能力值:
( LV2,RANK:10 )
|
-
-
2 楼
10130FF pushad
1013100 push 01013054 在此 ESP 定律可快速脱壳
1013105 mov eax,<&KERNEL32.GetModuleHandleA>
101310A call dword ptr ds:[eax]
101310C push 010130B3
1013111 push eax
1013112 mov eax,<&KERNEL32.GetProcAddress>
1013117 call dword ptr ds:[eax]
1013119 push 7800
101311E push 40
1013120 call eax 这里 F7 进入 (也可直接在下一个 CALL 1013138 call 010131AA ) F4
F7 进入 1013120 call eax 后到此:
7C80FDCD push 1C F7 进入 1013120 call eax 后到此 (Ctrl+F9) 到段尾
7C80FDCF push 7C80FEC8
7C80FDD4 call 7C8024D6
7C80FDD9 mov eax,dword ptr ss:[ebp+8]
7C80FDDC test eax,FFFF808D
7C80FDE1 jnz 7C840037
7C80FDE7 xor edi,edi
7C80FDE9 mov dword ptr ss:[ebp-1C],edi
7C80FDEC test al,40
7C80FDEE jnz 7C80FED4
7C80FDF4 test al,2
7C80FDF6 je 7C80FEE0
7C80FDFC mov dword ptr ss:[ebp-20],edi
7C80FDFF push dword ptr ds:[7C8853A4]
7C80FE05 call dword ptr ds:[<&ntdll.RtlLockHeap>]
7C80FE0B or word ptr ss:[ebp-1C],301
7C80FE11 mov dword ptr ss:[ebp-4],edi
7C80FE14 push edi
7C80FE15 mov ebx,7C8850E0
7C80FE1A push ebx
7C80FE1B call dword ptr ds:[<&ntdll.RtlAllocateHandle>]
7C80FE21 mov esi,eax
7C80FE23 mov dword ptr ss:[ebp-24],esi
7C80FE26 test esi,esi
7C80FE28 je 7C8355C6
7C80FE2E lea eax,dword ptr ds:[esi+4]
7C80FE31 mov dword ptr ss:[ebp-28],eax
7C80FE34 cmp dword ptr ss:[ebp+C],0
7C80FE38 je short 7C80FE76
7C80FE3A push dword ptr ss:[ebp+C]
7C80FE3D mov eax,dword ptr ds:[7C8856D4]
7C80FE42 add eax,100000
7C80FE47 or eax,dword ptr ss:[ebp-1C]
7C80FE4A push eax
7C80FE4B push dword ptr ds:[7C8853A4]
7C80FE51 call dword ptr ds:[<&ntdll.RtlAllocateHeap>]
7C80FE57 mov edi,eax
7C80FE59 mov dword ptr ss:[ebp-20],edi
7C80FE5C test edi,edi
7C80FE5E je 7C840059
7C80FE64 push dword ptr ss:[ebp-28]
7C80FE67 push edi
7C80FE68 push 1
7C80FE6A push dword ptr ds:[7C8853A4]
7C80FE70 call dword ptr ds:[<&ntdll.RtlSetUserValueHeap>]
7C80FE76 or dword ptr ss:[ebp-4],FFFFFFFF
7C80FE7A push dword ptr ds:[7C8853A4]
7C80FE80 call dword ptr ds:[<&ntdll.RtlUnlockHeap>]
7C80FE86 test esi,esi
7C80FE88 je short 7C80FEBE
7C80FE8A mov dword ptr ds:[esi+4],edi
7C80FE8D xor eax,eax
7C80FE8F test edi,edi
7C80FE91 sete al
7C80FE94 lea eax,dword ptr ds:[eax*8+1]
7C80FE9B mov word ptr ds:[esi],ax
7C80FE9E test byte ptr ss:[ebp+9],1
7C80FEA2 jnz 7C8355BE
7C80FEA8 test byte ptr ss:[ebp+8],2
7C80FEAC je short 7C80FEB1
7C80FEAE or byte ptr ds:[esi],2
7C80FEB1 test byte ptr ss:[ebp+9],20
7C80FEB5 jnz 7C80C009
