前辈的脱文修订加录像版
谢谢他指导我成功脱掉了arm!
修订作者:vro
欢迎大家与我讨论 qq 277729596 (请注明来历)
邮箱: unpack@265.com
录像从dump完成后开始(获取iat)
我用的程序
Arm 3.x CopyMem-ll +Debug-Blocker 的脱壳
前天偶在DFCG中看到有一Arm壳的软件,其加密方式为CopyMem-ll +Debug-Blocker,脱后略有所得,故分享之,还请高手指正
程序相关页面:
教程中的程序附件:cr.part1.rar
附件:cr.part3.rar
附件:cr.part2.rar
(里面有原程序和我脱好后的程序)
首先要dump出程序
用OD载入后设断:BP WaitForDebugEvent
运行中断在后,此时堆栈窗口中:
0012DAEC 005658E6 /CALL 到 WaitForDebugEvent
0012DAF0 0012EB9C |pDebugEvent = 0012EB9C 右键转随跟随
0012DAF4 000003E8 \Timeout = 1000. ms
0012EB9C C4 EB CA 00 04 EC 12 00 碾.?.
0012EBA4 1C 00 00 00 B8 FE 12 00 ...羹.
0012EBAC 9C 00 00 00 00 F0 FD 7F ?...瘕
0012EBB4 00 00 00 00 00 ED 12 00 .....?.
0012EBBC 4F DE E5 77 F8 EC 12 00 O掊w?.
取消WaitForDebugEvent断点,再 Bp WriteProcessMemory, shift+F9运行中断后转存窗口中:
0012EB9C 01 00 00 00 8C 06 00 00 ...?..
0012EBA4 DC 02 00 00 01 00 00 80 ?....?
0012EBAC 00 00 00 00 00 00 00 00 ........
0012EBB4 CA 14 40 00 02 00 00 00 ?@....
0012EBBC 00 00 00 00 94 14 40 00 ....?@.
因此OEP: 4014Ac
堆栈窗口中:
0012D98C 00569421 /CALL 到 WriteProcessMemory 来自 MLEx.0056941B
0012D990 00000050 |hProcess = 00000050 (window)
0012D994 00401000 |Address = 401000
0012D998 003D6640 |Buffer = 003D6640 (第一次定入内存地址)
0012D99C 00001000 |BytesToWrite = 1000 (4096.)
0012D9A0 0012DAA8 \pBytesWritten = 0012DAA8
0012D9A4 00000003
0012D9A8 00000003
0012D9AC 0012F5A4
0012D9B0 0000003A
0012D9B4 00000000
0012D9B8 00000000
0012D9BC 0055AC48 MLEx.0055AC48
0012D9C0 0012D10C
0012D9C4 00550608 MLEx.00550608
0012D9C8 0012D354
0012D9CC 77F79005 ntdll.77F79005
0012D9D0 77F6D5F0 ntdll.77F6D5F0
0012D9D4 FFFFFFFF
0012D9D8 77F52013 返回到 ntdll.77F52013
0012D9DC 77F5201C 返回到 ntdll.77F5201C 来自 ntdll.77F78C4E
0012D9E0 0012D480
0012D9E4 00020024
0012D9E8 7FFDEC00 UNICODE "DILLOOEP"
0012D9EC 0000000A
0012D9F0 0012D649
0012D9F4 0012D173
0012D9F8 0012D1B4
0012D9FC 004A8B28 MLEx.004A8B28
0012DA00 0000000A
0012DA04 00000000
0012DA08 00000024
0012DA0C 004BB1D9 MLEx.004BB1D9
0012DA10 00000069
0012DA14 77010909
0012DA18 77F53CB3 返回到 ntdll.77F53CB3 来自 ntdll.77F78C4E
0012DA1C 00000000
0012DA20 00000208
0012DA24 0055AC48 MLEx.0055AC48
0012DA28 0012D2A8
0012DA2C 00000024
0012DA30 0012D728
0012DA34 0012D1AC
0012DA38 004A53B8 MLEx.004A53B8
0012DA3C 0012D838
0012DA40 0012D1E0
0012DA44 0000000B
0012DA48 004BB1DB MLEx.004BB1DB
0012DA4C 0012D1E0
0012DA50 0012D1C8
0012DA54 004A55D7 MLEx.004A55D7
0012DA58 0012D1E0
0012DA5C 0000000B
0012DA60 0012D728
0012DA64 00000001
0012DA68 77F52013 返回到 ntdll.77F52013
0012DA6C 77F5201C 返回到 ntdll.77F5201C 来自 ntdll.77F78C4E
0012DA70 0012D510
0012DA74 00020024
0012DA78 0055FA70 MLEx.0055FA70
0012DA7C 00010011
0012DA80 00000002
0012DA84 F28BF0DC
0012DA88 003D7640
0012DA8C 003D7640
0012DA90 00000044
0012DA94 0012D288
0012DA98 00000020
0012DA9C 00401000 MLEx.00401000
0012DAA0 00000020
0012DAA4 003D7640
0012DAA8 00001000
0012DAAC 003D7640
0012DAB0 /0012DAE4
0012DAB4 |0056812E 返回到 MLEx.0056812E 来自 MLEx.00568475
