77DA214E 003B1BC7 52 push edx 003B1BC8 33D2 xor edx, edx 003B1BCF B9 20000000 mov ecx, 20 003B1BD4 33DB xor ebx, ebx ; Try.00418000 003B1BD6 D1F8 sar eax, 1 003B1BDD 0F92C3 setb bl 003B1BE0 D3E3 shl ebx, cl 003B1BE7 03D3 add edx, ebx 003B1BE9 ^\E2 E9 loopd short 003B1BD4 003B1BEB 8BC2 mov eax, edx 003B1C04 5A pop edx 003B1C05 59 pop ecx 003B1C0B 5B pop ebx ; Try.00418000 003B1C43 8B9D DCD34100 mov ebx, dword ptr ss:[ebp+41D3DC] ; Try.00400000 003B1C76 03C3 add eax, ebx ; Try.00400000 ; now eax is 0040E2FD, the OEP :),可以直接Dump修正...我们走完吧 003B1C7D 8985 3BD64100 mov dword ptr ss:[ebp+41D63B], eax ; Try.0040E2FD 003B1CD1 80BD 24D64100 0>cmp byte ptr ss:[ebp+41D624], 1 003B1CD8 0F85 04010000 jnz 003B1DE2 ; 跳了,不知道跳过什么冬冬 003B1DF9 /E9 C4000000 jmp 003B1EC2 003B1EE3 8D85 E45C4000 lea eax, dword ptr ss:[ebp+405CE4] 003B1F0B C785 55384200 0>mov dword ptr ss:[ebp+423855], 0 003B1F1A 8BC5 mov eax, ebp 003B1F21 5B pop ebx 003B1F22 59 pop ecx 003B1F23 5A pop edx 003B1F24 5E pop esi 003B1F25 5F pop edi 003B1F26 5D pop ebp 003B1F3E 9D popfd 003B1F6D FFB0 3BD64100 push dword ptr ds:[eax+41D63B] 003B1F78 C780 3BD64100 0>mov dword ptr ds:[eax+41D63B], 0 003B1FAF /E9 CE620000 jmp 003B8282 003B8287 56 push esi ; ntdll.77F57D70 003B82B5 51 push ecx 003B82BB BE CD584000 mov esi, 4058CD 003B82C5 03F0 add esi, eax 003B82CC B9 
82820100 mov ecx, 18282 003B8330 C606 00 mov byte ptr ds:[esi], 0 ; erase the loader 003B8338 46 inc esi 003B833E 49 dec ecx 003B8356 83F9 00 cmp ecx, 0 003B8359 ^ 75 A8 jnz short 003B8303 003B839F 59 pop ecx ; 0012FFB0 003B83B7 5E pop esi 003B83CF /E9 81390000 jmp 003BBD55 003BBD55 60 pushad 003BBD56 8BF0 mov esi, eax 003BBD58 B8 4A344200 mov eax, 42344A 003BBD5D 03C6 add eax, esi 003BBD5F BB 59384200 mov ebx, 423859 003BBD64 03DE add ebx, esi 003BBD66 803B 00 cmp byte ptr ds:[ebx], 0 003BBD69 74 0C je short 003BBD77 003BBD6B 6A 00 push 0 003BBD6D 50 push eax 003BBD6E 53 push ebx 003BBD6F 6A 00 push 0 003BBD71 FF96 55384200 call dword ptr ds:[esi+423855] 003BBD77 61 popad 003BBD78 58 pop eax 003BBD79 83F8 FF cmp eax, -1 003BBD7C 75 05 jnz short 003BBD83 003BBD7E 33C0 xor eax, eax 003BBD80 C2 0C00 retn 0C 003BBD83 FFE0 jmp eax ; 飞向光明之巅!!! 0040E2FD 55 push ebp ; Dump & Fix Dump .优化一下即可 0040E2FE 8BEC mov ebp, esp 0040E300 6A FF push -1 0040E302 68 F83A4100 push Try.00413AF8 0040E307 68 84E44000 push Try.0040E484 ; jmp to msvcrt._except_handler3 0040E30C 64:A1 00000000 mov eax, dword ptr fs:[0] ......... 