7C80FEBB mov edi,dword ptr ss:[ebp-28]
7C80FEBE mov eax,edi
7C80FEC0 call 7C802511
7C80FEC5 retn 8 这里返回程式领空
返回到此处:
1013122 mov dword ptr ds:[10130CA],eax 返回到此处
1013128 mov edi,eax
101312A mov esi,01001000
101312F pushad
1013130 cld
1013131 mov dl,80
1013133 xor ebx,ebx
1013135 movs byte ptr es:[edi],byte ptr ds:[esi]
1013136 mov bl,2
1013138 call 010131AA
101313D jnb short 01013135
101313F xor ecx,ecx
1013141 call 010131AA
1013146 jnb short 01013164
1013148 xor eax,eax
101314A call 010131AA
101314F jnb short 01013174
1013151 mov bl,2
1013153 inc ecx
1013154 mov al,10
1013156 call 010131AA
101315B adc al,al
101315D jnb short 01013156
101315F jnz short 010131A0
1013161 stos byte ptr es:[edi]
1013162 jmp short 01013138
1013164 call 010131B6
1013169 sub ecx,ebx
101316B jnz short 0101317D
101316D call 010131B4
1013172 jmp short 0101319C
1013174 lods byte ptr ds:[esi]
1013175 shr eax,1
1013177 je short 010131C6 这里 Enter 键 跟随
1013179 adc ecx,ecx
101317B jmp short 01013199
101317D xchg eax,ecx
101317E dec eax
101317F shl eax,8
跟随到此
10131C6 popad
10131C7 mov ecx,77FC
10131CC mov ebx,dword ptr ds:[eax+ecx]
10131CF mov dword ptr ds:[ecx+1001000],ebx
10131D5 loopd short 010131CC
10131D7 nop
10131D8 nop
10131D9 mov edx,01000000
10131DE mov esi,7604
10131E3 add esi,edx
10131E5 mov eax,dword ptr ds:[esi+C]
10131E8 test eax,eax
10131EA je 01013277 这里 Enter 键 跟随
10131F0 add eax,edx
10131F2 mov ebx,eax
10131F4 push eax
跟随到此
1013277 push 01013054
101327C mov eax,<&KERNEL32.GetModuleHandleA>
1013281 call dword ptr ds:[eax]
1013283 push 010130BF
1013288 push eax
1013289 mov eax,<&KERNEL32.GetProcAddress>
101328E call dword ptr ds:[eax]
1013290 mov edx,dword ptr ds:[10130CA]
1013296 push edx
1013297 call eax
1013299 popad
101329A mov eax,0100739D
101329F mov edx,0EA
10132A4 mov ecx,0E015
10132A9 add ecx,edx
10132AB xchg edx,ecx
10132AD xor ebx,ebx
10132AF nop
10132B0 add ebx,eax
10132B2 nop
10132B3 xor eax,eax
10132B5 nop
10132B6 add eax,edx
10132B8 nop
10132B9 push eax
10132BA xor eax,eax
10132BC add eax,ebx
10132BE xor ecx,ecx
10132C0 add ecx,esp
10132C2 xor edx,edx
10132C4 add edx,eax
10132C6 xor edx,20
10132C9 xor eax,eax
10132CB cmp eax,edx
10132CD je short 010132DB
10132CF jmp short 010132D8
10132D1 retn
10132D2 jmp short 010132D8
10132D4 retn
10132D5 jmp short 010132D8
10132D7 retn
10132D8 inc eax
10132D9 jmp short 010132CB
10132DB xor eax,20
10132DE push ecx
