Armadillo 4.05 (Public Build) 脱文-外文翻译-看雪-安全社区|安全招聘|kanxue.com

Armadillo 4.05 (Public Build) 脱文

发表于: 2005-2-21 14:49 10091

Armadillo 4.05 (Public Build) 脱文

鸡蛋壳

2005-2-21 14:49

10091

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@ Armadillo 4.05 (Public Build) manually unpacking @@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

See tutor with notepad,Font Fixedsys Regular size 9.

Well,sometimez in the life of a reverser comes a great day.Well this is
one of them.I introcude U the manuall unpacking tutorial for Armadillo
for latest version at that time 4.05.Well here is startz...

Toolz Used: Olly v1.10,commandline Plug,HideOlly Plug,Ollydump Plug,
      LordPE and NO IMPREC.

Yes,as U heared.No Import Rebuilding using ImpRec or other toolz.The
way we will do it is manually and extremelly easy and can be done for
ALL packerz at that time.Well,I packed a crackme with a downloaded
version of armadillo.The thing is that it is a demo version,but
all features that I checked as protections in options work just fine.
So,the only difference from the registered version using the options I
choosen (and I will say later who are these options) is just a nug
screen when the protected file starts.

Well if U go in Dillo'z menu Protection->Edit Project U will see the
protection options.I 've chosen those:

Protection options:Standard Protection only,Enable import elimination,
   Enable strategic code splicing,enable memory patching
   protections.

All otherz options as they are when U open Dillo for first time.

In the zip U will find a packed and a clean version of the exe.Well open
the packed version of the exe and load it in Olly.Then make sure that U
have placed NO breakpoints of any kind and U have only checked in Debugging
Options the Ignore memory Access Violations in KERNEL32.Well,these options
in Dillo I set give two anti-debugging protections.The first is the usual
call at IsDebuggerPresent API but becasue of the HideOlly plug we don't have
a problem.The second is a call at OutPutDebugString API which prints a string
in a debugger,if he is running.The thing is that Olly v1.10 has a format stack buffer
overflow (bug) and if U give as a string something like %x this will trigger the
overflow and will make Olly crash (check article at http://www.securiteam.com/windowsntfocus/5ZP0N00DFE.html)

We will defeat this using this trick:In Olly code window,right click and Search for
Name in all modules.Find OutPutDebugString and double click on it and U are at the
memory location where the code of that API starts.Do not place a breakpoint of
any kind there,because Dillo'z enable memory patching protection will find it(and
other optionz maybe).So U should be here at start of OutPutDebugString:

77E949B7 > 68 2C020000    PUSH 22C
77E949BC 68 8853E977    PUSH kernel32.77E95388
77E949C1 E8 1259FEFF    CALL kernel32.77E7A2D8
77E949C6 8365 FC 00    AND DWORD PTR SS:[EBP-4],0
77E949CA 8B4D 08       MOV ECX,DWORD PTR SS:[EBP+8]
77E949CD 8BC1          MOV EAX,ECX
77E949CF 8D70 01       LEA ESI,DWORD PTR DS:[EAX+1]
77E949D2 8A10          MOV DL,BYTE PTR DS:[EAX]
77E949D4 40             INC EAX
77E949D5 84D2          TEST DL,DL
77E949D7  ^75 F9          JNZ SHORT kernel32.77E949D2
77E949D9 2BC6          SUB EAX,ESI
77E949DB 40             INC EAX
77E949DC 8945 E0       MOV DWORD PTR SS:[EBP-20],EAX
77E949DF 894D E4       MOV DWORD PTR SS:[EBP-1C],ECX
77E949E2 8D45 E0       LEA EAX,DWORD PTR SS:[EBP-20]
77E949E5 50             PUSH EAX
77E949E6 6A 02          PUSH 2
77E949E8 6A 00          PUSH 0
77E949EA 68 06000140    PUSH 40010006
77E949EF E8 43EEFDFF    CALL kernel32.RaiseException
77E949F4 834D FC FF    OR DWORD PTR SS:[EBP-4],FFFFFFFF
77E949F8 E8 A259FEFF    CALL kernel32.77E7A39F
77E949FD C2 0400       RETN 4

U see that it ends with a RETN 4.So just enter this opcode as the first at 77E949B7
(your addresses may be different due to different version of Windowz) and this is a memory
patch that Dillo won't catch,because it's in OS memory location.Now start pressing Shift+F9
so many times till the prog executes.How many times was it?In me was 31 times.Now restart Olly
and do the anti-debbuging trick all over,start pressing Shift+f9 so many times as before
minus 2.For me this is 29 times.Don't mind if during this a nug screen apprearz,just press
OK.U should be HeRe:

00ADD266 8900          MOV DWORD PTR DS:[EAX],EAX <- Olly breaks HeRe
00ADD268 90             NOP
00ADD269 E9 57010000    JMP 00ADD3C5
00ADD26E FF75 EC       PUSH DWORD PTR SS:[EBP-14]
00ADD271 E8 34F5FFFF    CALL 00ADC7AA
00ADD276 59             POP ECX
00ADD277 C3             RETN
00ADD278 8B65 E8       MOV ESP,DWORD PTR SS:[EBP-18]
00ADD27B 70 07          JO SHORT 00ADD284
00ADD27D 7C 03          JL SHORT 00ADD282
00ADD27F EB 05          JMP SHORT 00ADD286
00ADD281 E8 74FBEBF9    CALL FA99CDFA
00ADD286 A1 5C4DAF00    MOV EAX,DWORD PTR DS:[AF4D5C]
00ADD28B 85C0          TEST EAX,EAX
00ADD28D 0F84 0C010000 JE 00ADD39F
00ADD293 8B50 04       MOV EDX,DWORD PTR DS:[EAX+4]
00ADD296 8B0D B84DAF00 MOV ECX,DWORD PTR DS:[AF4DB8]          ; packed.00400000
00ADD29C 3BD1          CMP EDX,ECX
00ADD29E 8B1D BC4DAF00 MOV EBX,DWORD PTR DS:[AF4DBC]          ; packed.004A5000

Now,place a memory breakpoint on access at the code section of your program,that U will
see pushing the "M" button in Olly (for me it was located at address 401000 with size of
1000).Now press one more time Shift+F9 and U are at OEP.This should look like this:

00401099 EB 27          JMP SHORT packed.004010C2 <--- Olly Breakz HeRe at OEP.So OEP=00401099
0040109B 33C0          XOR EAX,EAX
0040109D A3 F7204000    MOV DWORD PTR DS:[4020F7],EAX
004010A2 6A 29          PUSH 29
004010A4 68 0E204000    PUSH packed.0040200E
004010A9 6A 65          PUSH 65
004010AB FF75 08       PUSH DWORD PTR SS:[EBP+8]
004010AE E8 D9010000    CALL packed.0040128C                   ; JMP to USER32.GetDlgItemTextA
004010B3 A3 F7204000    MOV DWORD PTR DS:[4020F7],EAX
004010B8 B8 01000000    MOV EAX,1
004010BD E9 89000000    JMP packed.0040114B
004010C2 6A 00          PUSH 0
004010C4 E8 E1010000    CALL packed.004012AA
004010C9 A3 F3204000    MOV DWORD PTR DS:[4020F3],EAX
004010CE C705 C7204000 03>MOV DWORD PTR DS:[4020C7],4003
004010D8 C705 CB204000 89>MOV DWORD PTR DS:[4020CB],packed.0040118>
004010E2 C705 CF204000 00>MOV DWORD PTR DS:[4020CF],0
004010EC C705 D3204000 00>MOV DWORD PTR DS:[4020D3],0
004010F6 A1 F3204000    MOV EAX,DWORD PTR DS:[4020F3]
004010FB A3 D7204000    MOV DWORD PTR DS:[4020D7],EAX

Remove the memory breakpoint and dump the file with OllyDump plugin.Try to load in
Olly the dumped file,or to open  it with LordPe.Well,it is not regignized as a valid
PE file becasue Dillo has destroyed the PE header as an anti-dumping trick.Well this is
easy to be fixed.When U are at OEP see the PE header pressing the "M" button in Olly.This
is just before the program's code (for me it has start address 400000 and Size 1000).Now
open a second Olly and load the packed file.See also its header.Well,compare with your
eyes the two headers and make the header of the exe that is at OEP the same with the
header that has the packed file(and not in reverse order).Easy to be done since only
some bytes of the header (not much) have chenged.When done,dump again the exe that is
at OEP,and close the session of the second Olly U recently opened.