; 这是IAT,ImportRec可以全部找到,因为修改了Magic Jump,所以都有效。 OEP: 0000E2FD IATRVA: 00011000 IATSize: 000003B8 FThunk: 00011000 NbFunc: 00000005 1 00011000 advapi32.dll 01CD RegCreateKeyExA 1 00011004 advapi32.dll 01E2 RegOpenKeyExA 1 00011008 advapi32.dll 01D9 RegEnumValueA 1 0001100C advapi32.dll 01F9 RegSetValueExA 1 00011010 advapi32.dll 01C9 RegCloseKey FThunk: 00011018 NbFunc: 00000003 1 00011018 gdi32.dll 0196 GetObjectA 1 0001101C gdi32.dll 002E CreateCompatibleDC 1 00011020 gdi32.dll 0013 BitBlt FThunk: 00011028 NbFunc: 00000017 1 00011028 kernel32.dll 0385 WriteFile 1 0001102C kernel32.dll 0374 WaitForSingleObject 1 00011030 kernel32.dll 0185 GetOverlappedResult 1 00011034 kernel32.dll 004A CreateEventA 1 00011038 kernel32.dll 0030 CloseHandle 1 0001103C kernel32.dll 004E CreateFileA 1 00011040 kernel32.dll 0162 GetLastError 1 00011044 kernel32.dll 00AF EscapeCommFunction 1 00011048 kernel32.dll 0101 GetCommState 1 0001104C kernel32.dll 0284 PurgeComm 1 00011050 kernel32.dll 02CB SetCommMask 1 00011054 kernel32.dll 02CC SetCommState 1 00011058 kernel32.dll 02CD SetCommTimeouts 1 0001105C kernel32.dll 0334 SetupComm 1 00011060 kernel32.dll 0084 DeviceIoControl 1 00011064 kernel32.dll 01D5 GetVersionExA 1 00011068 kernel32.dll 016D GetModuleFileNameA 1 0001106C kernel32.dll 016F GetModuleHandleA 1 00011070 kernel32.dll 01D7 GetVolumeInformationA 1 00011074 kernel32.dll 01B5 GetSystemTime 1 00011078 kernel32.dll 01A6 GetStartupInfoA 1 0001107C kernel32.dll 002E ClearCommError 1 00011080 kernel32.dll 029D ReadFile FThunk: 00011088 NbFunc: 0000009D 1 00011088 mfc42.dll 0BA9 1 0001108C mfc42.dll 0BA6 1 00011090 mfc42.dll 13C9 1 00011094 mfc42.dll 06BF 1 00011098 mfc42.dll 148D 1 0001109C mfc42.dll 098E 1 000110A0 mfc42.dll 084C 1 000110A4 mfc42.dll 1479 1 000110A8 mfc42.dll 0BA6 1 000110AC mfc42.dll 0BA6 1 000110B0 mfc42.dll 0BA6 1 000110B4 mfc42.dll 06F0 1 000110B8 mfc42.dll 0C40 1 000110BC mfc42.dll 0807 1 000110C0 mfc42.dll 18E8 1 000110C4 mfc42.dll 0C09 1 000110C8 
mfc42.dll 0BA0 1 000110CC mfc42.dll 0EF6 1 000110D0 mfc42.dll 0EF1 1 000110D4 mfc42.dll 0EF1 1 000110D8 mfc42.dll 0BA6 1 000110DC mfc42.dll 0FF0 1 000110E0 mfc42.dll 1213 1 000110E4 mfc42.dll 1149 1 000110E8 mfc42.dll 0E0D 1 000110EC mfc42.dll 0144 1 000110F0 mfc42.dll 0281 1 000110F4 mfc42.dll 108A 1 000110F8 mfc42.dll 0CBE 1 000110FC mfc42.dll 08F1 1 00011100 mfc42.dll 1021 1 00011104 mfc42.dll 03AB 1 00011108 mfc42.dll 0B02 1 0001110C mfc42.dll 0A36 1 00011110 mfc42.dll 0490 1 00011114 mfc42.dll 0219 1 00011118 mfc42.dll 0486 1 0001111C mfc42.dll 03AD 1 00011120 mfc42.dll 1613 1 00011124 mfc42.dll 0C37 1 00011128 mfc42.dll 0E20 1 0001112C mfc42.dll 0299 1 00011130 mfc42.dll 07BB 1 00011134 mfc42.dll 18F1 1 00011138 mfc42.dll 1442 1 0001113C mfc42.dll 015E 1 00011140 mfc42.dll 0162 1 00011144 mfc42.dll 04B0 1 00011148 mfc42.dll 18BE 1 0001114C mfc42.dll 16E0 1 00011150 mfc42.dll 0A52 1 00011154 mfc42.dll 175D 1 00011158 mfc42.dll 0C14 1 0001115C mfc42.dll 1542 1 00011160 mfc42.dll 1837 1 00011164 mfc42.dll 1A7A 1 00011168 mfc42.dll 188B 1 0001116C mfc42.dll 19F8 1 00011170 mfc42.dll 0942 1 00011174 mfc42.dll 12E5 1 00011178 mfc42.dll 10B2 1 0001117C mfc42.dll 18E7 1 00011180 mfc42.dll 1186 1 00011184 mfc42.dll 1159 1 00011188 mfc42.dll 0A58 1 0001118C mfc42.dll 1663 1 00011190 mfc42.dll 0F52 1 00011194 mfc42.dll 0441 1 00011198 mfc42.dll 144F 1 0001119C mfc42.dll 095C 1 000111A0 mfc42.dll 0D12 1 000111A4 mfc42.dll 14B4 1 000111A8 mfc42.dll 14B6 1 000111AC mfc42.dll 0AA5 1 000111B0 mfc42.dll 0FEF 1 000111B4 mfc42.dll 125A 1 000111B8 mfc42.dll 14BB 1 000111BC mfc42.dll 14A9 1 000111C0 mfc42.dll 1652 1 000111C4 mfc42.dll 120E 1 000111C8 mfc42.dll 1148 1 000111CC mfc42.dll 0E9A 1 000111D0 mfc42.dll 0231 1 000111D4 mfc42.dll 032F 1 000111D8 mfc42.dll 035C 1 000111DC mfc42.dll 0A3D 1 000111E0 mfc42.dll 046E 1 000111E4 mfc42.dll 096B 1 000111E8 mfc42.dll 0BA6 1 000111EC mfc42.dll 06F0 1 000111F0 mfc42.dll 112C 1 000111F4 mfc42.dll 14AA 1 000111F8 mfc42.dll 0D4A 1 