10132DF retn F4 到这里 F8
F8 到这里
6FFC0 jmp eax F8 到 OEP
6FFC2 add byte ptr ds:[eax],al
6FFC4 ja short 00070036
100739D push 70 OEP
100739F push 01001898
10073A4 call 01007568
10073A9 xor ebx,ebx
10073AB push ebx
10073AC mov edi,dword ptr ds:[10010CC]
10073B2 call edi
10073B4 cmp word ptr ds:[eax],5A4D
10073B9 jnz short 010073DA
10073BB mov ecx,dword ptr ds:[eax+3C]
10073BE add ecx,eax
10073C0 cmp dword ptr ds:[ecx],4550
直接使用 OD 插件 脱壳既可
这个壳没压缩资源可 OD 载入程式向下拉到 最后一个 retn (后面全是 00 00 00 00)
在 retn F4 断下 F8 2 次 就到 OEP 了
|
能力值:
( LV6,RANK:80 )
|
-
-
3 楼
[QUOTE=hcg;747393]10130FF pushad
1013100 push 01013054 在此 ESP 定律可快速脱壳
1013105 mov eax,<&KERNEL32.GetModuleHandleA>
101310A call dword ptr ds:[eax]
101310C push 01...[/QUOTE]
我的问题是 在这个call就失败了 如果在1013100用esp定律 直接就走死了:
7C92E506 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
7C92E50D 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
7C92E510 > 8BD4 MOV EDX,ESP
7C92E512 0F34 SYSENTER
7C92E514 > C3 RETN
7C92E515 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
7C92E51C 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
7C92E520 > 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
直接走到这儿
所以我自己跟了一下,在那个call进入:
7C80FDCD > 6A 1C PUSH 1C
7C80FDCF 68 C8FE807C PUSH kernel32.7C80FEC8
7C80FDD4 E8 FD26FFFF CALL kernel32.7C8024D6
7C80FDD9 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; 把uFlags放入到eax
7C80FDDC A9 8D80FFFF TEST EAX,FFFF808D
7C80FDE1 0F85 50020300 JNZ kernel32.7C840037 ; 这一跳没实现
7C80FDE7 33FF XOR EDI,EDI ;初始化临时变量为0
7C80FDE9 897D E4 MOV DWORD PTR SS:[EBP-1C],EDI
7C80FDEC A8 40 TEST AL,40 ; 因为aL=40 所以下面的跳成立
7C80FDEE 0F85 E0000000 JNZ kernel32.7C80FED4
=============================================
7C80FED4 C745 E4 0800000>MOV DWORD PTR SS:[EBP-1C],8 ; 临时变量放入8
7C80FEDB ^ E9 14FFFFFF JMP kernel32.7C80FDF4 ;跳回去
7C80FEE0 F6C4 20 TEST AH,20
7C80FEE3 0F85 43280200 JNZ kernel32.7C83272C
7C80FEE9 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
7C80FEEC 3BC7 CMP EAX,EDI
7C80FEEE 0F84 51010300 JE kernel32.7C840045
7C80FEF4 50 PUSH EAX
7C80FEF5 A1 D456887C MOV EAX,DWORD PTR DS:[7C8856D4]
7C80FEFA 05 00001000 ADD EAX,100000
7C80FEFF 0B45 E4 OR EAX,DWORD PTR SS:[EBP-1C]
=================================================
7C80FEE0 F6C4 20 TEST AH,20 ; 判断高位
7C80FEE3 0F85 43280200 JNZ kernel32.7C83272C ; 未实现
7C80FEE9 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; 这里是压入的第一个参数dwBytes