在汇编窗口中CTRL+G,输入 3D6640+0494 来到程序在缓存区的地址代码处
003D6AD4 /EB 10 JMP SHORT 003D6AE6 (原程序第一行代码)
003D6AD6 |66:623A BOUND DI,DWORD PTR DS:[EDX]
003D6AD9 |43 INC EBX
003D6ADA |2B2B SUB EBP,DWORD PTR DS:[EBX]
003D6ADC |48 DEC EAX
003D6ADD |4F DEC EDI
003D6ADE |4F DEC EDI
003D6ADF |4B DEC EBX
003D6AE0 |90 NOP
003D6AE1 -|E9 98D04F00 JMP 008D3B7E
003D6AE6 \A1 8BD04F00 MOV EAX,DWORD PTR DS:[4FD08B]
003D6AEB C1E0 02 SHL EAX,2
003D6AEE A3 8FD04F00 MOV DWORD PTR DS:[4FD08F],EAX
003D6AF3 52 PUSH EDX
003D6AF4 6A 00 PUSH 0
003D6AF6 E8 9DA80F00 CALL MLEx.004D1398
003D6AFB 8BD0 MOV EDX,EAX
003D6AFD E8 92D20E00 CALL MLEx.004C3D94
003D6B02 5A POP EDX
003D6B03 E8 F0D10E00 CALL MLEx.004C3CF8
003D6B08 E8 C7D20E00 CALL MLEx.004C3DD4
可见原程序是BC++程序
修改3D6AD4 处的代码,改为 jmp 3D6AD4 ,就是为了让程序死循环好让LordPE dump出程序
Arm在将原程序代码解压到内存区后又解了密,所以我们必须将此加密模块nop掉
0012DAB4 |0056812E 返回到 MLEx.0056812E 来自 MLEx.00568475 ---->(加密call)反汇编跟随
00568125 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
00568128 . 52 PUSH EDX
00568129 . E8 47030000 CALL 00568475 解码call,按回车进入
0056812E > 83C4 0C ADD ESP,0C 停在这里
00568131 . 25 FF000000 AND EAX,0FF
00568136 . 85C0 TEST EAX,EAX
00568475 $ 55 PUSH EBP 有两处调用:568129和5683e4
00568476 . 8BEC MOV EBP,ESP
00568478 . 81EC 00010000 SUB ESP,100
0056847E . 53 PUSH EBX
0056847F . 56 PUSH ESI
00568480 . 57 PUSH EDI
00568481 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00568484 . C1E0 0C SHL EAX,0C
00568487 . 8B0D D40A5900 MOV ECX,DWORD PTR DS:[590AD4] ; MLEx.00401000
0056848D . 03C8 ADD ECX,EAX
0056848F . 894D EC MOV DWORD PTR SS:[EBP-14],ECX
00568492 > 8B15 F00A5900 MOV EDX,DWORD PTR DS:[590AF0]
00568498 . 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
0056849B . A1 F00A5900 MOV EAX,DWORD PTR DS:[590AF0]
005683DA . 8B15 E40A5900 MOV EDX,DWORD PTR DS:[590AE4]
005683E0 . 8B048A MOV EAX,DWORD PTR DS:[EDX+ECX*4]
005683E3 . 50 PUSH EAX
005683E4 . E8 8C000000 CALL 00568475 而这个call 就是加密call,nop 掉
005683E9 . 83C4 0C ADD ESP,0C
005683EC . 9C PUSHFD
005683ED . 60 PUSHAD
005683EE . EB 2B JMP SHORT 0056841B
(下面将用到 jwh51 大虾的插件,将插件放到lordpe相应的目录下)
好了,取消所有断点,shift+f9运行程序,打开lordpe,选择第二进程,选取Armdump引擎,完全dump出程序,这样就得到没有加密的原程序代码
重要!!!:用lordPE将dump出程序入口点改成 oep-imagebase(一般是40000,怎么找?我不会,望大家指教)= 4014ac-400000=14ac
/////////录像开始////////////
接下来就是修复IAT了,重新载入程序
设断:bp DebugActiveProcess
运行中断后
0012DAF0 00565767 /CALL 到 DebugActiveProcess 来自 MLEx.00565761
0012DAF4 00000FF4 \ProcessId = FF4 (第二进程句柄)
打开一个新的OD,附加进程序:FF4(以大家的进程为准),载入后按ALT+F9返回,
0056B379 >- EB FE JMP SHORT <ModuleEntryPoint>
0056B37B EC IN AL,DX ; I/O 命令
0056B37C 6A FF PUSH -1
0056B37E 68 78025900 PUSH 00590278
0056B383 68 60AD5600 PUSH 0056AD60 ; SE handler installation
0056B388 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0056B38E 50 PUSH EAX
0056B38F 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
0056B396 83EC 58 SUB ESP,58
0056B399 53 PUSH EBX
0056B39A 56 PUSH ESI
0056B39B 57 PUSH EDI