000111FC mfc42.dll 0DF6 1 00011200 mfc42.dll 047A 1 00011204 mfc42.dll 0237 1 00011208 mfc42.dll 08FB 1 0001120C mfc42.dll 08FE 1 00011210 mfc42.dll 06F7 1 00011214 mfc42.dll 1040 1 00011218 mfc42.dll 0B2F 1 0001121C mfc42.dll 094B 1 00011220 mfc42.dll 0DF3 1 00011224 mfc42.dll 0E2A 1 00011228 mfc42.dll 096E 1 0001122C mfc42.dll 02F3 1 00011230 mfc42.dll 01D6 1 00011234 mfc42.dll 0280 1 00011238 mfc42.dll 1699 1 0001123C mfc42.dll 0668 1 00011240 mfc42.dll 0143 1 00011244 mfc42.dll 0669 1 00011248 mfc42.dll 0B2B 1 0001124C mfc42.dll 0A5C 1 00011250 mfc42.dll 1631 1 00011254 mfc42.dll 0685 1 00011258 mfc42.dll 0CF6 1 0001125C mfc42.dll 10B5 1 00011260 mfc42.dll 168D 1 00011264 mfc42.dll 039E 1 00011268 mfc42.dll 021C 1 0001126C mfc42.dll 0E4F 1 00011270 mfc42.dll 19AB 1 00011274 mfc42.dll 074F 1 00011278 mfc42.dll 0337 1 0001127C mfc42.dll 0339 1 00011280 mfc42.dll 0320 1 00011284 mfc42.dll 0ED6 1 00011288 mfc42.dll 14A0 1 0001128C mfc42.dll 1101 1 00011290 mfc42.dll 18E6 1 00011294 mfc42.dll 142B 1 00011298 mfc42.dll 0951 1 0001129C mfc42.dll 1479 1 000112A0 mfc42.dll 1137 1 000112A4 mfc42.dll 06EF 1 000112A8 mfc42.dll 0EF1 1 000112AC mfc42.dll 17A4 1 000112B0 mfc42.dll 09D2 1 000112B4 mfc42.dll 1266 1 000112B8 mfc42.dll 0A18 1 000112BC mfc42.dll 12F5 1 000112C0 mfc42.dll 1118 1 000112C4 mfc42.dll 1479 1 000112C8 mfc42.dll 184F 1 000112CC mfc42.dll 10B6 1 000112D0 mfc42.dll 164E 1 000112D4 mfc42.dll 035A 1 000112D8 mfc42.dll 039A 1 000112DC mfc42.dll 0217 1 000112E0 mfc42.dll 106C 1 000112E4 mfc42.dll 09FA 1 000112E8 mfc42.dll 09D0 1 000112EC mfc42.dll 0B67 1 000112F0 mfc42.dll 1241 1 000112F4 mfc42.dll 0261 1 000112F8 mfc42.dll 0628 FThunk: 00011300 NbFunc: 0000001E 1 00011300 msvcrt.dll 00EE _except_handler3 1 00011304 msvcrt.dll 009A __set_app_type 1 00011308 msvcrt.dll 0087 __p__fmode 1 0001130C msvcrt.dll 0082 __p__commode 1 00011310 msvcrt.dll 00B7 _adjust_fdiv 1 00011314 msvcrt.dll 009C __setusermatherr 1 00011318 msvcrt.dll 013B _initterm 1 0001131C 
msvcrt.dll 006F __getmainargs 1 00011320 msvcrt.dll 00A9 _acmdln 1 00011324 msvcrt.dll 0290 exit 1 00011328 msvcrt.dll 0050 _XcptFilter 1 0001132C msvcrt.dll 00F7 _exit 1 00011330 msvcrt.dll 01B4 _onexit 1 00011334 msvcrt.dll 006C __dllonexit 1 00011338 msvcrt.dll 0284 atoi 1 0001133C msvcrt.dll 018C _mbsicmp 1 00011340 msvcrt.dll 02FB srand 1 00011344 msvcrt.dll 02ED rand 1 00011348 msvcrt.dll 02D8 malloc 1 0001134C msvcrt.dll 02A5 free 1 00011350 msvcrt.dll 00D7 _controlfp 1 00011354 msvcrt.dll 0317 time 1 00011358 msvcrt.dll 0307 strncmp 1 0001135C msvcrt.dll 0160 _itoa 1 00011360 msvcrt.dll 0054 __CxxFrameHandler 1 00011364 msvcrt.dll 0186 _mbscmp 1 00011368 msvcrt.dll 02F9 sprintf 1 0001136C msvcrt.dll 030A strrchr 1 00011370 msvcrt.dll 0308 strncpy 1 00011374 msvcrt.dll 01DE _setmbcp FThunk: 0001137C NbFunc: 00000001 1 0001137C netapi32.dll 0100 Netbios FThunk: 00011384 NbFunc: 0000000C 1 00011384 user32.dll 010D GetDC 1 00011388 user32.dll 01B6 LoadBitmapA 1 0001138C user32.dll 01A7 IsIconic 1 00011390 user32.dll 0009 AppendMenuA 1 00011394 user32.dll 0100 GetClientRect 1 00011398 user32.dll 00B7 DrawIcon 1 0001139C user32.dll 015D GetSystemMenu 1 000113A0 user32.dll 015E GetSystemMetrics 1 000113A4 user32.dll 0194 InvalidateRect 1 000113A8 user32.dll 01BC LoadIconA 1 000113AC user32.dll 00C5 EnableWindow 1 000113B0 user32.dll 023C SendMessageA |