Now try to open the new dumped file with Olly.It opens just fine.But when running it
crashes.Well,time for some IAT rebuilding.In this case IMPRec will not fix many
thunks in IAT.And this is being done because not only redirects the API calls and]
it erases the IAT (remember the option Enable import elimination I used? ;) but also
splices the code in many parts of memory OUT of the image memory dump of the prog in
memory (remember also the Enable strategic code splicing option I used? ;).This is done
by allocating memory space using Virtualalloc and same kind of API's.So those parts of
the code (that is actually taken from the original code segment) are not in the dumped
file that Ollu Dump Plugin produced.So new the idea is this:

I will dump the part of memory that has been allocated by the protector and contains
the exe's code and I will dump also the part of memory that has been  allocated and
containz the ABSOLUTE api addresses of iat (since at the time of the dumping all
ABSOLUTE api addresses the exe uses,either taked from original IAT of the redirected
should be present somewhere in memory).Then I will fill the space between the last
segment of the exe and the Virtual address that those dumped segments
with other segments (not dumped,I will create them with LordPE).Those are useless but
need for filling the memory addresses when the exe is being running.So,at the end I will
have as a dump a BIGGER file than the protected(because of all this space of segments)
but will be an exactly copy of memory,so it will run just fine.But where are those two
segments in ourcase?Well this is the way to find out:

U are at OEP in Olly,here:

00401099 EB 27          JMP SHORT packed.004010C2 <--- Olly Breakz HeRe at OEP.So OEP=00401099
0040109B 33C0          XOR EAX,EAX
0040109D A3 F7204000    MOV DWORD PTR DS:[4020F7],EAX
004010A2 6A 29          PUSH 29
004010A4 68 0E204000    PUSH packed.0040200E
004010A9 6A 65          PUSH 65
004010AB FF75 08       PUSH DWORD PTR SS:[EBP+8]
004010AE E8 D9010000    CALL packed.0040128C                   ; JMP to USER32.GetDlgItemTextA
004010B3 A3 F7204000    MOV DWORD PTR DS:[4020F7],EAX
004010B8 B8 01000000    MOV EAX,1
004010BD E9 89000000    JMP packed.0040114B
004010C2 6A 00          PUSH 0
004010C4 E8 E1010000    CALL packed.004012AA

Start tracing using F7 till 004010C4.Enter the call with F7 and U are HeRe:

004012AA  -FF25 98304000 JMP DWORD PTR DS:[403098]

Well,at [403098] was supposed to be an address of the API.Let's trace using F7
and we jamp here:

00AC8C70 55             PUSH EBP
00AC8C71 8BEC          MOV EBP,ESP
00AC8C73 51             PUSH ECX
00AC8C74 53             PUSH EBX
00AC8C75 56             PUSH ESI
00AC8C76 57             PUSH EDI
00AC8C77 FF75 08       PUSH DWORD PTR SS:[EBP+8]
00AC8C7A E8 1ACBFFFF    CALL 00AC5799
00AC8C7F 85C0          TEST EAX,EAX
00AC8C81 59             POP ECX
00AC8C82 8945 FC       MOV DWORD PTR SS:[EBP-4],EAX
00AC8C85 75 2A          JNZ SHORT 00AC8CB1
00AC8C87 60             PUSHAD
00AC8C88 8B15 184AAF00 MOV EDX,DWORD PTR DS:[AF4A18]          ; kernel32.77E7A237

So,we can assume that becasue the Base Address of our exe is at 00400000 this
part of code is the spliced code from Dillo.So the segment that has code
that has been sliced from Dillo is located at 00ACXXXX,and if U see in memory
map pressing the "M" button in Olly,this is the segment that has address
AB0000 and size 4E000.So first in Olly right click on the segment in memory
image (pressing "M" button) and set access->Full access.If U don't do so
then it will not be dumped.Now open lordPE,select the process and dump partial
this segment.Now where is the segment of valid API addresses?Well
we stoped tracing at 00AC8C70,continue tracing using F7 and enter the call at
00AC8C7A.We are HeRe:

00AC5799 55             PUSH EBP
00AC579A 8BEC          MOV EBP,ESP
00AC579C 6A FF          PUSH -1
00AC579E 68 E826AE00    PUSH 0AE26E8
00AC57A3 68 4017AE00    PUSH 0AE1740                            ; JMP to msvcrt._except_handler3
00AC57A8 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00AC57AE 50             PUSH EAX
00AC57AF 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00AC57B6 83EC 0C       SUB ESP,0C
00AC57B9 53             PUSH EBX
00AC57BA 56             PUSH ESI
00AC57BB 57             PUSH EDI
00AC57BC 8965 E8       MOV DWORD PTR SS:[EBP-18],ESP
00AC57BF 8365 FC 00    AND DWORD PTR SS:[EBP-4],0
00AC57C3 6A 3A          PUSH 3A
00AC57C5 8B7D 08       MOV EDI,DWORD PTR SS:[EBP+8]
00AC57C8 57             PUSH EDI
00AC57C9 FF15 0423AE00 CALL DWORD PTR DS:[AE2304]             ; msvcrt.strchr

Trace with F7 till 00AC57C9.Check contents at [AE2304].U See this:

00AE2304  00 36 C4 77 00 3A C4 77 90 35 C4 77 60 2E C4 77  .6镊.:镊?镊`.镊
00AE2314  50 32 C4 77 25 89 C2 77 10 2F C4 77 33 89 C2 77  P2镊%?w/镊3?w
00AE2324  70 BD C1 77 44 3F C4 77 F8 C5 C1 77 66 CD C3 77  p搅wD?镊?流f兔w
00AE2334  75 D9 C3 77 34 E0 C3 77 C1 3F C4 77 F0 3D C4 77  u倜w4嗝w?镊?镊
00AE2344  C5 CB C1 77 42 89 C2 77 DC 7A C3 77 40 31 C3 77  潘流B?w茭明@1明
00AE2354  F6 30 C3 77 6B AA C2 77 DB 79 C3 77 46 AC C2 77  ?明k?w垸明F?w
00AE2364  88 D3 C5 77 82 E3 C3 77 BF E1 C3 77 85 BF C3 77  ?坯?明酷明?明
00AE2374  20 26 C4 77 A2 22 C4 77 B8 27 C4 77 F5 24 C4 77 &镊?镊?镊?镊
00AE2384  70 26 C4 77 62 23 C4 77 9A 2A C4 77 F5 19 C2 77  p&镊b#镊?镊?瞒
00AE2394  C0 36 C4 77 00 00 00 00 50 16 12 77 4B 17 12 77  ?镊....PwKw
00AE23A4  7E 36 12 77 EC 14 12 77 00 00 00 00 97 28 43 77  ~6w?w....?Cw
00AE23B4  00 00 00 00 E6 56 D4 77 69 8E D6 77 79 96 D4 77  ....嬷憎i?wy?w
00AE23C4  3C 97 D6 77 C4 C6 D4 77 CA 6B D4 77 CB 0B D6 77  <?w钠憎孰憎?主
00AE23D4  6F 68 D4 77 0C 86 D4 77 C0 5A D4 77 D9 55 D4 77  oh憎.?w磊憎僬憎
00AE23E4  E9 D9 D4 77 9D 56 D4 77 09 53 D4 77 27 8E D4 77  橘憎?憎.S憎'?w

Well,these are the valid absolute IAT addresses.So if we trace with F7 once
more we will jamp at api 77C43600.So,this is the same segment we dumped
before.No more dumping.

