【Title】: tElock 0.98b1 IAT repair
【Author】: pao
【Author's e-mail】: paohum@126.com
【Software】: a Notepad packed with tElock 0.98b1
【Platform】: pirated XP SP2
【Author's note】: Just out of interest, nothing else. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Detailed process】
First, the encryption flow.
Set bp GetModuleHandleA; when it breaks, return to the caller, which is the packer's import-processing loop:
01011236 /0F84 EE030000 JE NOTEPAD_.0101162A ; all import descriptors done? exit of the whole loop
0101123C |03C2 ADD EAX,EDX ; eax = VA of the DLL name
0101123E |8BD8 MOV EBX,EAX
01011240 |50 PUSH EAX
01011241 |FF95 D0D24000 CALL DWORD PTR SS:[EBP+40D2D0] ; GetModuleHandleA: get the DLL base
01011247 |85C0 TEST EAX,EAX ; got it?
01011249 |0F85 BA000000 JNZ NOTEPAD_.01011309 ; yes, jump
0101124F |53 PUSH EBX ; no: push the DLL name
01011250 |FF95 E4BA4000 CALL DWORD PTR SS:[EBP+40BAE4] ; LoadLibraryA: load the DLL
01011256 |85C0 TEST EAX,EAX ; loaded?
01011258 |0F85 AB000000 JNZ NOTEPAD_.01011309 ; yes, jump
0101125E |8B95 62D34000 MOV EDX,DWORD PTR SS:[EBP+40D362] ; error path: the DLL could not be loaded
01011264 |0195 2AD34000 ADD DWORD PTR SS:[EBP+40D32A],EDX
0101126A |0195 36D34000 ADD DWORD PTR SS:[EBP+40D336],EDX
01011270 |6A 30 PUSH 30
01011272 |53 PUSH EBX
01011273 |FFB5 36D34000 PUSH DWORD PTR SS:[EBP+40D336]
01011279 |EB 53 JMP SHORT NOTEPAD_.010112CE
0101127B |8B95 62D34000 MOV EDX,DWORD PTR SS:[EBP+40D362]
01011281 |0195 2AD34000 ADD DWORD PTR SS:[EBP+40D32A],EDX
01011287 |0195 2ED34000 ADD DWORD PTR SS:[EBP+40D32E],EDX
0101128D |0195 3ED34000 ADD DWORD PTR SS:[EBP+40D33E],EDX
01011293 |0195 42D34000 ADD DWORD PTR SS:[EBP+40D342],EDX
01011299 |0195 46D34000 ADD DWORD PTR SS:[EBP+40D346],EDX
0101129F |6A 30 PUSH 30
010112A1 |FFB5 2AD34000 PUSH DWORD PTR SS:[EBP+40D32A]
010112A7 |48 DEC EAX
010112A8 |75 08 JNZ SHORT NOTEPAD_.010112B2
010112AA |FFB5 46D34000 PUSH DWORD PTR SS:[EBP+40D346]
010112B0 |EB 1C JMP SHORT NOTEPAD_.010112CE
010112B2 |40 INC EAX
010112B3 |75 08 JNZ SHORT NOTEPAD_.010112BD
010112B5 |FFB5 2ED34000 PUSH DWORD PTR SS:[EBP+40D32E]
010112BB |EB 11 JMP SHORT NOTEPAD_.010112CE
010112BD |40 INC EAX
010112BE |75 08 JNZ SHORT NOTEPAD_.010112C8
010112C0 |FFB5 3ED34000 PUSH DWORD PTR SS:[EBP+40D33E]
010112C6 |EB 06 JMP SHORT NOTEPAD_.010112CE
010112C8 |FFB5 42D34000 PUSH DWORD PTR SS:[EBP+40D342]
010112CE |6A 00 PUSH 0
010112D0 |FF95 D8D24000 CALL DWORD PTR SS:[EBP+40D2D8]
010112D6 |8B85 E8BA4000 MOV EAX,DWORD PTR SS:[EBP+40BAE8]
010112DC |894424 FC MOV DWORD PTR SS:[ESP-4],EAX
010112E0 |61 POPAD
010112E1 |6A 00 PUSH 0
010112E3 |FF5424 E0 CALL DWORD PTR SS:[ESP-20]
010112E7 |8B95 62D34000 MOV EDX,DWORD PTR SS:[EBP+40D362]
010112ED |0195 2AD34000 ADD DWORD PTR SS:[EBP+40D32A],EDX
010112F3 |0195 3AD34000 ADD DWORD PTR SS:[EBP+40D33A],EDX
010112F9 |6A 30 PUSH 30
010112FB |FFB5 2AD34000 PUSH DWORD PTR SS:[EBP+40D32A]
01011301 |FFB5 3AD34000 PUSH DWORD PTR SS:[EBP+40D33A]
01011307 ^|EB C5 JMP SHORT NOTEPAD_.010112CE
01011309 |8985 4AD34000 MOV DWORD PTR SS:[EBP+40D34A],EAX ; save the DLL base (hModule)
0101130F |8D85 28CC4000 LEA EAX,DWORD PTR SS:[EBP+40CC28] ; name table; the loop below compares the uppercased DLL name against it and the result sets the flag byte at EBP+40CCD7 that gates the IAT encryption
01011315 |60 PUSHAD
01011316 |33C9 XOR ECX,ECX
01011318 |2AF6 SUB DH,DH
0101131A |8A13 MOV DL,BYTE PTR DS:[EBX]
0101131C |F6C2 40 TEST DL,40
0101131F |74 03 JE SHORT NOTEPAD_.01011324
01011321 |80E2 5F AND DL,5F
01011324 |0AD2 OR DL,DL
01011326 |74 1E JE SHORT NOTEPAD_.01011346
01011328 |43 INC EBX
01011329 |FEC6 INC DH
0101132B |41 INC ECX
0101132C |3A5408 FF CMP DL,BYTE PTR DS:[EAX+ECX-1]
01011330 ^|74 E8 JE SHORT NOTEPAD_.0101131A
01011332 |3A5408 08 CMP DL,BYTE PTR DS:[EAX+ECX+8]
01011336 ^|74 E2 JE SHORT NOTEPAD_.0101131A
01011338 |3A5408 12 CMP DL,BYTE PTR DS:[EAX+ECX+12]
0101133C ^|74 DC JE SHORT NOTEPAD_.0101131A
0101133E |3A5408 1D CMP DL,BYTE PTR DS:[EAX+ECX+1D]
01011342 ^|74 D6 JE SHORT NOTEPAD_.0101131A
01011344 ^|EB D0 JMP SHORT NOTEPAD_.01011316
01011346 |0AF6 OR DH,DH
01011348 |895424 1C MOV DWORD PTR SS:[ESP+1C],EDX
0101134C |61 POPAD
0101134D |C685 D7CC4000 0>MOV BYTE PTR SS:[EBP+40CCD7],0 ; flag: encrypt this DLL's imports (set to 1 at 01011373)
01011354 |74 24 JE SHORT NOTEPAD_.0101137A
01011356 |80EC 08 SUB AH,8
01011359 |B0 01 MOV AL,1
0101135B |FECC DEC AH
0101135D |74 04 JE SHORT NOTEPAD_.01011363
0101135F |D0E0 SHL AL,1
01011361 ^|EB F8 JMP SHORT NOTEPAD_.0101135B
01011363 |8AA5 52CC4000 MOV AH,BYTE PTR SS:[EBP+40CC52]
01011369 |0885 52CC4000 OR BYTE PTR SS:[EBP+40CC52],AL
0101136F |84C4 TEST AH,AL
01011371 |75 07 JNZ SHORT NOTEPAD_.0101137A
01011373 |808D D7CC4000 0>OR BYTE PTR SS:[EBP+40CCD7],1
0101137A |33C0 XOR EAX,EAX
0101137C |8803 MOV BYTE PTR DS:[EBX],AL ; wipe the DLL name string
0101137E |43 INC EBX
0101137F |3803 CMP BYTE PTR DS:[EBX],AL
01011381 ^|75 F7 JNZ SHORT NOTEPAD_.0101137A
01011383 |83A5 4ED34000 0>AND DWORD PTR SS:[EBP+40D34E],0 ; thunk offset = 0 for this DLL
0101138A |8B95 62D34000 MOV EDX,DWORD PTR SS:[EBP+40D362] ; edx = image base
01011390 |8B06 MOV EAX,DWORD PTR DS:[ESI] ; OriginalFirstThunk of the current descriptor
01011392 |85C0 TEST EAX,EAX
01011394 |75 0B JNZ SHORT NOTEPAD_.010113A1
01011396 |8B46 10 MOV EAX,DWORD PTR DS:[ESI+10] ; none: fall back to FirstThunk
01011399 |85C0 TEST EAX,EAX
0101139B ^|0F84 46FFFFFF JE NOTEPAD_.010112E7 ; both zero: error path
010113A1 |03C2 ADD EAX,EDX
010113A3 |0385 4ED34000 ADD EAX,DWORD PTR SS:[EBP+40D34E] ; + current thunk offset
010113A9 |8B18 MOV EBX,DWORD PTR DS:[EAX] ; ebx = thunk entry (name RVA or ordinal)
010113AB |F7C3 00000080 TEST EBX,80000000 ; import by ordinal?
010113B1 |74 06 JE SHORT NOTEPAD_.010113B9
010113B3 |8120 00000080 AND DWORD PTR DS:[EAX],80000000
010113B9 |8B7E 10 MOV EDI,DWORD PTR DS:[ESI+10] ; FirstThunk = the IAT
010113BC |03FA ADD EDI,EDX
010113BE |80A5 D6CC4000 F>AND BYTE PTR SS:[EBP+40CCD6],0FF ; first control flag
010113C5 |0F84 30010000 JE NOTEPAD_.010114FB ; magic jmp
010113CB |80A5 D7CC4000 F>AND BYTE PTR SS:[EBP+40CCD7],0FF ; second control flag (set by the DLL-name check above)
010113D2 |0F84 23010000 JE NOTEPAD_.010114FB ; magic jmp
010113D8 |89BD 5AD44000 MOV DWORD PTR SS:[EBP+40D45A],EDI ; save the IAT address
010113DE |8B85 52D44000 MOV EAX,DWORD PTR SS:[EBP+40D452] ; stub-storage pointer: -1 = failed, 0 = not allocated yet
010113E4 |40 INC EAX
010113E5 |0F84 10010000 JE NOTEPAD_.010114FB ; magic jmp
010113EB |48 DEC EAX
010113EC |0F85 B2000000 JNZ NOTEPAD_.010114A4 ; already allocated: go emit the next stub
010113F2 |60 PUSHAD ; from here on the IAT gets "encrypted"
010113F3 |8BF7 MOV ESI,EDI ; the IAT entries about to be filled
010113F5 |2BC0 SUB EAX,EAX ; clear eax
010113F7 |40 INC EAX ; eax is the counter
010113F8 |833F 00 CMP DWORD PTR DS:[EDI],0 ; reached the dword 0 that separates two DLLs?
010113FB |8D7F 04 LEA EDI,DWORD PTR DS:[EDI+4] ; next entry
010113FE ^|75 F7 JNZ SHORT NOTEPAD_.010113F7 ; keep counting until the 0
01011400 |48 DEC EAX ; counter - 1 = number of APIs to fill in
01011401 |0F84 EC000000 JE NOTEPAD_.010114F3 ; nothing to fill?
01011407 |8BD8 MOV EBX,EAX ; ebx = number of entries
01011409 |6BC0 31 IMUL EAX,EAX,31 ; 0x31 bytes per entry
0101140C |6A 04 PUSH 4 ; PAGE_READWRITE
0101140E |68 00100000 PUSH 1000 ; MEM_COMMIT
01011413 |50 PUSH EAX
01011414 |6A 00 PUSH 0
01011416 |FF95 ECBA4000 CALL DWORD PTR SS:[EBP+40BAEC] ; VirtualAlloc: buffer for the IAT stubs
0101141C |85C0 TEST EAX,EAX ; allocated?
0101141E |0F84 CF000000 JE NOTEPAD_.010114F3 ; no: bail out
01011424 |8BFE MOV EDI,ESI ; the IAT entries to fill
01011426 |8BCB MOV ECX,EBX ; count
01011428 |8BF8 MOV EDI,EAX ; edi = start of the buffer, where the stubs are written
0101142A |8985 56D44000 MOV DWORD PTR SS:[EBP+40D456],EAX
01011430 |8BCB MOV ECX,EBX
01011432 |6BDB 29 IMUL EBX,EBX,29
01011435 |03DF ADD EBX,EDI ; ebx = buffer + count*0x29: storage area for the real API pointers
01011437 |891C24 MOV DWORD PTR SS:[ESP],EBX ; overwrite the saved edi: after POPAD the API pointers are written into the buffer instead of the IAT
0101143A |B0 B8 MOV AL,0B8
0101143C |6A 00 PUSH 0 ; index of the junk-prefix variant
0101143E |50 PUSH EAX ; al = B8, the mov eax,imm32 opcode every stub starts with
0101143F |53 PUSH EBX ; current storage slot
01011440 |0FB74424 08 MOVZX EAX,WORD PTR SS:[ESP+8] ; eax = prefix index (0..15)
01011445 |50 PUSH EAX
01011446 |8D85 14BB4000 LEA EAX,DWORD PTR SS:[EBP+40BB14] ; table of length-prefixed junk prefixes
0101144C |0FB618 MOVZX EBX,BYTE PTR DS:[EAX] ; bl = length of this entry
0101144F |FF0C24 DEC DWORD PTR SS:[ESP]
01011452 |7E 09 JLE SHORT NOTEPAD_.0101145D ; reached the selected entry
01011454 |40 INC EAX
01011455 |03C3 ADD EAX,EBX ; skip to the next entry
01011457 ^|EB F3 JMP SHORT NOTEPAD_.0101144C
01011459 |0000 ADD BYTE PTR DS:[EAX],AL ; padding after the jmp, never executed
0101145B |0000 ADD BYTE PTR DS:[EAX],AL
0101145D |40 INC EAX ; copy the junk prefix into the buffer
0101145E |8A38 MOV BH,BYTE PTR DS:[EAX]
01011460 |883F MOV BYTE PTR DS:[EDI],BH
01011462 |47 INC EDI
01011463 |FECB DEC BL
01011465 ^|7F F6 JG SHORT NOTEPAD_.0101145D
01011467 |5B POP EBX
01011468 |5B POP EBX ; storage slot
01011469 |58 POP EAX ; al = B8
0101146A |AA STOS BYTE PTR ES:[EDI] ; emit B8 (mov eax,imm32)
0101146B |FF0424 INC DWORD PTR SS:[ESP]
0101146E |832424 0F AND DWORD PTR SS:[ESP],0F ; next prefix variant, index mod 16
01011472 |4B DEC EBX
01011473 |891F MOV DWORD PTR DS:[EDI],EBX ; imm32 = storage slot - 1 (hence the inc eax in the stub)
01011475 |43 INC EBX
01011476 |83C3 04 ADD EBX,4 ; next storage slot
01011479 |83C7 04 ADD EDI,4
0101147C |B8 40FF30C3 MOV EAX,C330FF40
01011481 |AB STOS DWORD PTR ES:[EDI] ; emit 40 FF 30 C3: inc eax / push dword ptr [eax] / retn
01011482 |B0 B8 MOV AL,0B8
01011484 |49 DEC ECX
01011485 ^|7F B7 JG SHORT NOTEPAD_.0101143E ; next API
01011487 |AA STOS BYTE PTR ES:[EDI] ; one extra stub, the decoy: B8 ...
01011488 |E8 00000000 CALL NOTEPAD_.0101148D
0101148D |58 POP EAX ; eax = 0101148D
0101148E |AB STOS DWORD PTR ES:[EDI] ; ... imm32 = 0101148D ...
0101148F |B8 90FF30C3 MOV EAX,C330FF90
01011494 |AB STOS DWORD PTR ES:[EDI] ; ... 90 FF 30 C3: nop / push dword ptr [eax] / retn
01011495 |58 POP EAX
01011496 |61 POPAD ; edi is now the storage area (see 01011437)
01011497 |83A5 FBCA4000 0>AND DWORD PTR SS:[EBP+40CAFB],0 ; prefix index = 0
0101149E |89BD 52D44000 MOV DWORD PTR SS:[EBP+40D452],EDI ; save the storage pointer
010114A4 |8D85 14BB4000 LEA EAX,DWORD PTR SS:[EBP+40BB14] ; junk-prefix table again
010114AA |FFB5 FBCA4000 PUSH DWORD PTR SS:[EBP+40CAFB] ; current prefix index
010114B0 |0FB608 MOVZX ECX,BYTE PTR DS:[EAX]
010114B3 |FF0C24 DEC DWORD PTR SS:[ESP]
010114B6 |7E 05 JLE SHORT NOTEPAD_.010114BD
010114B8 |40 INC EAX
010114B9 |03C1 ADD EAX,ECX
010114BB ^|EB F3 JMP SHORT NOTEPAD_.010114B0
010114BD |890C24 MOV DWORD PTR SS:[ESP],ECX ; ecx = length of this entry's prefix
010114C0 |FF85 FBCA4000 INC DWORD PTR SS:[EBP+40CAFB]
010114C6 |83A5 FBCA4000 0>AND DWORD PTR SS:[EBP+40CAFB],0F ; next variant, mod 16
010114CD |8BBD 52D44000 MOV EDI,DWORD PTR SS:[EBP+40D452] ; edi = storage area
010114D3 |8B85 5AD44000 MOV EAX,DWORD PTR SS:[EBP+40D45A] ; IAT
010114D9 |0385 4ED34000 ADD EAX,DWORD PTR SS:[EBP+40D34E] ; + thunk offset = the current IAT slot
010114DF |8B8D 56D44000 MOV ECX,DWORD PTR SS:[EBP+40D456] ; address of the current stub
010114E5 |8908 MOV DWORD PTR DS:[EAX],ECX ; IAT slot = stub address: this is the "encrypted" entry
010114E7 |58 POP EAX
010114E8 |83C0 09 ADD EAX,9 ; prefix length + 9 (B8 imm32 / 40 / FF 30 / C3)
010114EB |0185 56D44000 ADD DWORD PTR SS:[EBP+40D456],EAX ; advance to the next stub
010114F1 |EB 08 JMP SHORT NOTEPAD_.010114FB
010114F3 |838D 52D44000 F>OR DWORD PTR SS:[EBP+40D452],FFFFFFFF ; allocation failed or nothing to fill: mark -1
010114FA |61 POPAD
010114FB |03BD 4ED34000 ADD EDI,DWORD PTR SS:[EBP+40D34E] ; edi = slot that receives the real API address (the IAT, or the storage area when encrypting)
01011501 |85DB TEST EBX,EBX
01011503 |0F84 C7000000 JE NOTEPAD_.010115D0 ; thunk 0: end of this DLL
01011509 |F7C3 00000080 TEST EBX,80000000 ; import by ordinal?
0101150F |6A 00 PUSH 0
01011511 |75 0F JNZ SHORT NOTEPAD_.01011522
01011513 |8D5C13 02 LEA EBX,DWORD PTR DS:[EBX+EDX+2] ; by name: skip the hint word to the function name
01011517 |803B 00 CMP BYTE PTR DS:[EBX],0
0101151A |0F84 93000000 JE NOTEPAD_.010115B3
01011520 |EB 45 JMP SHORT NOTEPAD_.01011567
01011522 |FF0424 INC DWORD PTR SS:[ESP]
01011525 |66:85DB TEST BX,BX
01011528 |0F84 85000000 JE NOTEPAD_.010115B3
0101152E |8B85 4AD34000 MOV EAX,DWORD PTR SS:[EBP+40D34A]
01011534 |3B85 42D44000 CMP EAX,DWORD PTR SS:[EBP+40D442]
0101153A |75 2B JNZ SHORT NOTEPAD_.01011567
0101153C |81E3 FFFFFF7F AND EBX,7FFFFFFF
01011542 |8BD3 MOV EDX,EBX
01011544 |8D1495 FCFFFFFF LEA EDX,DWORD PTR DS:[EDX*4-4]
0101154B |8B9D 4AD34000 MOV EBX,DWORD PTR SS:[EBP+40D34A]
01011551 |8B43 3C MOV EAX,DWORD PTR DS:[EBX+3C]
01011554 |8B4418 78 MOV EAX,DWORD PTR DS:[EAX+EBX+78]
01011558 |035C18 1C ADD EBX,DWORD PTR DS:[EAX+EBX+1C]
0101155C |8B041A MOV EAX,DWORD PTR DS:[EDX+EBX]
0101155F |0385 4AD34000 ADD EAX,DWORD PTR SS:[EBP+40D34A]
01011565 |EB 13 JMP SHORT NOTEPAD_.0101157A
01011567 |81E3 FFFFFF7F AND EBX,7FFFFFFF
0101156D |53 PUSH EBX
0101156E |FFB5 4AD34000 PUSH DWORD PTR SS:[EBP+40D34A]
01011574 |FF95 E0BA4000 CALL DWORD PTR SS:[EBP+40BAE0] ; GetProcAddress: resolve the API address
0101157A |40 INC EAX
0101157B |48 DEC EAX
0101157C |75 33 JNZ SHORT NOTEPAD_.010115B1
0101157E |58 POP EAX
0101157F |F9 STC
01011580 ^|0F82 61FDFFFF JB NOTEPAD_.010112E7 ; always taken: GetProcAddress failed, error path
01011586 |47 INC EDI ; not code: 01011586-010115AF hold the ASCII names "GDI32.DLL" "USER32.DLL" "SHELL32.DLL" "KERNEL32.DLL", which OllyDbg has disassembled as instructions; offsets 0, 9, 13h and 1Eh are exactly the four positions the loop at 0101131A compares against
01011587 |44 INC ESP
01011588 |49 DEC ECX
01011589 |3332 XOR ESI,DWORD PTR DS:[EDX]
0101158B |2E:44 INC ESP ; Superfluous prefix
0101158D |4C DEC ESP
0101158E |4C DEC ESP
0101158F |55 PUSH EBP
01011590 |53 PUSH EBX
01011591 |45 INC EBP
01011592 |52 PUSH EDX
01011593 |3332 XOR ESI,DWORD PTR DS:[EDX]
01011595 |2E:44 INC ESP ; Superfluous prefix
01011597 |4C DEC ESP
01011598 |4C DEC ESP
01011599 |53 PUSH EBX
0101159A |48 DEC EAX
0101159B |45 INC EBP
0101159C |4C DEC ESP
0101159D |4C DEC ESP
0101159E |3332 XOR ESI,DWORD PTR DS:[EDX]
010115A0 |2E:44 INC ESP ; Superfluous prefix
010115A2 |4C DEC ESP
010115A3 |4C DEC ESP
010115A4 |4B DEC EBX
010115A5 |45 INC EBP
010115A6 |52 PUSH EDX
010115A7 |4E DEC ESI
010115A8 |45 INC EBP
010115A9 |4C DEC ESP
010115AA |3332 XOR ESI,DWORD PTR DS:[EDX]
010115AC |2E:44 INC ESP ; Superfluous prefix
010115AE |4C DEC ESP
010115AF |4C DEC ESP
010115B0 |90 NOP ; a junk instruction was NOPed out here
010115B1 |8907 MOV DWORD PTR DS:[EDI],EAX ; write the API address into the IAT, or into the packer's storage area when encrypting
010115B3 |58 POP EAX
010115B4 |48 DEC EAX
010115B5 |74 0D JE SHORT NOTEPAD_.010115C4
010115B7 |40 INC EAX
010115B8 |F8 CLC
010115B9 |66:8943 FE MOV WORD PTR DS:[EBX-2],AX
010115BD |8803 MOV BYTE PTR DS:[EBX],AL
010115BF |43 INC EBX
010115C0 |3803 CMP BYTE PTR DS:[EBX],AL
010115C2 ^|75 F9 JNZ SHORT NOTEPAD_.010115BD
010115C4 |8385 4ED34000 0>ADD DWORD PTR SS:[EBP+40D34E],4 ; next IAT slot
010115CB ^|E9 BAFDFFFF JMP NOTEPAD_.0101138A ; next API
010115D0 |83C6 14 ADD ESI,14 ; next IMAGE_IMPORT_DESCRIPTOR (0x14 bytes)
010115D3 |8B95 62D34000 MOV EDX,DWORD PTR SS:[EBP+40D362]
010115D9 ^|E9 48FCFFFF JMP NOTEPAD_.01011226 ; next DLL
010115DE |61 POPAD
///////////////////////////////////////////////////////////////////////////////////////////
From the analysis, the packer controls the IAT encryption with two flag bytes (EBP+40CCD6 and EBP+40CCD7), which gives three magic jmps: the JEs at 010113C5, 010113D2 and 010113E5, all to 010114FB. Turning any one of them into an unconditional jump skips the encryption, and the MOV at 010115B1 then writes the real API address straight into the IAT. The encryption itself works like this: allocate a buffer, unpack the stub ("linking") code into it (the packer generated the stub pieces at packing time, so at run time they only have to be copied into place), and finally replace the address the API pointer is written to with a slot inside that buffer.

Now for the stubs themselves. Select the JE at 01011236, press Enter to follow it, set a breakpoint there, and set a memory-access breakpoint on the .text section. It breaks at the OEP:
01006420 55 PUSH EBP ; program OEP
01006421 8BEC MOV EBP,ESP
01006423 6A FF PUSH -1
01006425 68 88180001 PUSH NOTEPAD_.01001888
0100642A 68 D0650001 PUSH NOTEPAD_.010065D0 ; JMP to msvcrt._except_handler3
0100642F 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
01006435 50 PUSH EAX
01006436 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
It is a VC++ program. Search the code for the binary sequence FF 15 (CALL DWORD PTR [xxxx]) to find the IAT references; the IAT at 01001000 looks like this:
01001000 77DCD5FD advapi32.IsTextUnicode
01001004 77DC8F7D advapi32.RegCreateKeyW
01001008 77DA6FC8 advapi32.RegQueryValueExW
0100100C 77DAD7CC advapi32.RegSetValueExW
01001010 77DA761B advapi32.RegOpenKeyExA
01001014 77DA7883 advapi32.RegQueryValueExA
01001018 77DA6BF0 advapi32.RegCloseKey
0100101C 00000000
01001020 008A0000
01001024 008A0010
01001028 008A0020
0100102C 008A0031
01001030 008A004E
01001034 008A005F
01001038 008A006E
0100103C 008A007D
01001040 008A008E
Many of the entries are encrypted. Take a look at a few of the stubs:
008A0000 85E4 TEST ESP,ESP
008A0002 79 03 JNS SHORT 008A0007
008A0004 0F9142 B8 SETNO BYTE PTR DS:[EDX-48]
008A0008 AE SCAS BYTE PTR ES:[EDI]
008A0009 038A 0040FF30 ADD ECX,DWORD PTR DS:[EDX+30FF4000]
008A000F C3 RETN
008A0010 85E4 TEST ESP,ESP
008A0012 79 03 JNS SHORT 008A0017
008A0014 0F9142 B8 SETNO BYTE PTR DS:[EDX-48]
008A0018 B2 03 MOV DL,3
008A001A 8A00 MOV AL,BYTE PTR DS:[EAX]
008A001C 40 INC EAX
008A001D FF30 PUSH DWORD PTR DS:[EAX]
008A001F C3 RETN
008A0020 F9 STC
008A0021 72 02 JB SHORT 008A0025
008A0023 CD 20 INT 20
008A0025 48 DEC EAX
008A0026 33C2 XOR EAX,EDX
008A0028 B8 B6038A00 MOV EAX,8A03B6
008A002D 40 INC EAX
008A002E FF30 PUSH DWORD PTR DS:[EAX]
008A0030 C3 RETN
The front part of each stub is irregular, comes in several forms and is padded with junk instructions: the TEST ESP,ESP / JNS and STC / JB pairs are always-taken branches over garbage bytes, so OllyDbg's linear disassembly shows SETNO and INT 20 where the mov eax,xxxx actually begins (the real code at 008A0007 is B8 AE 03 8A 00 / 40 / FF 30 / C3). Look closely and there is a pattern: whatever the prefix, every stub ends by transferring to the real API with
mov eax,xxxx ; address of the slot in the packer's buffer that holds the real API pointer
INC EAX
PUSH DWORD PTR DS:[EAX]
RETN
There is one more kind, a decoy written into the dword 0 that separates two DLLs; it reads a dword out of the packer's own code:
0089041A B8 8D140101 MOV EAX,101148D
0089041F 90 NOP
00890420 FF30 PUSH DWORD PTR DS:[EAX]
00890422 C3 RETN
Once the pattern is known the repair code is easy to write. Here is the routine I wrote; run it from the debugger once the packer has filled the IAT:
01010000 60 PUSHAD ; save registers
01010001 B8 00100001 MOV EAX,NOTEPAD_.01001000 ; start of the IAT
01010006 8338 00 CMP DWORD PTR DS:[EAX],0 ; the dword 0 separating two DLLs?
01010009 74 2C JE SHORT NOTEPAD_.01010037 ; yes, skip it
0101000B 8078 03 01 CMP BYTE PTR DS:[EAX+3],1 ; top byte > 1 (e.g. 77xxxxxx): a real API address, not a stub
0101000F 7F 26 JG SHORT NOTEPAD_.01010037 ; already correct, skip
01010011 8B38 MOV EDI,DWORD PTR DS:[EAX] ; edi = stub address from the encrypted slot
01010013 803F 30 CMP BYTE PTR DS:[EDI],30 ; look for the second byte (30) of push dword ptr [eax]
01010016 74 03 JE SHORT NOTEPAD_.0101001B ; found one
01010018 47 INC EDI ; next byte
01010019 ^ EB F8 JMP SHORT NOTEPAD_.01010013 ; keep scanning
0101001B 807F FF FF CMP BYTE PTR DS:[EDI-1],0FF ; is the byte before it FF, the first byte of push dword ptr [eax]?
0101001F ^ 75 F7 JNZ SHORT NOTEPAD_.01010018 ; no: a stray 30 (it can occur inside the imm32), keep scanning
01010021 83EF 01 SUB EDI,1 ; walk backwards to the mov eax,xxxx
01010024 803F B8 CMP BYTE PTR DS:[EDI],0B8 ; B8 is the opcode of mov eax,imm32
01010027 ^ 75 F8 JNZ SHORT NOTEPAD_.01010021 ; not yet, keep walking back
01010029 8B77 01 MOV ESI,DWORD PTR DS:[EDI+1] ; esi = the imm32 loaded into eax
0101002C 807F 05 40 CMP BYTE PTR DS:[EDI+5],40 ; does an inc eax (40) follow the mov?
01010030 75 01 JNZ SHORT NOTEPAD_.01010033 ; no
01010032 46 INC ESI ; yes, add the 1
01010033 8B36 MOV ESI,DWORD PTR DS:[ESI] ; esi = the real API address stored there
01010035 8930 MOV DWORD PTR DS:[EAX],ESI ; write it back into the IAT slot
01010037 83C0 04 ADD EAX,4 ; next IAT slot
0101003A 3D F8120001 CMP EAX,NOTEPAD_.010012F8 ; end of the IAT reached?
0101003F ^ 72 C5 JB SHORT NOTEPAD_.01010006 ; no, loop
01010041 61 POPAD ; done, restore registers
01010042 68 20640001 PUSH NOTEPAD_.01006420 ; push the OEP
01010047 C3 RETN ; return to the OEP
After running this code the IAT is repaired!
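The routine above is tied to one process image and one debugger. As an added example, not code from the original article, here is the same algorithm in Python for running over a process dump. It builds a constructed image following the layout the listings show (IAT at 01001000, stubs in the VirtualAlloc'd buffer at 008A0000 with the pointer storage at buffer + count*0x29 as computed at 01011432, each stub a junk prefix followed by mov eax,imm32 / inc eax / push dword ptr [eax] / retn, and the decoy mov eax,0101148D / nop / push [eax] / retn dropped into a separator slot), then resolves every stub. The import list, the API addresses and the module ranges are assumed, and so is the stub form without inc eax, which the emitter above never produces but the repair routine allows for. Two things differ from the assembly: the scan matches the whole FF 30 C3 tail, so a 0x30 byte inside the imm32 cannot end the search early, and a resolved value is accepted only if it lies inside a loaded module, which sends the decoy (its target 0101148D holds packer code, 90B8AB58 read as a dword) back to 0 instead of writing garbage over the separator.

```python
import struct

# Addresses taken from the article's dump; everything else in this file is constructed.
IAT_START, IAT_END = 0x01001000, 0x010012F8   # range the article's repair loop walks
BUF_BASE = 0x008A0000                         # packer's VirtualAlloc'd stub buffer
DECOY_TARGET = 0x0101148D                     # the decoy stub reads a dword of packer code
MEM_BASE = BUF_BASE                           # flat memory model starts at the buffer
# Assumed module ranges (roughly XP SP2 bases); a resolved pointer must fall inside one.
MODULES = {"advapi32": (0x77DA0000, 0x9B000), "kernel32": (0x7C800000, 0xF6000),
           "user32": (0x7E410000, 0x91000), "gdi32": (0x77F10000, 0x49000)}
# Junk prefixes copied from the stubs at 008A0000 and 008A0020: an always-taken branch over
# garbage bytes, which is why OllyDbg shows SETNO / INT 20 where the mov eax really starts.
PREFIXES = [bytes.fromhex("85E479030F9142"), bytes.fromhex("F97202CD204833C2")]


# Flat little-endian accessors over one bytearray standing in for the dumped process.
def r8(mem, a): return mem[a - MEM_BASE]
def r32(mem, a): return struct.unpack_from("<I", mem, a - MEM_BASE)[0]
def w(mem, a, data): mem[a - MEM_BASE:a - MEM_BASE + len(data)] = data
def w32(mem, a, v): w(mem, a, struct.pack("<I", v))


def module_for(addr):
    """Module containing addr, or None.  The article tests 'top byte > 1' instead; the decoy
    resolves to 90B8AB58, which passes that test but not this one."""
    return next((n for n, (b, s) in MODULES.items() if b <= addr < b + s), None)


def build_packed_image(imports):
    """Constructed image. imports: [(kind, api)] in IAT order; kind is 'plain' (left alone
    by the packer), 'enc' (slot points at a stub) or 'sep' (the dword 0 between two DLLs)."""
    mem = bytearray(0x01012000 - MEM_BASE)   # covers the packer buffer and the notepad image
    storage = BUF_BASE + sum(k == "enc" for k, _ in imports) * 0x29   # as at 01011432
    cursor, expected = BUF_BASE, []
    for i, (kind, api) in enumerate(imports):
        slot, offset = IAT_START + 4 * i, 4 * i
        expected.append(0 if kind == "sep" else api)
        if kind == "plain":
            w32(mem, slot, api)
        elif kind == "enc":
            use_inc = bool(i & 1)   # the emitter above always writes inc eax; no-inc is assumed
            w32(mem, storage + offset, api)                # real pointer, mirrored at the IAT offset
            imm = storage + offset - (1 if use_inc else 0)
            stub = (PREFIXES[(i >> 1) & 1] + b"\xB8" + struct.pack("<I", imm)
                    + (b"\x40" if use_inc else b"") + b"\xFF\x30\xC3")
            w(mem, cursor, stub)
            w32(mem, slot, cursor)                         # the "encrypted" IAT entry
            cursor += len(stub)
    # Decoy emitted after the real stubs (01011487..01011494); its pointer lands in a separator slot.
    w(mem, cursor, b"\xB8" + struct.pack("<I", DECOY_TARGET) + b"\x90\xFF\x30\xC3")
    w32(mem, IAT_START + 4 * next(i for i, (k, _) in enumerate(imports) if k == "sep"), cursor)
    w(mem, DECOY_TARGET, bytes.fromhex("58ABB890FF30C3"))  # bytes of the packer code at 0101148D
    return mem, expected


def resolve_stub(mem, stub, max_len=64):
    """Follow one stub to the API it forwards to; None for a decoy or an unknown shape."""
    tail = next((p for p in range(stub, stub + max_len)         # push dword ptr [eax] / retn
                 if mem[p - MEM_BASE:p - MEM_BASE + 3] == b"\xFF\x30\xC3"), None)
    if tail is None:
        return None
    # B8 (mov eax,imm32) sits 6 bytes before the push when a one-byte instruction
    # (inc eax = 40, or the decoy's nop = 90) separates them, otherwise 5 bytes before.
    if r8(mem, tail - 6) == 0xB8 and r8(mem, tail - 1) in (0x40, 0x90):
        target = r32(mem, tail - 5) + (1 if r8(mem, tail - 1) == 0x40 else 0)
    elif r8(mem, tail - 5) == 0xB8:
        target = r32(mem, tail - 4)
    else:
        return None
    api = r32(mem, target)                                      # the dword push/retn jumps to
    return api if module_for(api) else None


def repair_iat(mem):
    """Rewrite every stub pointer with the real export; a decoy slot goes back to 0.
    Returns {slot: new value} for the slots that changed."""
    changed = {}
    for slot in range(IAT_START, IAT_END, 4):
        value = r32(mem, slot)
        if value and not module_for(value):          # skip separators and untouched entries
            changed[slot] = resolve_stub(mem, value) or 0
            w32(mem, slot, changed[slot])
    return changed


# Constructed import list; the API addresses are assumed, not taken from the article.
IMPORTS = [("plain", 0x77DCD5FD), ("plain", 0x77DA6BF0), ("sep", 0),
           ("enc", 0x7C80AE40), ("enc", 0x7C801D7B), ("enc", 0x7C80B741), ("sep", 0),
           ("enc", 0x7E4507EA), ("enc", 0x7E41A8AD), ("sep", 0), ("enc", 0x77F16A7B), ("sep", 0)]


def demo():
    """Build the constructed image, repair it, return (repaired IAT, expected IAT, #changed)."""
    mem, expected = build_packed_image(IMPORTS)
    changed = repair_iat(mem)
    return [r32(mem, IAT_START + 4 * i) for i in range(len(IMPORTS))], expected, len(changed)
```

Against a real dump, build_packed_image is replaced by the dumped bytes (rebased to MEM_BASE) and MODULES by the module list from the debugger; repair_iat then does what the assembly above does, with the two extra checks.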
The end!
--------------------------------------------------------------------------------
【Copyright】: No copyright; feel free to repost.
2010年04月25日 14:05:17