幻影之旅――[DBPE 2.x -> Ding Boy & zer0]流程攻略
[part 8]:D ; --------------------------- 不明飞行物 ----------------------------------- 003B0FD3 8D85 DA5C4000 lea eax, dword ptr ss:[ebp+405CDA] 003B1011 E8 96200000 call 003B30AC ; 没看懂 ; *************************************************************************** ; 处 理 调 用 表 & 跳 转 表 ( 还 原 指 针 ) ; *************************************************************************** 003B105F 8D85 DB5C4000 lea eax, dword ptr ss:[ebp+405CDB] ; fly 写的文章里提到,但没有说为什么,这里详细说明一下 ; ---------------call dword ptr ds:[xxxxxxxx],其中xxxxxxxx是80xxxxxxxx---------------- 003B108C 60 pushad 003B10A4 8B9D 08D64100 mov ebx, dword ptr ss:[ebp+41D608] 003B10AF 039D DCD34100 add ebx, dword ptr ss:[ebp+41D3DC] ; 还是Imagebase 003B110F BE E4D34100 mov esi, 41D3E4 ; 块表 003B1119 03F5 add esi, ebp 003B1120 8B9D DCD34100 mov ebx, dword ptr ss:[ebp+41D3DC] ; Try.00400000 003B112B 031E add ebx, dword ptr ds:[esi] ; ebx -> a section,应该是代码段 003B1132 8BFB mov edi, ebx ; Try.00401000 003B1139 8B4E 08 mov ecx, dword ptr ds:[esi+8] ; VSize 003B1141 83F9 00 cmp ecx, 0 003B115B /0F84 93050000 je 003B16F4 ; 0?不玩了 003B1178 D1E9 shr ecx, 1 ; ecx/2 003B11A7 49 dec ecx 003B11AD 66:B8 FF15 mov ax, 15FF ; call dword ptr ds:[xxxxxxxx] 003B11CD BE 31354200 mov esi, 423531 003B11FF 03F5 add esi, ebp 003B124A F2:66:AF repne scas word ptr es:[edi] ; 寻找call dword ptr ds:[xxxxxxxx] ; forgot:如果没有就……不好玩了,看Ding Boy怎么收场 ; edi -> xxxxxxxx,而不是call dword ptr 003B1264 8B1F mov ebx, dword ptr ds:[edi]; 要call的地址->Ebx 003B127D 81E3 00000080 and ebx, 80000000 ; 取最高位 003B129A 81FB 00000080 cmp ebx, 80000000 ; 是80xxxxxxx的形式? 003B12A0 /0F85 13010000 jnz 003B13B9 ; 不是就算了 003B12AB 8B1F mov ebx, dword ptr ds:[edi]; 加密过的指针 003B12B2 81E3 FFFFFF7F and ebx, 7FFFFFFF ; 去掉第31位(最高位),还原指针 003B12BD 3B9D 33D64100 cmp ebx, dword ptr ss:[ebp+41D633] 003B12C3 0F82 C3000000 jb 003B138C ; 判断地址范围 003B12CE 3B9D 2FD64100 cmp ebx, dword ptr ss:[ebp+41D62F] ; Try.0041F01B 003B12D4 /0F87 AD000000 ja 003B1387 003B12DF 833E FF cmp dword ptr ds:[esi], -1 ; ??? 
003B130F /0F84 DF030000 je 003B16F4 003B131A 8B1B mov ebx, dword ptr ds:[ebx] ; 把指针指向的内容读出来 003B1321 891E mov dword ptr ds:[esi], ebx ; 写到esi 003B1350 8937 mov dword ptr ds:[edi], esi ; 地址重定位,nop掉,下同 003B1357 83C6 04 add esi, 4 ; 移动指针 003B13BE 83F9 00 cmp ecx, 0 003B13C1 ^ 0F85 56FEFFFF jnz 003B121D ; 循环直到所有都搞定 ; ----------------------- jmp dword ptr ds:[xxxxxxxx]---------------------------------- ; 方法如出一辙,不多解释 003B140B 56 push esi;剩下的buffer 003B1416 8B9D 08D64100 mov ebx, dword ptr ss:[ebp+41D608] 003B1449 039D DCD34100 add ebx, dword ptr ss:[ebp+41D3DC] ; Try.00400000 003B1459 BE E4D34100 mov esi, 41D3E4 003B148B 03F5 add esi, ebp 003B1492 8B9D DCD34100 mov ebx, dword ptr ss:[ebp+41D3DC] ; Try.00400000 003B149D 031E add ebx, dword ptr ds:[esi] 003B14A4 8BFB mov edi, ebx ; Try.00401000 003B14AB 8B4E 08 mov ecx, dword ptr ds:[esi+8] 003B14C5 D1E9 shr ecx, 1 003B14DE 49 dec ecx 003B150C 66:B8 FF25 mov ax, 25FF ; jmp dword ptr ds:[xxxxxxxx] 003B151A 5E pop esi 003B152A F2:66:AF repne scas word ptr es:[edi] 003B1532 8B1F mov ebx, dword ptr ds:[edi] 003B1539 81E3 00000080 and ebx, 80000000 