Open now lordPE.U remember that the dumped section had as started address
the address AB0000?So,create a new segment and make the Virtual size and
the Raw size so big,that now,adding a section from file (choosing the dumped
section before) the Raw Offset and Virtual Offset will be AB0000-ImageBase.For
ImageBase=0040000 Roffset and Voffset are same 6B0000.So,when it will run this
segment will go at AB0000 and the exe will find its spliced code and the
IAT addresses there.The segments in memory when we are at OEP in Olly are:

Memory map
Address Size    Owner    Section Contains    Type Access Initial Mapped as
00010000 00001000                                     Priv RW       RW
00020000 00001000                                     Priv RW       RW
000E4000 00001000                                     Priv RW  Guar  RW
000E5000 0004B000                      stack of mai  Priv RW  Guar  RW
00130000 00001000                                     Map R       R
00140000 00016000                                     Priv RW       RW
00240000 00006000                                     Priv RW       RW
00250000 00001000                                     Map RW       RW
00260000 00016000                                     Map R       R       \Device\HarddiskVolume1\WINDOWS\system32\unicode.nls
00280000 00034000                                     Map R       R       \Device\HarddiskVolume1\WINDOWS\system32\locale.nls
002C0000 00041000                                     Map R       R       \Device\HarddiskVolume1\WINDOWS\system32\sortkey.nls
00310000 00006000                                     Map R       R       \Device\HarddiskVolume1\WINDOWS\system32\sorttbls.nls
00320000 00006000                                     Map R E    R E
003E0000 00002000                                     Map R E    R E
003F0000 00001000                                     Priv RW       RW
00400000 00001000 packed                            Imag R       RWE
00401000 00001000 packed    CODE                   Imag R       RWE
00402000 00001000 packed    DATA                   Imag R       RWE
00403000 00001000 packed    .idata                Imag R       RWE
00404000 00001000 packed    .reloc                Imag R       RWE
00405000 00040000 packed    .text    code       Imag R       RWE
00445000 00010000 packed    .adata                Imag R       RWE
00455000 00010000 packed    .data    data,imports  Imag R       RWE
00465000 00010000 packed    .reloc1 relocations Imag R       RWE
00475000 00030000 packed    .pdata                Imag R       RWE
004A5000 00007000 packed    .rsrc    resources    Imag R       RWE
004B0000 00103000                                     Map R       R
005C0000 000D4000                                     Map R E    R E
008C0000 00001000                                     Priv RW       RW
008D0000 0000E000                                     Priv RW       RW
008E0000 00003000                                     Map R       R       \Device\HarddiskVolume1\WINDOWS\system32\ctype.nls
008F0000 0000E000                                     Priv RW       RW
00900000 00051000                                     Map R       R
00960000 00001000                                     Map RW       RW
00970000 00010000                                     Map RW       RW
009B0000 00001000                                     Priv RW       RW
00AB0000 0004E000                                     Priv RW       RW
00B00000 0000C000                                     Priv RW       RW
00B10000 00002000                                     Map R       R
00B20000 00018000                                     Priv RW       RW
00B40000 000A4000                                     Priv RW       RW
00BF4000 00001000                                     Priv RW       RW
00C04000 00001000                                     Priv RW       RW
00C20000 00006000                                     Priv RW       RW
00C30000 00003000                                     Priv RW       RW
00C70000 00001000                                     Map RW       RW
00C80000 00001000                                     Map RW       RW
00C90000 00001000                                     Priv RW       RW
00CD1000 00002000                                     Priv RW       RW
00E90000 00011000                                     Map R       R       \Device\HarddiskVolume1\WINDOWS\system32\c_1253.nls
00EB0000 00001000                                     Priv RW       RW
00F30000 00001000                                     Priv RW       RW
00F40000 00007000                                     Map RW       RW
00FC0000 00004000                                     Priv RW       RW
00FD0000 00003000                                     Priv RW       RW
0110D000 00003000                                     Priv RW  Guar  RW
01300000 00002000                                     Map R       R
01310000 00010000                                     Priv RW       RW
5AD70000 00001000 uxtheme             PE header    Imag R       RWE
5AD71000 0002C000 uxtheme .text    code,imports  Imag R       RWE
5AD9D000 00001000 uxtheme .data    data       Imag R       RWE
5AD9E000 00004000 uxtheme .rsrc    resources    Imag R       RWE
5ADA2000 00002000 uxtheme .reloc    relocations Imag R       RWE
666F0000 00001000 inetmib1             PE header    Imag R       RWE
666F1000 00005000 inetmib1 .text    code,imports  Imag R       RWE
666F6000 00003000 inetmib1 .data    data       Imag R       RWE
666F9000 00001000 inetmib1 .rsrc    resources    Imag R       RWE
666FA000 00001000 inetmib1 .reloc    relocations Imag R       RWE
70A70000 00001000 SHLWAPI             PE header    Imag R       RWE
70A71000 0005B000 SHLWAPI .text    code,imports  Imag R       RWE
70ACC000 00001000 SHLWAPI .data    data       Imag R       RWE
70ACD000 00002000 SHLWAPI .rsrc    resources    Imag R       RWE
70ACF000 00005000 SHLWAPI .reloc    relocations Imag R       RWE
71950000 00001000 comctl_1             PE header    Imag R       RWE
71951000 00088000 comctl_1 .text    code,imports  Imag R       RWE
719D9000 00001000 comctl_1 .data    data       Imag R       RWE
719DA000 00054000 comctl_1 .rsrc    resources    Imag R       RWE
71A2E000 00006000 comctl_1 .reloc    relocations Imag R       RWE
71AA0000 00001000 WS2HELP             PE header    Imag R       RWE
71AA1000 00004000 WS2HELP .text    code,imports  Imag R       RWE
71AA5000 00001000 WS2HELP .data    data       Imag R       RWE
71AA6000 00001000 WS2HELP .rsrc    resources    Imag R       RWE
71AA7000 00001000 WS2HELP .reloc    relocations Imag R       RWE
71AB0000 00001000 WS2_32             PE header    Imag R       RWE
71AB1000 00011000 WS2_32    .text    code,imports  Imag R       RWE
71AC2000 00001000 WS2_32    .data    data       Imag R       RWE
71AC3000 00001000 WS2_32    .rsrc    resources    Imag R       RWE
71AC4000 00001000 WS2_32    .reloc    relocations Imag R       RWE
71AD0000 00001000 WSOCK32             PE header    Imag R       RWE
71AD1000 00003000 WSOCK32 .text    code,imports  Imag R       RWE
71AD4000 00003000 WSOCK32 .rsrc    data,resourc  Imag R       RWE
71AD7000 00001000 WSOCK32 .reloc    relocations Imag R       RWE
71BF0000 00001000 SAMLIB             PE header    Imag R       RWE
71BF1000 0000D000 SAMLIB    .text    code,imports  Imag R       RWE
71BFE000 00001000 SAMLIB    .data    data       Imag R       RWE
71BFF000 00001000 SAMLIB    .rsrc    resources    Imag R       RWE
71C00000 00001000 SAMLIB    .reloc    relocations Imag R       RWE
71C20000 00001000 NETAPI32             PE header    Imag R       RWE
71C21000 00046000 NETAPI32 .text    code,imports  Imag R       RWE
71C67000 00003000 NETAPI32 .data    data       Imag R       RWE
71C6A000 00001000 NETAPI32 .rsrc    resources    Imag R       RWE
71C6B000 00003000 NETAPI32 .reloc    relocations Imag R       RWE
71F60000 00001000 snmpapi             PE header    Imag R       RWE
71F61000 00004000 snmpapi .text    code,imports  Imag R       RWE
71F65000 00001000 snmpapi .data    data       Imag R       RWE