0056B39C 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0056B39F FF15 4CD15800 CALL DWORD PTR DS:[<&KERNEL32.GetVersion>; kernel32.GetVersion
还原代码:
0056B379 > 55 PUSH EBP
0056B37A 8BEC MOV EBP,ESP
0056B37C 6A FF PUSH -1
0056B37E 68 78025900 PUSH 00590278
0056B383 68 60AD5600 PUSH 0056AD60 ; SE handler installation
0056B388 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0056B38E 50 PUSH EAX
0056B38F 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
0056B396 83EC 58 SUB ESP,58
0056B399 53 PUSH EBX
设断:Bp OpenMutexA (用意我就不说了)
0012F5B0 00561DA6 /CALL 到 OpenMutexA 来自 MLEx.00561DA0
0012F5B4 001F0001 |Access = 1F0001
0012F5B8 00000000 |Inheritable = FALSE
0012F5BC 0012FBF0 \MutexName = "FF4:A1375C857" (注意这里)
汇编窗口中ctrl+f9,输入401000
在空白处输入以下代码:
00401000 60 PUSHAD 右键在此新建EIP
00401001 9C PUSHFD
00401002 68 F0FB1200 PUSH 12FBF0 ; ASCII "FF4:A1375C857" 要跟上面一致
00401007 33C0 XOR EAX,EAX
00401009 50 PUSH EAX
0040100A 50 PUSH EAX
0040100B E8 B5A6A577 CALL kernel32.CreateMutexA
00401010 9D POPFD
00401011 61 POPAD
00401012 - E9 7A13A677 JMP kernel32.OpenMutexA
shift+f9执行再处中断在OpenMutexA处,取消断点,再撤消401000处的代码
bp GetModuleHandleA+5 F9 3次(不一定是3次,是有了个大跳转,凭感觉)
ctrl+F9 直到出现类似代码:
00E85B5C /75 03 JNZ SHORT 00E85B61
00E85B5E |8B5D 0C MOV EBX,DWORD PTR SS:[EBP+C]
00E85B61 \57 PUSH EDI
00E85B62 FF15 A450EA00 CALL DWORD PTR DS:[EA50A4] ; kernel32.GetModuleHandleA
00E85B68 3945 08 CMP DWORD PTR SS:[EBP+8],EAX ; MLEx.00400000 返回这里
00E85B6B 75 07 JNZ SHORT 00E85B74
00E85B6D B9 E873EA00 MOV ECX,0EA73E8
00E85B72 EB 52 JMP SHORT 00E85BC6
00E85B74 393D E079EA00 CMP DWORD PTR DS:[EA79E0],EDI
00E85B7A B9 E079EA00 MOV ECX,0EA79E0
00E85B7F 0F84 93000000 JE 00E85C18 传说中的magic jmp,改为jmp
00E85B85 8B35 60D8EA00 MOV ESI,DWORD PTR DS:[EAD860]
00E85B8B A1 E018EB00 MOV EAX,DWORD PTR DS:[EB18E0]
00E85B90 F641 08 01 TEST BYTE PTR DS:[ECX+8],1
00E85B94 74 0E JE SHORT 00E85BA4
00E85B96 8B50 5C MOV EDX,DWORD PTR DS:[EAX+5C]
00E85B99 3350 48 XOR EDX,DWORD PTR DS:[EAX+48]
00E85B9C 3350 1C XOR EDX,DWORD PTR DS:[EAX+1C]
00E85B9F F6C2 80 TEST DL,80
00E85BA2 75 13 JNZ SHORT 00E85BB7
开始寻找起始iat地址(教程中没有)
把入口代码改回来
/////////////////录像中内容//////////////////////////
起始iat地址:53711c-400000=13711c,再去掉末尾 得:137000
长得差不多把~
ita找到了,修复下
/////////////////录像中内容//////////////////////////
shift+f9,虽然程序不能运行,但IAT已经没加密了,打开ImprotREC选取进程
RVA:137000 Size:00001000
得到输入表后cut掉无效的指针,再填入OEP:00001494,fixdump
记住要改回OEP的代码
00401494 /EB 0B JMP SHORT 004014A6
00401496 |66:623A BOUND DI,DWORD PTR DS:[EDX]
00401499 |43 INC EBX
0040149A |2B2B SUB EBP,DWORD PTR DS:[EBX]
0040149C |48 DEC EAX
0040149D |4F DEC EDI
0040149E |4F DEC EDI
0040149F |4B DEC EBX
004014A0 |90 NOP
004014A1 -\E9 98D04F00 JMP 008FE53E
004014A6 A1 8BD04F00 MOV EAX,DWORD PTR DS:[4FD08B]
004014AB C1E0 02 SHL EAX,2
OK,好累啊!感谢前辈们的脱文,同时也感谢你看完本贴
录像:附件:iat.part1.rar
附件:iat.part2.rar
附件:iat.part3.rar
附件:iat.part4.rar
附件:iat.part5.rar
附件:iat.part6.rar
附件:iat.part7.rar
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)