003B1556 81FB 00000080 cmp ebx, 80000000 003B155C /0F85 5B010000 jnz 003B16BD 003B158F 8B1F mov ebx, dword ptr ds:[edi] 003B15BE 81E3 FFFFFF7F and ebx, 7FFFFFFF 003B15F1 3B9D 33D64100 cmp ebx, dword ptr ss:[ebp+41D633] ; Try.00411000 003B15F7 /0F82 A9000000 jb 003B16A6 003B1614 3B9D 2FD64100 cmp ebx, dword ptr ss:[ebp+41D62F] ; Try.0041F01B 003B161A /77 5D ja short 003B1679 003B1621 833E FF cmp dword ptr ds:[esi], -1 003B1629 /0F84 C5000000 je 003B16F4 003B1634 8B1B mov ebx, dword ptr ds:[ebx] 003B163B 891E mov dword ptr ds:[esi], ebx 003B166A 8937 mov dword ptr ds:[edi], esi 003B166A 8937 mov dword ptr ds:[edi], esi 003B16D4 83F9 00 cmp ecx, 0 003B16D7 ^ 0F85 48FEFFFF jnz 003B1525 ; 循环处理所有 003B170B 61 popad ; 文革结束啦:D |
幻影之旅――[DBPE 2.x -> Ding Boy & zer0]流程攻略
[part 7]输入表处理 ; *********************************************************************************** ; 阿 赖 耶 识 ―― 输 入 表 处 理 觉 醒 ; *********************************************************************************** 003B0FC4 E8 34140000 call 003B23FD ; 当然要进去了 003B242F 60 pushad 003B2474 FF95 1BCF4100 call dword ptr ss:[ebp+41CF1B] ; kernel32.GetCurrentProcessId 003B24A8 8985 20FA4100 mov dword ptr ss:[ebp+41FA20], eax ; save process Id 003B24B3 8B85 1BCF4100 mov eax, dword ptr ss:[ebp+41CF1B] ; kernel32.GetCurrentProcessId 003B24D0 8985 24FA4100 mov dword ptr ss:[ebp+41FA24], eax ; kernel32.GetCurrentProcessId ; 不知道搞什么名堂 003B2508 B8 B8FA4100 mov eax, 41FAB8 003B2512 03C5 add eax, ebp 003B2519 8985 ACDC4100 mov dword ptr ss:[ebp+41DCAC], eax 003B254C 8B9D 08D64100 mov ebx, dword ptr ss:[ebp+41D608] ; Import Table RVA ------------------- 0041F023 78750000 0041F027 00000000 0041F02B 00000000 0041F02F 82750000 0041F033 7D910000 0041F037 25350000 ............ ------------------- 003B2557 83FB 00 cmp ebx, 0 ; 没有import么? 003B2587 /0F84 1F0A0000 je 003B2FAC ; 当然有,不跳 003B25D1 039D DCD34100 add ebx, dword ptr ss:[ebp+41D3DC] ; +ImageBase,得到IT VA ; ebx -> IID(s) 003B25E6 8B43 0C mov eax, dword ptr ds:[ebx+C] ;pointer to DLL asciz name 003B25EE 83F8 00 cmp eax, 0 003B25F6 /0F84 B0090000 je 003B2FAC ; Game Over? 
003B2601 53 push ebx ; Try.0041F023 003B262F 51 push ecx 003B2647 52 push edx 003B2648 33D2 xor edx, edx 003B264F B9 20000000 mov ecx, 20 003B2654 33DB xor ebx, ebx ; Try.0041F023 003B2656 D1F8 sar eax, 1 003B265D 0F92C3 setb bl 003B2660 D3E3 shl ebx, cl 003B2667 03D3 add edx, ebx 003B2669 ^\E2 E9 loopd short 003B2654 ; DLL Name 的RVA解码,结果在edx输出 003B266B 8BC2 mov eax, edx ; eax = edx = dll name rva 003B2684 5A pop edx 003B2685 59 pop ecx 003B268B 5B pop ebx 003B2696 0385 DCD34100 add eax, dword ptr ss:[ebp+41D3DC] ; +ImageBase = VA 003B26C9 8BF0 mov esi, eax 003B26D5 C685 78894100 0>mov byte ptr ss:[ebp+418978], 0 ; -------------- 是否是特殊 DLL, 包括 Windows Kernel32 & User32, 与 VB 的MSVB ------------------------ 003B2709 50 push eax 003B270F 8B00 mov eax, dword ptr ds:[eax]; 取dll name开头4个字节 003B2716 25 DFDFDFDF and eax, DFDFDFDF; 转换为大写 003B2720 3D 4B45524E cmp eax, 4E52454B ; KERN**** 003B2725 74 07 je short 003B272E 003B2727 3D 55534552 cmp eax, 52455355 ; USER**** 003B272C 75 11 jnz short 003B273F 003B2733 C685 78894100 0>mov byte ptr ss:[ebp+418978], 1 ; 特殊dll标记 003B2744 58 pop eax 003B2777 50 push eax ; Try.00415C82 003B277D 8B00 mov eax, dword ptr ds:[eax] 003B2784 25 DFDFDFDF and eax, DFDFDFDF 003B278E 3D 4D535642 cmp eax, 4256534D ; MSVB**** 003B2793 75 11 jnz short 003B27A6 003B279A C685 78894100 0>mov byte ptr ss:[ebp+418978], 1 ; 特殊dll标记 003B27D3 58 pop eax ; Try.00415C82 ; 为何不一起判断? 