71F66000 00001000 snmpapi .rsrc    resources    Imag R       RWE
71F67000 00001000 snmpapi .reloc    relocations Imag R       RWE
73420000 00001000 MSVBVM60             PE header    Imag R       RWE
73421000 000FD000 MSVBVM60 .text    code,imports  Imag R       RWE
7351E000 0000D000 MSVBVM60 ENGINE    code       Imag R       RWE
7352B000 00007000 MSVBVM60 .data    data       Imag R       RWE
73532000 00031000 MSVBVM60 .rsrc    resources    Imag R       RWE
73563000 00010000 MSVBVM60 .reloc    relocations Imag R       RWE
74720000 00001000 MSCTF                PE header    Imag R       RWE
74721000 0003A000 MSCTF    .text    code,imports  Imag R       RWE
7475B000 00002000 MSCTF    .data    data       Imag R       RWE
7475D000 00004000 MSCTF    .rsrc    resources    Imag R       RWE
74761000 00003000 MSCTF    .reloc    relocations Imag R       RWE
763B0000 00001000 comdlg32             PE header    Imag R       RWE
763B1000 0002C000 comdlg32 .text    code,imports  Imag R       RWE
763DD000 00004000 comdlg32 .data    data       Imag R       RWE
763E1000 00011000 comdlg32 .rsrc    resources    Imag R       RWE
763F2000 00003000 comdlg32 .reloc    relocations Imag R       RWE
76670000 00001000 SETUPAPI             PE header    Imag R       RWE
76671000 00071000 SETUPAPI .text    code,imports  Imag R       RWE
766E2000 00002000 SETUPAPI .data    data       Imag R       RWE
766E4000 0006E000 SETUPAPI .rsrc    resources    Imag R       RWE
76752000 00005000 SETUPAPI .reloc    relocations Imag R       RWE
76B20000 00001000 ATL                PE header    Imag R       RWE
76B21000 0000A000 ATL       .text    code       Imag R       RWE
76B2B000 00003000 ATL       .rdata    imports,expo  Imag R       RWE
76B2E000 00002000 ATL       .data    data       Imag R       RWE
76B30000 00003000 ATL       .rsrc    resources    Imag R       RWE
76B33000 00002000 ATL       .reloc    relocations Imag R       RWE
76D40000 00001000 MPRAPI             PE header    Imag R       RWE
76D41000 00012000 MPRAPI    .text    code,imports  Imag R       RWE
76D53000 00001000 MPRAPI    .data    data       Imag R       RWE
76D54000 00001000 MPRAPI    .rsrc    resources    Imag R       RWE
76D55000 00001000 MPRAPI    .reloc    relocations Imag R       RWE
76D60000 00001000 iphlpapi             PE header    Imag R       RWE
76D61000 00011000 iphlpapi .text    code,imports  Imag R       RWE
76D72000 00001000 iphlpapi .data    data       Imag R       RWE
76D73000 00003000 iphlpapi .rsrc    resources    Imag R       RWE
76D76000 00001000 iphlpapi .reloc    relocations Imag R       RWE
76E10000 00001000 adsldpc             PE header    Imag R       RWE
76E11000 00021000 adsldpc .text    code,imports  Imag R       RWE
76E32000 00001000 adsldpc .data    data       Imag R       RWE
76E33000 00001000 adsldpc .rsrc    resources    Imag R       RWE
76E34000 00001000 adsldpc .reloc    relocations Imag R       RWE
76E40000 00001000 ACTIVEDS             PE header    Imag R       RWE
76E41000 00023000 ACTIVEDS .text    code,imports  Imag R       RWE
76E64000 00008000 ACTIVEDS .data    data       Imag R       RWE
76E6C000 00001000 ACTIVEDS .rsrc    resources    Imag R       RWE
76E6D000 00002000 ACTIVEDS .reloc    relocations Imag R       RWE
76E80000 00001000 rtutils             PE header    Imag R       RWE
76E81000 00009000 rtutils .text    code,imports  Imag R       RWE
76E8A000 00001000 rtutils .data    data       Imag R       RWE
76E8B000 00001000 rtutils .rsrc    resources    Imag R       RWE
76E8C000 00001000 rtutils .reloc    relocations Imag R       RWE
76F60000 00001000 WLDAP32             PE header    Imag R       RWE
76F61000 00020000 WLDAP32 .text    code,imports  Imag R       RWE
76F81000 00008000 WLDAP32 .data    data       Imag R       RWE
76F89000 00001000 WLDAP32 .rsrc    resources    Imag R       RWE
76F8A000 00002000 WLDAP32 .reloc    relocations Imag R       RWE
77120000 00001000 OLEAUT32             PE header    Imag R       RWE
77121000 00081000 OLEAUT32 .text    code,imports  Imag R       RWE
771A2000 00002000 OLEAUT32 .data                   Imag R       RWE
771A4000 00001000 OLEAUT32 .rsrc    resources    Imag R       RWE
771A5000 00006000 OLEAUT32 .reloc    relocations Imag R       RWE
771B0000 00001000 OLE32                PE header    Imag R       RWE
771B1000 000F9000 OLE32    .text    code,imports  Imag R       RWE
772AA000 00006000 OLE32    .orpc    code       Imag R       RWE
772B0000 00007000 OLE32    .data    data       Imag R       RWE
772B7000 00002000 OLE32    .rsrc    resources    Imag R       RWE
772B9000 0000E000 OLE32    .reloc    relocations Imag R       RWE
77340000 00001000 COMCTL32             PE header    Imag R       RWE
77341000 00066000 COMCTL32 .text    code,imports  Imag R       RWE
773A7000 00001000 COMCTL32 .data    data       Imag R       RWE
773A8000 0001F000 COMCTL32 .rsrc    resources    Imag R       RWE
773C7000 00004000 COMCTL32 .reloc    relocations Imag R       RWE
773D0000 00001000 SHELL32             PE header    Imag R       RWE
773D1000 001E0000 SHELL32 .text    code,imports  Imag R       RWE
775B1000 0001C000 SHELL32 .data    data       Imag R       RWE
775CD000 005E0000 SHELL32 .rsrc    resources    Imag R       RWE
77BAD000 0001A000 SHELL32 .reloc    relocations Imag R       RWE
77C10000 00001000 msvcrt             PE header    Imag R       RWE
77C11000 00047000 msvcrt    .text    code,imports  Imag R       RWE
77C58000 00007000 msvcrt    .data    data       Imag R       RWE
77C5F000 00001000 msvcrt    .rsrc    resources    Imag R       RWE
77C60000 00003000 msvcrt    .reloc    relocations Imag R       RWE
77D40000 00001000 USER32             PE header    Imag R       RWE
77D41000 0005B000 USER32    .text    code,imports  Imag R       RWE
77D9C000 00002000 USER32    .data    data       Imag R       RWE
77D9E000 0002B000 USER32    .rsrc    resources    Imag R       RWE
77DC9000 00003000 USER32    .reloc    relocations Imag R       RWE
77DD0000 00001000 ADVAPI32             PE header    Imag R       RWE
77DD1000 00067000 ADVAPI32 .text    code,imports  Imag R       RWE
77E38000 00005000 ADVAPI32 .data    data       Imag R       RWE
77E3D000 0001B000 ADVAPI32 .rsrc    resources    Imag R       RWE
77E58000 00005000 ADVAPI32 .reloc    relocations Imag R       RWE
77E60000 00001000 kernel32             PE header    Imag R       RWE
77E61000 00076000 kernel32 .text    code,imports  Imag R       RWE
77ED7000 00003000 kernel32 .data    data       Imag R       RWE
77EDA000 00066000 kernel32 .rsrc    resources    Imag R       RWE
77F40000 00006000 kernel32 .reloc    relocations Imag R       RWE
77F50000 00001000 ntdll                PE header    Imag R       RWE
77F51000 0006E000 ntdll    .text    code,exports  Imag R       RWE
77FBF000 00004000 ntdll    ECODE    code       Imag R       RWE
77FC3000 00005000 ntdll    .data    data       Imag R       RWE
77FC8000 0002C000 ntdll    .rsrc    resources    Imag R       RWE
77FF4000 00003000 ntdll    .reloc    relocations Imag R       RWE
78000000 00001000 RPCRT4             PE header    Imag R       RWE
78001000 00070000 RPCRT4    .text    code,imports  Imag R       RWE
78071000 00006000 RPCRT4    .orpc    code       Imag R       RWE
78077000 00001000 RPCRT4    .data    data       Imag R       RWE
78078000 00001000 RPCRT4    .rsrc    resources    Imag R       RWE
78079000 00005000 RPCRT4    .reloc    relocations Imag R       RWE
7E090000 00001000 GDI32                PE header    Imag R       RWE
7E091000 0003C000 GDI32    .text    code,imports  Imag R       RWE
7E0CD000 00001000 GDI32    .data    data       Imag R       RWE
7E0CE000 00001000 GDI32    .rsrc    resources    Imag R       RWE
7E0CF000 00002000 GDI32    .reloc    relocations Imag R       RWE
7F6F0000 00007000                                     Map R E    R E
7FFB0000 00024000                                     Map R       R
7FFDD000 00001000                                     Priv RWE    RWE
7FFDE000 00001000                      data block o  Priv RWE    RWE
7FFDF000 00001000                                     Priv RWE    RWE
7FFE0000 00001000                                     Priv R       R