7C80FEEC 3BC7 CMP EAX,EDI ; 注意edi前面被初始化为0
7C80FEEE 0F84 51010300 JE kernel32.7C840045 ; 等于就跳 这里没跳
7C80FEF4 50 PUSH EAX ; 压入dwBytes
7C80FEF5 A1 D456887C MOV EAX,DWORD PTR DS:[7C8856D4] ; DS:[7C8856D4]=00240000
7C80FEFA 05 00001000 ADD EAX,100000
7C80FEFF 0B45 E4 OR EAX,DWORD PTR SS:[EBP-1C] ; 堆栈 SS:[0006FF78]=00000008
7C80FF02 50 PUSH EAX
7C80FF03 FF35 A453887C PUSH DWORD PTR DS:[7C8853A4]
7C80FF03 FF35 A453887C PUSH DWORD PTR DS:[7C8853A4]
7C80FF09 FF15 0C10807C CALL DWORD PTR DS:[<&ntdll.RtlAllocateHe>; F7进去 就是这里开始悲剧的
================================================
5AD5277B 8BFF MOV EDI,EDI
5AD5277D 55 PUSH EBP
5AD5277E 8BEC MOV EBP,ESP
5AD52780 56 PUSH ESI
5AD52781 FF75 10 PUSH DWORD PTR SS:[EBP+10]
5AD52784 FF75 0C PUSH DWORD PTR SS:[EBP+C]
5AD52787 FF75 08 PUSH DWORD PTR SS:[EBP+8]
5AD5278A FF15 1010D55A CALL DWORD PTR DS:[<&ntdll.RtlAllocateHe>; ntdll.RtlAllocateHeap 跟进去
===============================================
7C9300C4 > 68 04020000 PUSH 204
7C9300C9 68 E001937C PUSH ntdll.7C9301E0
7C9300CE E8 F8E7FFFF CALL ntdll.7C92E8CB ; 跟进去(此call没问题)
7C9300D3 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8] ; 这回返回到这儿 此时都没问题
7C9300D6 895D E4 MOV DWORD PTR SS:[EBP-1C],EBX
7C9300D9 33FF XOR EDI,EDI
7C9300DB 897D D0 MOV DWORD PTR SS:[EBP-30],EDI
7C9300DE C645 E2 00 MOV BYTE PTR SS:[EBP-1E],0
7C9300E2 897D CC MOV DWORD PTR SS:[EBP-34],EDI
7C9300E5 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
7C9300E8 0B43 10 OR EAX,DWORD PTR DS:[EBX+10]
7C9300EB 8945 0C MOV DWORD PTR SS:[EBP+C],EAX
7C9300EE A9 600F037D TEST EAX,7D030F60
7C9300F3 0F85 2C870000 JNZ ntdll.7C938825
7C9300F9 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
7C9300FC 81FA 00000080 CMP EDX,80000000
7C930102 0F83 1D870000 JNB ntdll.7C938825
7C930108 80BB 86050000 0>CMP BYTE PTR DS:[EBX+586],2
7C93010F 0F84 9E6C0200 JE ntdll.7C956DB3
7C930115 85FF TEST EDI,EDI
7C930117 0F85 B76C0200 JNZ ntdll.7C956DD4
7C93011D 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
7C930120 85C0 TEST EAX,EAX
7C930122 0F84 83060000 JE ntdll.7C9307AB
7C930128 83C0 0F ADD EAX,0F
7C93012B 83E0 F8 AND EAX,FFFFFFF8
7C93012E 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
7C930131 85FF TEST EDI,EDI
7C930133 0F85 F0760200 JNZ ntdll.7C957829
7C930139 8BF8 MOV EDI,EAX
7C93013B C1EF 03 SHR EDI,3
7C93013E 897D 9C MOV DWORD PTR SS:[EBP-64],EDI
7C930141 33F6 XOR ESI,ESI
7C930143 80BB 86050000 0>CMP BYTE PTR DS:[EBX+586],1