D.boy大概写到这里喝多了:0 ; ---------------------------------------------------------------------------------------------------- 003B27DE 50 push eax 003B27DF FF95 C13D4200 call dword ptr ss:[ebp+423DC1] ; kernel32.LoadLibraryA ; 载入dll 003B27EA 8985 7FCC4100 mov dword ptr ss:[ebp+41CC7F], eax ; 保存dll module base 003B2822 33C0 xor eax, eax 003B2851 8703 xchg dword ptr ds:[ebx], eax ; 清掉IID的OriginalFirstThunk,然后把它读到eax ; 如果改为mov eax, dword ptr [ebx]可以避免...我偷懒,不改了,下面也是这样 003B2858 53 push ebx 003B2886 51 push ecx 003B289E 52 push edx 003B289F 33D2 xor edx, edx 003B28A6 B9 20000000 mov ecx, 20 003B28AB 33DB xor ebx, ebx 003B28AD D1F8 sar eax, 1 003B28B4 0F92C3 setb bl 003B28B7 D3E3 shl ebx, cl 003B28BE 03D3 add edx, ebx 003B28C0 ^\E2 E9 loopd short 003B28AB 003B28C2 8BC2 mov eax, edx 003B28DB 5A pop edx 003B28DC 59 pop ecx 003B28E2 5B pop ebx 003B28E8 8BF0 mov esi, eax ; OriginalFirstThunk解码 -> esi 003B292E 33C0 xor eax, eax 003B295D 8743 10 xchg dword ptr ds:[ebx+10], eax ; eax -> FirstThunk, & erase rva 003B2965 53 push ebx 003B2993 51 push ecx 003B29AB 52 push edx 003B29AC 33D2 xor edx, edx 003B29B3 B9 20000000 mov ecx, 20 003B29B8 33DB xor ebx, ebx 003B29BA D1F8 sar eax, 1 003B29C1 0F92C3 setb bl 003B29C4 D3E3 shl ebx, cl 003B29CB 03D3 add edx, ebx 003B29CD ^\E2 E9 loopd short 003B29B8 003B29CF 8BC2 mov eax, edx 003B29E8 5A pop edx 003B29E9 59 pop ecx 003B29EF 5B pop ebx 003B29F5 8BF8 mov edi, eax ; FirstThunk解码 -> edi 003B2A01 83FE 00 cmp esi, 0 ; OriginalFirstThunk不能用? 003B2A04 /75 34 jnz short 003B2A3A; 能就走 003B2A33 8BF7 mov esi, edi ; 它不行就使用第二个表 FirstThunk 003B2A67 03B5 DCD34100 add esi, dword ptr ss:[ebp+41D3DC] ; +ImageBase,Get VA 003B2A72 03BD DCD34100 add edi, dword ptr ss:[ebp+41D3DC] ; +ImageBase,Get VA ; offset to function name ( and hint) 003B2A99 8B06 mov eax, dword ptr ds:[esi]; 要do hint... 003B2AA0 83F8 00 cmp eax, 0 003B2AA3 /75 29 jnz short 003B2ACE ; 未完? 
003B2ABC 83C3 14 add ebx, 14 003B2AC4 ^\E9 13FBFFFF jmp 003B25DC ; 下一个IID 003B2B00 807E 03 80 cmp byte ptr ds:[esi+3], 80 ; is imported by ordinal? 003B2B04 75 6C jnz short 003B2B72 ; ord... 003B2B0B 33C0 xor eax, eax 003B2B12 66:8706 xchg word ptr ds:[esi], ax 003B2B42 50 push eax 003B2B43 FFB5 7FCC4100 push dword ptr ss:[ebp+41CC7F] 003B2B49 FF95 C53D4200 call dword ptr ss:[ebp+423DC5] 003B2B54 8BC8 mov ecx, eax 003B2B6D /E9 84000000 jmp 003B2BF6 ; str... 003B2B77 33C0 xor eax, eax 003B2B7E 8706 xchg dword ptr ds:[esi], eax 003B2B85 0385 DCD34100 add eax, dword ptr ss:[ebp+41D3DC] ; +ImageBase,这句话打过无数次了,累!!! 003B2BA2 83C0 02 add eax, 2 ; 跳过hint值(sizeof word == 2) 003B2BD2 50 push eax 003B2BD3 FFB5 7FCC4100 push dword ptr ss:[ebp+41CC7F] 003B2BD9 FF95 C53D4200 call dword ptr ss:[ebp+423DC5] ; kernel32.GetProcAddress 003B2C00 80BD 78894100 0>cmp byte ptr ss:[ebp+418978], 1 ; 特殊函数? 003B2C07 /0F85 87020000 jnz 003B2E94 ; magic jump...改为jmp吧,省得心烦 ; --------------------------- 加密输入表 ---------------------------------------- ; 具体不说了,跟到这里有点筋疲力尽了 003B2C3F 60 pushad 003B2C45 8BF8 mov edi, eax 003B2C63 8B85 A7DC4100 mov eax, dword ptr ss:[ebp+41DCA7] 003B2C6E 3D F4010000 cmp eax, 1F4 003B2C73 /75 1A jnz short 003B2C8F 003B2C7A 89BD 70894100 mov dword ptr ss:[ebp+418970], edi 003B2C85 /E9 C9010000 jmp 003B2E53 003B2CC1 B9 04000000 mov ecx, 4 003B2CCB 33D2 xor edx, edx 003B2CD2 F7E1 mul ecx 003B2CD9 BE B1DC4100 mov esi, 41DCB1 003B2CE3 03F5 add esi, ebp 003B2CFC 33BD 20FA4100 xor edi, dword ptr ss:[ebp+41FA20] 003B2D07 893C06 mov dword ptr ds:[esi+eax], edi 003B2D26 8B85 A7DC4100 mov eax, dword ptr ss:[ebp+41DCA7] 003B2D31 B9 0B000000 mov ecx, 0B 003B2D3B 33D2 xor edx, edx 003B2D42 F7E1 mul ecx 003B2D49 BF 85E44100 mov edi, 41E485 003B2D7B 03FD add edi, ebp 003B2DAA 03F8 add edi, eax 003B2DB6 89BD 70894100 mov dword ptr ss:[ebp+418970], edi 003B2DEE BE A6DC4100 mov esi, 41DCA6 003B2DF8 03F5 add esi, ebp 003B2E27 B9 0B000000 mov ecx, 0B 003B2E31 F3:A4 rep movs byte ptr 