U see that after the last section  of the exe starting at 004A5000 (.rsrc),there
is allocated memory till address AB0000 where the segment we need is.The memory
dump after creating the two new segments and loading the exe into Olly is:

Memory map
Address Size    Owner    Section Contains    Type Access Initial Mapped as
00010000 00001000                                     Priv RW       RW
00020000 00001000                                     Priv RW       RW
0012D000 00001000                                     Priv RW  Guar  RW
0012E000 00002000                      stack of mai  Priv RW  Guar  RW
00130000 00001000                                     Map R       R
00140000 00004000                                     Priv RW       RW
00240000 00006000                                     Priv RW       RW
00250000 00001000                                     Map RW       RW
00260000 00016000                                     Map R       R       \Device\HarddiskVolume1\WINDOWS\system32\unicode.nls
00280000 00034000                                     Map R       R       \Device\HarddiskVolume1\WINDOWS\system32\locale.nls
002C0000 00041000                                     Map R       R       \Device\HarddiskVolume1\WINDOWS\system32\sortkey.nls
00310000 00006000                                     Map R       R       \Device\HarddiskVolume1\WINDOWS\system32\sorttbls.nls
00320000 00006000                                     Map R E    R E
003E0000 00002000                                     Map R E    R E
003F0000 00001000                                     Priv RW       RW
00400000 00001000 unpacked             PE header    Imag R       RWE
00401000 00001000 unpacked CODE                   Imag R       RWE
00402000 00001000 unpacked DATA                   Imag R       RWE
00403000 00001000 unpacked .idata                Imag R       RWE
00404000 00001000 unpacked .reloc                Imag R       RWE
00405000 00040000 unpacked .text    code       Imag R       RWE
00445000 00010000 unpacked .adata                Imag R       RWE
00455000 00010000 unpacked .data    data,imports  Imag R       RWE
00465000 00010000 unpacked .reloc1 relocations Imag R       RWE
00475000 00030000 unpacked .pdata                Imag R       RWE
004A5000 00007000 unpacked .rsrc    resources    Imag R       RWE
004AC000 00604000 unpacked .NewSec                Imag R       RWE
00AB0000 0004E000 unpacked dumped1.                Imag R       RWE
00B00000 00103000                                     Map R       R
00C10000 000D4000                                     Map R E    R E
00F10000 00001000                                     Priv RW       RW
77D40000 00001000 USER32             PE header    Imag R       RWE
77D41000 0005B000 USER32    .text    code,imports  Imag R       RWE
77D9C000 00002000 USER32    .data    data       Imag R       RWE
77D9E000 0002B000 USER32    .rsrc    resources    Imag R       RWE
77DC9000 00003000 USER32    .reloc    relocations Imag R       RWE
77DD0000 00001000 ADVAPI32             PE header    Imag R       RWE
77DD1000 00067000 ADVAPI32 .text    code,imports  Imag R       RWE
77E38000 00005000 ADVAPI32 .data    data       Imag R       RWE
77E3D000 0001B000 ADVAPI32 .rsrc    resources    Imag R       RWE
77E58000 00005000 ADVAPI32 .reloc    relocations Imag R       RWE
77E60000 00001000 kernel32             PE header    Imag R       RWE
77E61000 00076000 kernel32 .text    code,imports  Imag R       RWE
77ED7000 00003000 kernel32 .data    data       Imag R       RWE
77EDA000 00066000 kernel32 .rsrc    resources    Imag R       RWE
77F40000 00006000 kernel32 .reloc    relocations Imag R       RWE
77F50000 00001000 ntdll                PE header    Imag R       RWE
77F51000 0006E000 ntdll    .text    code,exports  Imag R       RWE
77FBF000 00004000 ntdll    ECODE    code       Imag R       RWE
77FC3000 00005000 ntdll    .data    data       Imag R       RWE
77FC8000 0002C000 ntdll    .rsrc    resources    Imag R       RWE
77FF4000 00003000 ntdll    .reloc    relocations Imag R       RWE
78000000 00001000 RPCRT4             PE header    Imag R       RWE
78001000 00070000 RPCRT4    .text    code,imports  Imag R       RWE
78071000 00006000 RPCRT4    .orpc    code       Imag R       RWE
78077000 00001000 RPCRT4    .data    data       Imag R       RWE
78078000 00001000 RPCRT4    .rsrc    resources    Imag R       RWE
78079000 00005000 RPCRT4    .reloc    relocations Imag R       RWE
7E090000 00001000 GDI32                PE header    Imag R       RWE
7E091000 0003C000 GDI32    .text    code,imports  Imag R       RWE
7E0CD000 00001000 GDI32    .data    data       Imag R       RWE
7E0CE000 00001000 GDI32    .rsrc    resources    Imag R       RWE
7E0CF000 00002000 GDI32    .reloc    relocations Imag R       RWE
7F6F0000 00007000                                     Map R E    R E
7FFB0000 00024000                                     Map R       R
7FFDE000 00001000                      data block o  Priv RWE    RWE
7FFDF000 00001000                                     Priv RWE    RWE
7FFE0000 00001000                                     Priv R       R

So we forced the loader to allocate so much space in memory and with those
memory locations as start (and proper sizes) by creating a useless actually
for running segment (.NewSec),but after that is the so much useful segment
that containz the absolute API calls and the spliced code of the exe (dumped1.).

Now try to run it.It still does not run.Why?Becuase Dillo added a last protection.
If U see the dll's that are loaded ("M" button) when U are at OEP in Olly are more that the dll's
loaded when U load the clear dumped file.So,we have to inject some code to the exe,use
LoadLibraryA to load any missing dll's and then Jamp at OEP.In my case the only dll
that has to be loaded is msvcrt.dll.So here is the code I patched,before jamping at OEP:

004012C6 > 9C             PUSHFD
004012C7 60             PUSHAD
004012C8 68 1C154000    PUSH unpacked.0040151C                ; ASCII "C:\WINDOWS\system32\msvcrt.dll"
004012CD E8 8FC6A777    CALL kernel32.LoadLibraryA
004012D2 61             POPAD
004012D3 9D             POPFD
004012D4  ^E9 C0FDFFFF    JMP unpacked.00401099

Well the final exe is 10 MB's because of the segment .NewSec we added,in order
the addresses to be good.When zipped,the size becomes almost equal with the packed
file,because the segment .NewSec we added is not actually a "working" segment but
uses only for the proper addressing allocation.So it is filled with 00's by LordPE
and zip compresses it in a large amount (up to 97%).We could have used also
VirtuallAlloc and not have put the .NewSec segment,and just copy the dumped1. segment
at AB0000.I tried it but I couldn't use VirtuallAlloc to allocate for a specific memory
location as start (here AB0000).But U can try it.

