碰到一个程序,ACProtect加的壳.看了n多教程,看不懂啊.
oep来到这里
0040862F 55 PUSH EBP
00408630 8BEC MOV EBP,ESP
00408632 6A FF PUSH -1
00408634 68 48BA4000 PUSH dumped.0040BA48
00408639 68 42894000 PUSH dumped.00408942
0040863E 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00408644 50 PUSH EAX
00408645 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
0040864C 83EC 10 SUB ESP,10
0040864F 53 PUSH EBX
00408650 56 PUSH ESI
00408651 57 PUSH EDI
00408652 E8 BF7D5C00 CALL dumped.009D0416
00408657 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0040865A 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
0040865D 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00408660 3B45 10 CMP EAX,DWORD PTR SS:[EBP+10]
00408663 7D 13 JGE SHORT dumped.00408678
00408665 E8 AC7D5C00 CALL dumped.009D0416 //指向壳
0040866A FF55 14 CALL DWORD PTR SS:[EBP+14] //利用壳解压在堆栈的代码执行程序
0040866D 0375 0C ADD ESI,DWORD PTR SS:[EBP+C]
00408670 8975 08 MOV DWORD PTR SS:[EBP+8],ESI
00408673 FF45 E4 INC DWORD PTR SS:[EBP-1C]
输入表比较容易还原,就不说了.
进入壳
009D0416 60 PUSHAD
009D0417 41 INC ECX
009D0418 78 03 JS SHORT WinMain1.009D041D
009D041A 79 01 JNS SHORT WinMain1.009D041D
009D041C ^ 75 F8 JNZ SHORT WinMain1.009D0416
009D041E E8 01000000 CALL WinMain1.009D0424
009D0423 ^ 78 83 JS SHORT WinMain1.009D03A8
***************************************************
省略若干
**************************************************
009D059E 41 INC ECX
009D059F 8135 B9FC9C00 7>XOR DWORD PTR DS:[9CFCB9],534A1175
009D05A9 83EB 01 SUB EBX,1
009D05AC ^ 0F85 6CFFFFFF JNZ WinMain1.009D051E //从这往上是解密下面壳还原代码
009D05B2 EB 01 JMP SHORT WinMain1.009D05B5
009D05B4 7D 0F JGE SHORT WinMain1.009D05C5
009D05B6 8A03 MOV AL,BYTE PTR DS:[EBX]
009D05B8 0000 ADD BYTE PTR DS:[EAX],AL
009D05BA 00C1 ADD CL,AL
009D05BC E6 88 OUT 88,AL ; I/O 命令
009D05BE 71 01 JNO SHORT WinMain1.009D05C1
009D05C0 F9 STC
在009D05B2 行f4,壳代码被还原
009D05B2 /EB 01 JMP SHORT WinMain1.009D05B5
009D05B4 |7D 0F JGE SHORT WinMain1.009D05C5
009D05B6 8A03 MOV AL,BYTE PTR DS:[EBX]
009D05B8 0000 ADD BYTE PTR DS:[EAX],AL
009D05BA 00C1 ADD CL,AL
009D05BC E6 88 OUT 88,AL ; I/O 命令
009D05BE 71 01 JNO SHORT WinMain1.009D05C1
009D05C0 F9 STC
009D05C1 E8 0CEF0000 CALL WinMain1.009DF4D2
009D05C6 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20] ; 取出返回地址 , 第一次是40866a
009D05CA 33C9 XOR ECX,ECX ; ECX=0
009D05CC 8B9C8D 69324000 MOV EBX,DWORD PTR SS:[EBP+ECX*4+403269] ; 这里放返回地址 RVA
009D05D3 039D 1FFC4000 ADD EBX,DWORD PTR SS:[EBP+40FC1F] ; 这里放返回地址 RVA
009D05D9 3BC3 CMP EAX,EBX ; 匹配吗?