7C93014A 0F85 B4110000 JNZ ntdll.7C931304 ;此处跳走
7C930150 8B83 80050000 MOV EAX,DWORD PTR DS:[EBX+580]
7C930156 3BC6 CMP EAX,ESI ;又跳回来
7C930158 0F84 440C0000 JE ntdll.7C930DA2 ;再次跳走 此时开始悲剧 再也不回来了
7C93015E 66:39B3 8405000>CMP WORD PTR DS:[EBX+584],SI
7C930165 0F85 370C0000 JNZ ntdll.7C930DA2
7C93016B 81FF 80000000 CMP EDI,80
7C930171 0F83 2B0C0000 JNB ntdll.7C930DA2
7C930177 8D0C7F LEA ECX,DWORD PTR DS:[EDI+EDI*2]
7C93017A C1E1 04 SHL ECX,4
7C93017D 8D3401 LEA ESI,DWORD PTR DS:[ECX+EAX]
7C930180 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
7C930183 2B46 1C SUB EAX,DWORD PTR DS:[ESI+1C]
7C930186 0FB74E 08 MOVZX ECX,WORD PTR DS:[ESI+8]
7C93018A C1E1 07 SHL ECX,7
7C93018D 3BC1 CMP EAX,ECX
7C93018F 0F8D DF0B0000 JGE ntdll.7C930D74
7C930195 56 PUSH ESI
7C930196 E8 56000000 CALL ntdll.7C9301F1
7C93019B 8BF0 MOV ESI,EAX
7C93019D 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI
7C9301A0 85F6 TEST ESI,ESI
7C9301A2 0F84 1D0F0000 JE ntdll.7C9310C5
7C9301A8 8D7E F8 LEA EDI,DWORD PTR DS:[ESI-8]
7C9301AB 8A45 DC MOV AL,BYTE PTR SS:[EBP-24]
7C9301AE 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
7C9301B1 2AC1 SUB AL,CL
7C9301B3 8847 06 MOV BYTE PTR DS:[EDI+6],AL
7C9301B6 8BC7 MOV EAX,EDI
7C9301B8 C1E8 03 SHR EAX,3
7C9301BB 3243 04 XOR AL,BYTE PTR DS:[EBX+4]
7C9301BE 8847 04 MOV BYTE PTR DS:[EDI+4],AL
7C9301C1 F645 0C 08 TEST BYTE PTR SS:[EBP+C],8
7C9301C5 75 6D JNZ SHORT ntdll.7C930234
7C9301C7 F605 F002FE7F 0>TEST BYTE PTR DS:[7FFE02F0],2
7C9301CE 0F85 FFCD0200 JNZ ntdll.7C95CFD3
7C9301D4 8BC6 MOV EAX,ESI
7C9301D6 E8 2BE7FFFF CALL ntdll.7C92E906
7C9301DB C2 0C00 RETN 0C
注意7C930158那个跳,跳走之后就走死了。
总体来看,这个程序运行是没问题的,od调试时候 在这个call就会走死 究竟什么原因?
|
能力值:
( LV2,RANK:10 )
|
-
-
6 楼
010132CD /7>je short AHpack_0.010132DB
010132CF |E>jmp short AHpack_0.010132D8
010132D1 |C>retn
010132D2 |E>jmp short AHpack_0.010132D8
010132D4 |C>retn
010132D5 |E>jmp short AHpack_0.010132D8
010132D7 |C>retn
010132D8 |4>inc eax
010132D9 ^|E>jmp short AHpack_0.010132CB
010132DB \8>xor eax,20
010132DE 5>push ecx
010132DF C>retn
0006FFC0 - F>jmp eax ; AHpack_0.0100739D
0100739D 6>push 70
0100739F 6>push AHpack_0.01001898
010073A4 E>call AHpack_0.01007568
010073A9 3>xor ebx,ebx
010073AB 5>push ebx
010073AC 8>mov edi,dword ptr ds:[10010CC] ; kernel32.GetModuleHandleA
010073B2 F>call edi
010073B4 6>cmp word ptr ds:[eax],5A4D
Microsoft Visual C++ 7.0 Method2 [Debug]
|