Now the exe runz perfectly.Have in mind that by that way the exe may not run
in other version of Windows that the system U unpacked it at,because the new IAT
containz the ABSOLUTE addresses of the API's that exe uses in that particular system.
But who carez?We have unpacked it,nice and clean...

This is the End.I think this is the Best Tutor I ever WroTe ;) U may also think this ;)

[课程]Linux pwn 探索篇！

收藏・0

免费・0

支持

最新回复 (16)
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 2 楼最初由鸡蛋壳发布 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@ Armadillo 4.05 (Public Build) manually unpacking @@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ........ KaGra又重新换了标题中的Armadillo版本号？ Armadillo 4.01a (Public Build) manually unpacking by KaGra http://www.exetools.com/forum/showthread.php?t=6578 2005-2-21 16:40 0
鸡蛋壳雪币： 427 活跃值： (412) 能力值： ( LV2，RANK：10 ) 在线值：发帖 456 回帖 3147 粉丝 9 关注私信	鸡蛋壳 3 楼最初由 fly 发布 KaGra又重新换了标题中的Armadillo版本号？ ........ 作者意思是表示通用。 2005-2-21 20:05 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 4 楼哦可能也表示by KaGra可以通用 2005-2-21 20:09 0
鸡蛋壳雪币： 427 活跃值： (412) 能力值： ( LV2，RANK：10 ) 在线值：发帖 456 回帖 3147 粉丝 9 关注私信	鸡蛋壳 5 楼最初由 fly 发布哦可能也表示by KaGra可以通用我给的是匿名人士教程，估计是真正的幕后高手。 2005-2-21 20:40 0
winbase 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 14 粉丝 0 关注私信	winbase 6 楼版主不跟了几个帖子我还以为是鸡蛋壳终于脱成功一个牛壳呢，原来如此啊。。。哈哈 2005-2-21 20:54 0
lucktiger 雪币： 5690 活跃值： (2537) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 260 粉丝 1 关注私信	lucktiger 7 楼学习学习！！ 2005-2-22 13:52 0
comicmanz 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 23 粉丝 0 关注私信	comicmanz 8 楼哪位简单翻译一下阿？英文太差，看不懂 2005-2-22 19:28 0
newsearch 雪币： 257 活跃值： (369) 能力值： ( LV12，RANK：370 ) 在线值：发帖 14 回帖 342 粉丝 2 关注私信	newsearch 9 9 楼这款是牛壳，我可脱壳不了。先试着翻译一段，慢慢来哈，学习的先。蛋蛋推荐的，想必不错。蛋蛋尽找别人的，自己也要写些文章噻。还有，上次你推荐的麦咖啡，我装不起耶，也不回帖帮我看看哈。 2005-2-23 00:49 0
newsearch 雪币： 257 活跃值： (369) 能力值： ( LV12，RANK：370 ) 在线值：发帖 14 回帖 342 粉丝 2 关注私信	newsearch 9 10 楼晕哦，我本想修改，反而成了重复发帖，汗！我本不想灌水哦 2005-2-23 00:52 0
newsearch 雪币： 257 活跃值： (369) 能力值： ( LV12，RANK：370 ) 在线值：发帖 14 回帖 342 粉丝 2 关注私信	newsearch 9 11 楼删除的重复发帖，晕。翻译未完待续 nug不知道怎样翻译，“花屏”？ 2005-2-23 00:54 0
newsearch 雪币： 257 活跃值： (369) 能力值： ( LV12，RANK：370 ) 在线值：发帖 14 回帖 342 粉丝 2 关注私信	newsearch 9 12 楼 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@ Armadillo 4.01a (Public Build)手工脱壳 @@@@@@@@@ 作者：KaGra 翻译：newsearch[TT] @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 请在记事本中阅读该教程。字体：Fixedsys 字体大小：9（呵呵，我这里只有12的）　有时候，在逆向者的生命中会迎来伟大的一天。下面就是其中之一。我将在这里给你介绍目前最新版本的Armadillo 4.05的手工脱壳教程。现在开始... 使用的工具: Olly v1.10,commandline Plug,HideOlly Plug,Ollydump Plug, LordPE and NO IMPREC. 正如你所闻，使用ImpRec或其它工具没有输入重建。我们将采用的方法是手工进行并且极其简单，可用于目前的所有加壳。我用一个下载的Armadillo版本加壳了一个Crackme，这仅仅是一个演示版本，但我检测了诸如保护选项等所有特征，它们运行得很好。因此，与注册版本在使用选项的仅有差别在于：当被保护文件启动时，它仅是一个nag屏幕。如果你进入Dillo的菜单Protection->Edit Project，你将会看到保护选项。我选择了如下这些：保护选项:Standard Protection only(仅用标准保护),Enable import elimination(输入表消除), Enable strategic code splicing(战略代码拼接?),enable memory patching protections(内存补丁保护). 当你第一次打开Dillo时，让所以其它选项保持默认。在ZIP文件中，你将会找到一个加壳的和一个未加壳的EXE文件。在OD中打开并加载加壳的EXE版本，确保未放置任何断点，并且仅在调试选项中选择了“Ignore memory Access Violations in KERNEL32”(在Kernel.32中忽略内存访问异常)。我在Dillo中设置的这些选项有两个反调试保护：第一个是在IsDebuggerPresent API上的通常调用，但因为有HideOlly插件，我们将不会遇到麻烦；第二个是在OutPutDebugString API上的调用，如果调试器运行，它将在调试器中打印一个字符串。实际情况是，Olly v1.10有一个格式堆栈缓冲器上溢(bug缺陷)，如果你给出了一个字符串诸如%x将触发该上溢并将是Olly崩溃(看文章http://www.securiteam.com/windowsntfocus/5ZP0N00DFE.html) 我们将使用一个技巧来欺骗它：在Olly代码窗口，点击“搜索－>所有模块中的名称”。找到OutPutDebugString并双击，你将来到该API起始代码的内存位置。不要在此设置任何断点，因为Dillo的“内存补丁保护”将发现它（也许其它选项也一样）。