[原创]cryxenet0.02unpackme完全分析
发表于:
2009-11-5 14:02
[原创]cryxenet0.02unpackme完全分析
【文章标题】: cryxenet0.02unpackme完全分析
【文章作者】: 峰回路转
【作者邮箱】: killbug2004@gmail.com
【软件名称】: cryxenet0.02unpackme
【下载地址】: http://www.crackmes.de/users/tfb/cryxenet_0.02_unpackme/
【操作平台】: .net
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教! 如果我的代码你看着很眼熟,那绝对不是偶然^V^
--------------------------------------------------------------------------------
【详细过程】
这个unpackme是作者的.net保护壳保护的,所以继续阅读之前需要对.net原理和.net PE文件结构有一定了解。程序由三个
文件组成,只有unpackme.exe是可以运行的。
一:unpackme.exe的分析
用PE工具查看,unpackme.exe是.net PE文件;用.net Reflector载入unpackme进行分析。程序入口函数
main无法以C#等高级语言查看,只能查看IL代码。该方法开头的代码如下:
// Start of Project1.Program::main as shown by Reflector. The listing stops after the
// FileInfo is stored into 'info'; the rest of the method is not reproduced here.
.method public static void main() cil managed
{
.custom instance void [mscorlib]System.STAThreadAttribute::.ctor()
.entrypoint
.maxstack 4
.locals init (
[0] int64 num,
[1] class [mscorlib]System.IO.FileInfo info,
[2] class [mscorlib]System.Reflection.Assembly 'assembly',
[3] object[] objArray,
[4] string[] strArray,
[5] int64 num2,
[6] int64 num3,
[7] int64 num4,
[8] int64 num5,
[9] int64 num6,
[10] class [mscorlib]System.IO.FileStream stream,
[11] native int ptr,
[12] uint8[] buffer,
[13] class Project1.Program/obfuscation8 obfuscation,
[14] uint8[] buffer2,
[15] int64 num7,
[16] int64 num8,
[17] int64 num9)
L_0000: nop
// L_0001 .. L_0093: repeated add/sub arithmetic on num2/num3/num4 interleaved with
// IsDebuggerPresent() calls whose return value is immediately discarded (pop).
// Nothing in the visible code consumes these locals; this appears to be decompiler
// noise rather than real anti-debugging (the result is never tested).
/*
L_0001: ldc.i4.s 0x63
L_0003: conv.i8
L_0004: stloc.s num2
L_0006: ldc.i4.s 0x4b
L_0008: conv.i8
L_0009: stloc.s num3
L_000b: ldc.i4 0x38d
L_0010: conv.i8
L_0011: stloc.s num4
L_0013: call int64 Project1.Program::IsDebuggerPresent()
L_0018: pop
L_0019: ldloc.s num3
L_001b: br.s L_003d // unconditional jump into the block below; this is why Reflector cannot decompile the method to a high-level language
L_001d: add.ovf
L_001e: stloc.s num2
L_0020: ldloc.s num4
L_0022: ldc.i4.7
L_0023: conv.i8
L_0024: sub.ovf
L_0025: stloc.s num4
L_0027: ldloc.s num4
L_0029: ldloc.s num2
L_002b: add.ovf
L_002c: stloc.s num3
L_002e: ldloc.s num4
L_0030: ldc.i4.7
L_0031: conv.i8
L_0032: add.ovf
L_0033: stloc.s num4
L_0035: call int64 Project1.Program::IsDebuggerPresent()
L_003a: pop
L_003b: ldloc.s num3
L_003d: ldloc.s num4
L_003f: add.ovf
L_0040: stloc.s num2
L_0042: ldloc.s num4
L_0044: ldc.i4.7
L_0045: conv.i8
L_0046: sub.ovf
L_0047: stloc.s num4
L_0049: ldloc.s num4
L_004b: ldloc.s num2
L_004d: add.ovf
L_004e: stloc.s num3
L_0050: ldloc.s num4
L_0052: ldc.i4.7
L_0053: conv.i8
L_0054: add.ovf
L_0055: stloc.s num4
L_0057: call int64 Project1.Program::IsDebuggerPresent()
L_005c: pop
L_005d: ldloc.s num3
L_005f: ldloc.s num4
L_0061: add.ovf
L_0062: stloc.s num2
L_0064: ldloc.s num4
L_0066: ldc.i4.7
L_0067: conv.i8
L_0068: sub.ovf
L_0069: stloc.s num4
L_006b: ldloc.s num4
L_006d: ldloc.s num2
L_006f: add.ovf
L_0070: stloc.s num3
L_0072: ldloc.s num4
L_0074: ldc.i4.7
L_0075: conv.i8
L_0076: add.ovf
L_0077: stloc.s num4
L_0079: ldloc.s num3
L_007b: ldloc.s num4
L_007d: add.ovf
L_007e: stloc.s num2
L_0080: ldloc.s num4
L_0082: ldc.i4.7
L_0084: sub.ovf
L_0085: stloc.s num4
L_0087: ldloc.s num4
L_0089: ldloc.s num2
L_008b: add.ovf
L_008c: stloc.s num3
L_008e: ldloc.s num4
L_0090: ldc.i4.7
L_0091: conv.i8
L_0092: add.ovf
L_0093: stloc.s num4
*/
// Create a FileInfo object bound to "native.dll"
L_0095: ldstr "native.dll" // push the string "native.dll" onto the evaluation stack
L_009a: newobj instance void [mscorlib]System.IO.FileInfo::.ctor(string)
// construct the FileInfo from the string on the stack
L_009f: stloc.1 // store the top of the stack into local 1
// i.e. keep the FileInfo object in 'info'
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Reflection;
namespace Project1
{
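class Program
{
    /// <summary>
    /// Signature of the routine at the start of the decrypted "native.dll" blob.
    /// It takes no arguments and returns an int, which Main stores in a long.
    /// </summary>
    private delegate int obfuscation8();

    /// <summary>
    /// Single-byte XOR key applied to both encrypted files. A constant-byte XOR is
    /// obfuscation, not encryption: the key sits in the loader in clear text.
    /// </summary>
    private const byte XorKey = 0x37;

    /// <summary>
    /// Reproduction of the unpackme's loader, with dump points added for analysis.
    /// Stage 1 decrypts "native.dll", copies it into unmanaged memory and calls it as
    /// native code. Stage 2 decrypts "cryxed.dll", loads it as a managed assembly and
    /// invokes its entry point. Both decrypted images are also written to disk
    /// ("dump.bin" and "decrypted_assembly.exe") so they can be examined statically.
    /// </summary>
    /// <exception cref="FileNotFoundException">"native.dll" or "cryxed.dll" is not in the working directory.</exception>
    /// <exception cref="InvalidOperationException">The decrypted managed image has no entry point.</exception>
    public static void Main()
    {
        // Stage 1: native stub.
        byte[] nativeImage = ReadAndDecrypt("native.dll");
        IntPtr nativeCode = Marshal.AllocCoTaskMem(nativeImage.Length);
        Marshal.Copy(nativeImage, 0, nativeCode, nativeImage.Length);
        obfuscation8 nativeEntry =
            (obfuscation8)Marshal.GetDelegateForFunctionPointer(nativeCode, typeof(obfuscation8));
        File.WriteAllBytes("dump.bin", nativeImage);
        long num = nativeEntry();
        // NOTE(review): nativeCode is deliberately not freed. What the stub does with
        // its own memory is not visible here, so releasing it could invalidate state
        // it keeps; confirm against the stub before adding Marshal.FreeCoTaskMem.
        Console.WriteLine(" num = " + num);

        // Stage 2: managed payload.
        byte[] managedImage = ReadAndDecrypt("cryxed.dll");
        File.WriteAllBytes("decrypted_assembly.exe", managedImage);
        Assembly assembly = Assembly.Load(managedImage);
        MethodInfo entryPoint = assembly.EntryPoint;
        if (entryPoint == null)
        {
            throw new InvalidOperationException("decrypted assembly has no entry point");
        }
        // The payload's Main receives a single empty string as its args array.
        object[] parameters = new object[1];
        string[] strArray = new string[] { "" };
        parameters[0] = strArray;
        entryPoint.Invoke(null, parameters);
    }

    /// <summary>
    /// Reads the whole file at <paramref name="path"/> and XORs every byte with <see cref="XorKey"/>.
    /// </summary>
    /// <param name="path">File to read, relative to the working directory.</param>
    /// <returns>The decrypted bytes, exactly the file's length.</returns>
    /// <exception cref="FileNotFoundException">The file does not exist.</exception>
    private static byte[] ReadAndDecrypt(string path)
    {
        // File.ReadAllBytes reads to end; the earlier single Read() call ignored its
        // return value, so a short read would have left the tail undecrypted.
        // It also returns exactly Length bytes, instead of the Length+1 buffer and
        // inclusive loop that wrote one spurious trailing byte into each dump file.
        byte[] data = File.ReadAllBytes(path);
        for (int i = 0; i < data.Length; i++)
        {
            data[i] ^= XorKey;
        }
        return data;
    }
}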
}