es:[edi], byte ptr ds:[esi] 003B2E38 FF85 A7DC4100 inc dword ptr ss:[ebp+41DCA7] ; 计数器,被加密的应该是push count...push address...ret 003B2E43 8BBD 70894100 mov edi, dword ptr ss:[ebp+418970] 003B2E6A 61 popad 003B2E70 8B8D 70894100 mov ecx, dword ptr ss:[ebp+418970] 003B2E92 /EB 1E jmp short 003B2EB2 ; ----------------------------------------------------------------------------- 003B2EAB 8BC8 mov ecx, eax ; NETAPI32.Netbios ; 函数地址 003B2ECE 39BD 33D64100 cmp dword ptr ss:[ebp+41D633], edi 003B2ED4 76 10 jbe short 003B2EE6 ; 不知道,没跳 003B2EDB 89BD 33D64100 mov dword ptr ss:[ebp+41D633], edi 003B2EEB 39BD 2FD64100 cmp dword ptr ss:[ebp+41D62F], edi 003B2EF1 73 10 jnb short 003B2F03; 不知道,还是没跳 003B2EF8 89BD 2FD64100 mov dword ptr ss:[ebp+41D62F], edi 003B2F24 890F mov dword ptr ds:[edi], ecx ; 填充IAT 003B2F3D 83C6 04 add esi, 4 003B2F45 83C7 04 add edi, 4 ; 移动Thunk指针 003B2F4D ^\E9 42FBFFFF jmp 003B2A94; 循环--- ; --------------------------------------------------------------------------------------------------- ; 从老上边的003B25F6 /0F84 B0090000 je 003B2FAC出来,完成patch iat 003B2FB1 E8 16000000 call 003B2FCC ; 取User32.GetClassNameA...居然专门弄个call... 003B2FBB 61 popad ; 解放了 003B2FC1 C3 ret |
请问编写一个简单加壳程序需要那些知识?
最初由 AWU 发布 VB没什么作用。Delphi可以,汇编得掌握一些。看雪的新书就会介绍的。 |
请问编写一个简单加壳程序需要那些知识?
最初由 random 发布 为何非要熟练VC.... |
幻影之旅――[DBPE 2.x -> Ding Boy & zer0]流程攻略
[part 6 ](区段处理) ; ========================================================================================= ; 返回到 Ch e c k s u m - C h e c k i n g 之后的位置 ; 有个稍微快一点的方法解决注册 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 003B073A E8 4A2A0000 call 003B3189 ; nop掉然后置eax =1即可 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 003B076C 66:3D 0100 cmp ax, 1 003B0775 /0F84 E9000000 je 003B0864 ; j,否则Over 003B087B 8D85 D85C4000 lea eax, dword ptr ss:[ebp+405CD8] 003B08F8 BE E4D34100 mov esi, 41D3E4 003B0902 03F5 add esi, ebp ; esi -> 块表 ; esi: ;----------------------- 003B7B17 00001000 ; VOffset 003B7B1B 00006000 ; RSize 003B7B1F 0000F342 ; VSize 003B7B23 E0000021 ; Flags 003B7B27 00017000 ; 一样.... 003B7B2B 00001000 003B7B2F 00000FB8 003B7B33 C0000041 ;----------------------- 003B090E 833E 00 cmp dword ptr ds:[esi], 0 ; 区块解码结束了? 003B0916 /0F84 7E060000 je 003B0F9A ; 结束就走人 003B0921 8B9D DCD34100 mov ebx, dword ptr ss:[ebp+41D3DC] ; ImageBase 003B092C 031E add ebx, dword ptr ds:[esi] ; ebx -> 指向一个Section 003B0945 8B4E 04 mov ecx, dword ptr ds:[esi+4] ; ecx -> Size 003B0952 83F9 00 cmp ecx, 0 003B0955 /75 4E jnz short 003B09A5 ; 长度非零,处理---> (((((((((((((((((((((((((((((((((((((((((((((((((((( ; 跳过处理大小为零的Section 003B096E 83C6 10 add esi, 10 003B0976 ^\EB 91 jmp short 003B0909 )))))))))))))))))))))))))))))))))))))))))))))))))))) 003B09EE D1E9 shr ecx, 1 ; ecx /2 003B09F5 66:8B85 2DD6410>mov ax, word ptr ss:[ebp+41D62D] 003B0A01 66:35 2111 xor ax, 1121 003B0A37 66:C1C8 02 ror ax, 2 003B0A40 66:05 1A00 add ax, 1A 003B0A49 66:05 A100 add ax, 0A1 ; 计算key 003B0A84 66:3103 xor word ptr ds:[ebx], ax 003B0A8C 66:48 dec ax 003B0A93 43 inc ebx ; 指向下一byte 003B0A99 43 inc ebx ; 移动指针 003B0AC7 49 dec ecx 003B0ACD 83F9 00 cmp ecx, 0 003B0AD0 ^\75 AD jnz short 003B0A7F ; 循环解码 003B0B09 8B46 0C mov eax, dword ptr ds:[esi+C] ; flag 003B0B11 83E0 01 and eax, 1 ; 隐藏着什么标记呢? 