因此，下面将是OutPutDebugString的起始处： 77E949B7 > 68 2C020000 PUSH 22C 77E949BC 68 8853E977 PUSH kernel32.77E95388 77E949C1 E8 1259FEFF CALL kernel32.77E7A2D8 77E949C6 8365 FC 00 AND DWORD PTR SS:[EBP-4],0 77E949CA 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 77E949CD 8BC1 MOV EAX,ECX 77E949CF 8D70 01 LEA ESI,DWORD PTR DS:[EAX+1] 77E949D2 8A10 MOV DL,BYTE PTR DS:[EAX] 77E949D4 40 INC EAX 77E949D5 84D2 TEST DL,DL 77E949D7 ^75 F9 JNZ SHORT kernel32.77E949D2 77E949D9 2BC6 SUB EAX,ESI 77E949DB 40 INC EAX 77E949DC 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX 77E949DF 894D E4 MOV DWORD PTR SS:[EBP-1C],ECX 77E949E2 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20] 77E949E5 50 PUSH EAX 77E949E6 6A 02 PUSH 2 77E949E8 6A 00 PUSH 0 77E949EA 68 06000140 PUSH 40010006 77E949EF E8 43EEFDFF CALL kernel32.RaiseException 77E949F4 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF 77E949F8 E8 A259FEFF CALL kernel32.77E7A39F 77E949FD C2 0400 RETN 4 如你所见，它以RETN 4结束。进入第一行77E949B7(由于不同的Windows版本，你的地址可能不同)所在的操作码；这是一个内存补丁，Dillo将抓不到它，因为它在OS内存位置。现在，开始按Shift+F9多次直到程序执行。到底有多少次呢？在我的机子上是31次。重启Olly并进行所有反调试技巧，开始按Shift+F9多次，比前面的少2次；在我这里是29次。如果在这个过程中出现nag屏幕，不要理会，仅仅按OK。你将会来到这里： 00ADD266 8900 MOV DWORD PTR DS:[EAX],EAX <- Olly 中断在此 00ADD268 90 NOP 00ADD269 E9 57010000 JMP 00ADD3C5 00ADD26E FF75 EC PUSH DWORD PTR SS:[EBP-14] 00ADD271 E8 34F5FFFF CALL 00ADC7AA 00ADD276 59 POP ECX 00ADD277 C3 RETN 00ADD278 8B65 E8 MOV ESP,DWORD PTR SS:[EBP-18] 00ADD27B 70 07 JO SHORT 00ADD284 00ADD27D 7C 03 JL SHORT 00ADD282 00ADD27F EB 05 JMP SHORT 00ADD286 00ADD281 E8 74FBEBF9 CALL FA99CDFA 00ADD286 A1 5C4DAF00 MOV EAX,DWORD PTR DS:[AF4D5C] 00ADD28B 85C0 TEST EAX,EAX 00ADD28D 0F84 0C010000 JE 00ADD39F 00ADD293 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4] 00ADD296 8B0D B84DAF00 MOV ECX,DWORD PTR DS:[AF4DB8] ; packed.00400000 00ADD29C 3BD1 CMP EDX,ECX 00ADD29E 8B1D BC4DAF00 MOV EBX,DWORD PTR DS:[AF4DBC] ; packed.004A5000 现在，在你程序的代码段设置一个内存访问断点，在Olly中按"M"按钮（对我而言，地址是401000，大小1000）。按数次Shift+F9，你将来到OEP。看起来如下： 00401099 EB 27 JMP SHORT packed.004010C2 <--- Olly 在OEP的中断在此，因此OEP=00401099 0040109B 33C0 XOR EAX,EAX 0040109D A3 F7204000 MOV DWORD PTR DS:[4020F7],EAX 004010A2 6A 29 PUSH 29 004010A4 68 0E204000 PUSH packed.0040200E 004010A9 6A 65 PUSH 65 004010AB FF75 08 PUSH DWORD PTR SS:[EBP+8] 004010AE E8 D9010000 CALL packed.0040128C ; 跳转到USER32.GetDlgItemTextA 004010B3 A3 F7204000 MOV DWORD PTR DS:[4020F7],EAX 004010B8 B8 01000000 MOV EAX,1 004010BD E9 89000000 JMP packed.0040114B 004010C2 6A 00 PUSH 0 004010C4 E8 E1010000 CALL packed.004012AA 004010C9 A3 F3204000 MOV DWORD PTR DS:[4020F3],EAX 004010CE C705 C7204000 03>MOV DWORD PTR DS:[4020C7],4003 004010D8 C705 CB204000 89>MOV DWORD PTR DS:[4020CB],packed.0040118> 004010E2 C705 CF204000 00>MOV DWORD PTR DS:[4020CF],0 004010EC C705 D3204000 00>MOV DWORD PTR DS:[4020D3],0 004010F6 A1 F3204000 MOV EAX,DWORD PTR DS:[4020F3] 004010FB A3 D7204000 MOV DWORD PTR DS:[4020D7],EAX 2005-2-23 00:54 0
采臣·宁雪币： 154 活跃值： (216) 能力值： ( LV4，RANK：50 ) 在线值：发帖 33 回帖 1343 粉丝 6 关注私信	采臣·宁 1 13 楼 nug据上下文，是不是打错字了。nag 2005-2-23 09:21 0
newsearch 雪币： 257 活跃值： (369) 能力值： ( LV12，RANK：370 ) 在线值：发帖 14 回帖 342 粉丝 2 关注私信	newsearch 9 14 楼最初由采臣・宁发布 nug据上下文，是不是打错字了。nag 我也猜测是不是nag，文中还出现了两次，可能是笔误。nag这个单词仅仅在医学上出现。 2005-2-23 09:53 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 15 楼 NAG：意指烦人的小窗口（不必翻译）未注册版Armadillo加壳会有NAG 建议：既然翻译就用原版，把教程篇名和作者还原 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@ Armadillo 4.01a (Public Build) manually unpacking by KaGra @@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 附件中是原版教程附件:by.KaGra.zip 2005-2-23 10:17 0
newsearch 雪币： 257 活跃值： (369) 能力值： ( LV12，RANK：370 ) 在线值：发帖 14 回帖 342 粉丝 2 关注私信	newsearch 9 16 楼最初由 fly 发布 NAG：意指烦人的小窗口（不必翻译）未注册版Armadillo加壳会有NAG ........ Fly老大来了哈。好，就用你给的原版。不经你提醒，又上了蛋蛋的当了原文是Nug，估计是笔误，我就把它当Nag翻译好了，不久前才去了一个程序的Nag。身体出了点BUG，要休息一下。希望有人接着翻译。 2005-2-23 10:36 0
Feisu 雪币： 1913 活跃值： (15) 能力值： (RANK：10 ) 在线值：发帖 24 回帖 144 粉丝 4 关注私信	Feisu 17 楼正如你所闻，使用ImpRec或其它工具没有输入重建。 Yes,as U heared.No Import Rebuilding using ImpRec or other toolz 这句话我想应该翻译错了吧。应该是不用ImpRec重建IAT 或者其他工具来重建IAT.这句话的意思应该是这样吧 2005-2-24 23:38 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