009D05DB 74 07 JE SHORT WinMain1.009D05E4
009D05DD 90 NOP
009D05DE 90 NOP
009D05DF 90 NOP
009D05E0 90 NOP
009D05E1 41 INC ECX
009D05E2 ^ EB E8 JMP SHORT WinMain1.009D05CC
009D05E4 8DB5 49614000 LEA ESI,DWORD PTR SS:[EBP+406149] ; 9d4149 放加密后的代码
009D05EA B8 0A000000 MOV EAX,0A ; 加密代码 A 个字节一段
009D05EF F7E1 MUL ECX
009D05F1 03F0 ADD ESI,EAX ; 9d4149 + A*e = 9d41d5
009D05F3 8DBD EF1B4000 LEA EDI,DWORD PTR SS:[EBP+401BEF]
009D05F9 0FB6840D B12640>MOVZX EAX,BYTE PTR SS:[EBP+ECX+4026B1]
009D0601 FEC0 INC AL
009D0603 88840D B1264000 MOV BYTE PTR SS:[EBP+ECX+4026B1],AL
009D060A 3C 20 CMP AL,20
009D060C 75 13 JNZ SHORT WinMain1.009D0621
009D060E 90 NOP
009D060F 90 NOP
009D0610 90 NOP
009D0611 90 NOP
009D0612 8BBD 23FC4000 MOV EDI,DWORD PTR SS:[EBP+40FC23] ; 代码解密后放到1432f0开始的内存块
009D0618 B8 0A000000 MOV EAX,0A
009D061D F7E1 MUL ECX
009D061F 03F8 ADD EDI,EAX
009D0621 8A9D 06244000 MOV BL,BYTE PTR SS:[EBP+402406]
009D0627 B9 0A000000 MOV ECX,0A
009D062C AC LODS BYTE PTR DS:[ESI]
009D062D 32C3 XOR AL,BL
009D062F AA STOS BYTE PTR ES:[EDI]
009D0630 ^ E2 FA LOOPD SHORT WinMain1.009D062C
009D0632 83EF 0A SUB EDI,0A
009D0635 57 PUSH EDI
009D0636 8DB5 EF1B4000 LEA ESI,DWORD PTR SS:[EBP+401BEF]
009D063C 33F7 XOR ESI,EDI
009D063E 74 19 JE SHORT WinMain1.009D0659
009D0640 90 NOP
009D0641 90 NOP
009D0642 90 NOP
009D0643 90 NOP
009D0644 8B7424 24 MOV ESI,DWORD PTR SS:[ESP+24]
009D0648 83EE 04 SUB ESI,4
009D064B AD LODS DWORD PTR DS:[ESI]
009D064C 81EF 16244000 SUB EDI,WinMain1.00402416
009D0652 2BFD SUB EDI,EBP
009D0654 03C7 ADD EAX,EDI
009D0656 8946 FC MOV DWORD PTR DS:[ESI-4],EAX
009D0659 5F POP EDI
009D065A 57 PUSH EDI
009D065B 33C9 XOR ECX,ECX
009D065D 83F9 08 CMP ECX,8
009D0660 74 0E JE SHORT WinMain1.009D0670
009D0662 90 NOP
009D0663 90 NOP
009D0664 90 NOP
009D0665 90 NOP
009D0666 8B448C 04 MOV EAX,DWORD PTR SS:[ESP+ECX*4+4]
009D066A 89048C MOV DWORD PTR SS:[ESP+ECX*4],EAX
009D066D 41 INC ECX
009D066E ^ EB ED JMP SHORT WinMain1.009D065D
009D0670 893C8C MOV DWORD PTR SS:[ESP+ECX*4],EDI
009D0673 60 PUSHAD //往下是重新加密上面的壳代码
009D0674 E8 00000000 CALL WinMain1.009D0679
009D0679 5E POP ESI
009D067A 83EE 06 SUB ESI,6
009D067D B9 B2000000 MOV ECX,0B2
009D0682 29CE SUB ESI,ECX
009D0684 BA 652946C8 MOV EDX,C8462965
009D0689 C1E9 02 SHR ECX,2
009D068C 83E9 02 SUB ECX,2
009D068F 83F9 00 CMP ECX,0
009D0692 7C 1A JL SHORT WinMain1.009D06AE
009D0694 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]
009D0697 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
009D069B 33C3 XOR EAX,EBX
009D069D C1C8 1D ROR EAX,1D
009D06A0 03C2 ADD EAX,EDX
009D06A2 81C2 6687812E ADD EDX,2E818766
009D06A8 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX
009D06AB 49 DEC ECX
009D06AC ^ EB E1 JMP SHORT WinMain1.009D068F
009D06AE 61 POPAD
009D06AF 61 POPAD
009D06B0 C3 RETN
不知道这是什么版本的ACProtect壳,我找不到jingulong
大虾说得这个跳转.
006D5622 MOV BYTE PTR SS:[EBP+4023FC],BL ;BL中为还原Replace Code的操作数
006D5628 POP ECX
006D5629 POP ESI
006D562A PUSHAD
006D562B MOV EAX,2
006D5630 CALL Acprotect.006E11EA
006D5635 OR EAX,EAX ;
006D5637 JNZ SHORT Acprotect.006D565D ;跳,表示把Replace Code放在原来变形码的位置
006D5639 NOP ; .
006D563A NOP ; .
006D563B NOP ; .
006D563C NOP ; .
006D563D POPAD ; .
006D563E MOV EDI,DWORD PTR SS:[EBP+40D2AE] ;否则放到位于[ebp+40d2ae]的指针指向的位置
006D5644 MOV EAX,0A ;一般情况下该指针指向堆中
把入口改成原壳的入口好像也不能通过这个call.没什么头绪了.各位支个招吧.
另外就是,用importREC修复的时候,如果不添加区段,但是原程序有没有合适的大小,该怎么办?
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