003B0B30 83BD F81D4200 0>cmp dword ptr ss:[ebp+421DF8], 1 003B0B37 /0F85 60030000 jnz 003B0E9D ; 不知道,nj 003B0B6A 83F8 01 cmp eax, 1 003B0B6D 0F85 25030000 jnz 003B0E98; 还是不知道,nj,$$#@%@#$ 003B0C18 60 pushad 003B0C23 8B46 04 mov eax, dword ptr ds:[esi+4]; RSize 003B0C2B 83F8 00 cmp eax, 0 003B0C33 /0F84 03020000 je 003B0E3C ; RSize==0就不分配空间了 003B0C43 8B46 08 mov eax, dword ptr ds:[esi+8] ;VSize 003B0C73 6A 04 push 4 003B0C75 68 00100000 push 1000 003B0C7A 50 push eax 003B0C7B 6A 00 push 0 003B0C7D FF95 13CF4100 call dword ptr ss:[ebp+41CF13] ; 分配空间存放Section 0012FF74 003B0C83 /CALL to VirtualAlloc from 003B0C7D 0012FF78 00000000 |Address = NULL 0012FF7C 0000F342 |Size = F342 (62274.) 0012FF80 00001000 |AllocationType = MEM_COMMIT 0012FF84 00000004 \Protect = PAGE_READWRITE 003B0CC7 8985 E0D34100 mov dword ptr ss:[ebp+41D3E0], eax ; 得到的空间 003B0CFF 56 push esi ; 保存 Section Table Pointer 003B0D32 8B1E mov ebx, dword ptr ds:[esi] ; ebx -> VOffset 003B0D39 039D DCD34100 add ebx, dword ptr ss:[ebp+41D3DC] ; +ImageBase, 得到VA 003B0D44 50 push eax 003B0D45 53 push ebx 003B0D46 E8 AE620000 call 003B6FF9 ; aplib_depack_asm.解压缩到刚才VirtualAlloc得到的空间 003B0D50 83C4 08 add esp, 8 ; 平衡堆栈,大概用的不是stdcall 003B0D5D 8BC8 mov ecx, eax ; 解压出来的长度 003B0D64 8B3E mov edi, dword ptr ds:[esi] ; edi -> VOffset 003B0D93 03BD DCD34100 add edi, dword ptr ss:[ebp+41D3DC] ; +ImageBase, Get VA ; 要把解压得代码传送回去了 003B0DC6 8BB5 E0D34100 mov esi, dword ptr ss:[ebp+41D3E0]; 解压缩后的数据 003B0DE3 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:[esi] ; copy all 003B0DEF 5E pop esi ; 恢复 Section Table Pointer ; 这里有点无聊。根本没有修改esi也没用用它,最后都popad 003B0E0C 8B85 E0D34100 mov eax, dword ptr ss:[ebp+41D3E0] ; 申请到的地址 003B0E29 68 00800000 push 8000 003B0E2E 6A 00 push 0 003B0E30 50 push eax 003B0E31 FF95 17CF4100 call dword ptr ss:[ebp+41CF17] ; kernel32.VirtualFree ; 满门抄斩……55555555 003B0E53 61 popad ; -------- 修正页面访问权限 ---------- 003B0EAC 60 pushad 003B0EB2 8B9D DCD34100 mov ebx, dword ptr ss:[ebp+41D3DC] ; ImageBase 003B0ECF 031E add 
ebx, dword ptr ds:[esi] ; 块表 VA 003B0EE8 8B4E 04 mov ecx, dword ptr ds:[esi+4] ; 长度 003B0EF5 B8 74894100 mov eax, 418974 003B0EFF 03C5 add eax, ebp ; buffer for VirtualProtect 003B0F2E 50 push eax 003B0F2F 6A 04 push 4 003B0F31 51 push ecx 003B0F32 53 push ebx 003B0F33 FF95 27CF4100 call dword ptr ss:[ebp+41CF27] ; kernel32.VirtualProtect 0012FF74 003B0F39 /CALL to VirtualProtect from 003B0F33 0012FF78 00401000 |Address = Try.00401000 0012FF7C 00006000 |Size = 6000 (24576.) 0012FF80 00000004 |NewProtect = PAGE_READWRITE 0012FF84 003B30A7 \pOldProtect = 003B30A7 003B0F3E 61 popad ; -------------- 移动指针,到下一个Section ------------------ 003B0F83 83C6 10 add esi, 10 003B0F8B ^\E9 79F9FFFF jmp 003B0909 ; 循环直到所有Sections都还原 ; ------------------------------------ ; 循环完成到这里,这里其实可以Dump了: 003B0F9A 90 nop 003B0FAE 8D85 D95C4000 lea eax, dword ptr ss:[ebp+405CD9] ; 这东西很无聊,碰到好几次,猜不出来,大概是buffer :D :D |
EncryptPE是病毒?这里有没有反病毒公司的人啊?
我想是你的Vxxxxxxxx.EPEx在作怪 |