鸡蛋壳

456

发帖

3147

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (16)
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 2 楼最初由鸡蛋壳发布 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@ Armadillo 4.05 (Public Build) manually unpacking @@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ........ KaGra又重新换了标题中的Armadillo版本号？ Armadillo 4.01a (Public Build) manually unpacking by KaGra http://www.exetools.com/forum/showthread.php?t=6578 2005-2-21 16:40 0
鸡蛋壳雪币： 427 活跃值： (412) 能力值： ( LV2，RANK：10 ) 在线值：发帖 456 回帖 3147 粉丝 9 关注私信	鸡蛋壳 3 楼最初由 fly 发布 KaGra又重新换了标题中的Armadillo版本号？ ........ 作者意思是表示通用。 2005-2-21 20:05 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 4 楼哦可能也表示by KaGra可以通用 2005-2-21 20:09 0
鸡蛋壳雪币： 427 活跃值： (412) 能力值： ( LV2，RANK：10 ) 在线值：发帖 456 回帖 3147 粉丝 9 关注私信	鸡蛋壳 5 楼最初由 fly 发布哦可能也表示by KaGra可以通用我给的是匿名人士教程，估计是真正的幕后高手。 2005-2-21 20:40 0
winbase 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 14 粉丝 0 关注私信	winbase 6 楼版主不跟了几个帖子我还以为是鸡蛋壳终于脱成功一个牛壳呢，原来如此啊。。。哈哈 2005-2-21 20:54 0
lucktiger 雪币： 5690 活跃值： (2537) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 260 粉丝 1 关注私信	lucktiger 7 楼学习学习！！ 2005-2-22 13:52 0
comicmanz 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 23 粉丝 0 关注私信	comicmanz 8 楼哪位简单翻译一下阿？英文太差，看不懂 2005-2-22 19:28 0
newsearch 雪币： 257 活跃值： (369) 能力值： ( LV12，RANK：370 ) 在线值：发帖 14 回帖 342 粉丝 2 关注私信	newsearch 9 9 楼这款是牛壳，我可脱壳不了。先试着翻译一段，慢慢来哈，学习的先。蛋蛋推荐的，想必不错。蛋蛋尽找别人的，自己也要写些文章噻。还有，上次你推荐的麦咖啡，我装不起耶，也不回帖帮我看看哈。 2005-2-23 00:49 0
newsearch 雪币： 257 活跃值： (369) 能力值： ( LV12，RANK：370 ) 在线值：发帖 14 回帖 342 粉丝 2 关注私信	newsearch 9 10 楼晕哦，我本想修改，反而成了重复发帖，汗！我本不想灌水哦 2005-2-23 00:52 0
newsearch 雪币： 257 活跃值： (369) 能力值： ( LV12，RANK：370 ) 在线值：发帖 14 回帖 342 粉丝 2 关注私信	newsearch 9 11 楼删除的重复发帖，晕。翻译未完待续 nug不知道怎样翻译，“花屏”？ 2005-2-23 00:54 0
newsearch 雪币： 257 活跃值： (369) 能力值： ( LV12，RANK：370 ) 在线值：发帖 14 回帖 342 粉丝 2 关注私信	newsearch 9 12 楼 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@ Armadillo 4.01a (Public Build)手工脱壳 @@@@@@@@@ 作者：KaGra 翻译：newsearch[TT] @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 请在记事本中阅读该教程。字体：Fixedsys 字体大小：9（呵呵，我这里只有12的）　有时候，在逆向者的生命中会迎来伟大的一天。下面就是其中之一。我将在这里给你介绍目前最新版本的Armadillo 4.05的手工脱壳教程。现在开始... 使用的工具: Olly v1.10,commandline Plug,HideOlly Plug,Ollydump Plug, LordPE and NO IMPREC. 正如你所闻，使用ImpRec或其它工具没有输入重建。我们将采用的方法是手工进行并且极其简单，可用于目前的所有加壳。我用一个下载的Armadillo版本加壳了一个Crackme，这仅仅是一个演示版本，但我检测了诸如保护选项等所有特征，它们运行得很好。因此，与注册版本在使用选项的仅有差别在于：当被保护文件启动时，它仅是一个nag屏幕。如果你进入Dillo的菜单Protection->Edit Project，你将会看到保护选项。我选择了如下这些：保护选项:Standard Protection only(仅用标准保护),Enable import elimination(输入表消除), Enable strategic code splicing(战略代码拼接?),enable memory patching protections(内存补丁保护). 当你第一次打开Dillo时，让所以其它选项保持默认。在ZIP文件中，你将会找到一个加壳的和一个未加壳的EXE文件。在OD中打开并加载加壳的EXE版本，确保未放置任何断点，并且仅在调试选项中选择了“Ignore memory Access Violations in KERNEL32”(在Kernel.32中忽略内存访问异常)。我在Dillo中设置的这些选项有两个反调试保护：第一个是在IsDebuggerPresent API上的通常调用，但因为有HideOlly插件，我们将不会遇到麻烦；第二个是在OutPutDebugString API上的调用，如果调试器运行，它将在调试器中打印一个字符串。实际情况是，Olly v1.10有一个格式堆栈缓冲器上溢(bug缺陷)，如果你给出了一个字符串诸如%x将触发该上溢并将是Olly崩溃(看文章http://www.securiteam.com/windowsntfocus/5ZP0N00DFE.html) 我们将使用一个技巧来欺骗它：在Olly代码窗口，点击“搜索－>所有模块中的名称”。找到OutPutDebugString并双击，你将来到该API起始代码的内存位置。不要在此设置任何断点，因为Dillo的“内存补丁保护”将发现它（也许其它选项也一样）。因此，下面将是OutPutDebugString的起始处： 77E949B7 > 68 2C020000 PUSH 22C 77E949BC 68 8853E977 PUSH kernel32.77E95388 77E949C1 E8 1259FEFF CALL kernel32.77E7A2D8 77E949C6 8365 FC 00 AND DWORD PTR SS:[EBP-4],0 77E949CA 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 77E949CD 8BC1 MOV EAX,ECX 77E949CF 8D70 01 LEA ESI,DWORD PTR DS:[EAX+1] 77E949D2 8A10 MOV DL,BYTE PTR DS:[EAX] 77E949D4 40 INC EAX 77E949D5 84D2 TEST DL,DL 77E949D7 ^75 F9 JNZ SHORT kernel32.77E949D2 77E949D9 2BC6 SUB EAX,ESI 77E949DB 40 INC EAX 77E949DC 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX 77E949DF 894D E4 MOV DWORD PTR SS:[EBP-1C],ECX 77E949E2 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20] 77E949E5 50 PUSH EAX 77E949E6 6A 02 PUSH 2 77E949E8 6A 00 PUSH 0 77E949EA 68 06000140 PUSH 40010006 77E949EF E8 43EEFDFF CALL kernel32.RaiseException 77E949F4 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF 77E949F8 E8 A259FEFF CALL kernel32.77E7A39F 77E949FD C2 0400 RETN 4 如你所见，它以RETN 4结束。进入第一行77E949B7(由于不同的Windows版本，你的地址可能不同)所在的操作码；这是一个内存补丁，Dillo将抓不到它，因为它在OS内存位置。现在，开始按Shift+F9多次直到程序执行。到底有多少次呢？在我的机子上是31次。重启Olly并进行所有反调试技巧，开始按Shift+F9多次，比前面的少2次；在我这里是29次。如果在这个过程中出现nag屏幕，不要理会，仅仅按OK。你将会来到这里： 00ADD266 8900 MOV DWORD PTR DS:[EAX],EAX <- Olly 中断在此 00ADD268 90 NOP 00ADD269 E9 57010000 JMP 00ADD3C5 00ADD26E FF75 EC PUSH DWORD PTR SS:[EBP-14] 00ADD271 E8 34F5FFFF CALL 00ADC7AA 00ADD276 59 POP ECX 00ADD277 C3 RETN 00ADD278 8B65 E8 MOV ESP,DWORD PTR SS:[EBP-18] 00ADD27B 70 07 JO SHORT 00ADD284 00ADD27D 7C 03 JL SHORT 00ADD282 00ADD27F EB 05 JMP SHORT 00ADD286 00ADD281 E8 74FBEBF9 CALL FA99CDFA 00ADD286 A1 5C4DAF00 MOV EAX,DWORD PTR DS:[AF4D5C] 00ADD28B 85C0 TEST EAX,EAX 00ADD28D 0F84 0C010000 JE 00ADD39F 00ADD293 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4] 00ADD296 8B0D B84DAF00 MOV ECX,DWORD PTR DS:[AF4DB8] ; packed.00400000 00ADD29C 3BD1 CMP EDX,ECX 00ADD29E 8B1D BC4DAF00 MOV EBX,DWORD PTR DS:[AF4DBC] ; packed.004A5000 现在，在你程序的代码段设置一个内存访问断点，在Olly中按"M"按钮（对我而言，地址是401000，大小1000）。按数次Shift+F9，你将来到OEP。看起来如下： 00401099 EB 27 JMP SHORT packed.004010C2 <--- Olly 在OEP的中断在此，因此OEP=00401099 0040109B 33C0 XOR EAX,EAX 0040109D A3 F7204000 MOV DWORD PTR DS:[4020F7],EAX 004010A2 6A 29 PUSH 29 004010A4 68 0E204000 PUSH packed.0040200E 004010A9 6A 65 PUSH 65 004010AB FF75 08 PUSH DWORD PTR SS:[EBP+8] 004010AE E8 D9010000 CALL packed.0040128C ; 跳转到USER32.GetDlgItemTextA 004010B3 A3 F7204000 MOV DWORD PTR DS:[4020F7],EAX 004010B8 B8 01000000 MOV EAX,1 004010BD E9 89000000 JMP packed.0040114B 004010C2 6A 00 PUSH 0 004010C4 E8 E1010000 CALL packed.004012AA 004010C9 A3 F3204000 MOV DWORD PTR DS:[4020F3],EAX 004010CE C705 C7204000 03>MOV DWORD PTR DS:[4020C7],4003 004010D8 C705 CB204000 89>MOV DWORD PTR DS:[4020CB],packed.0040118> 004010E2 C705 CF204000 00>MOV DWORD PTR DS:[4020CF],0 004010EC C705 D3204000 00>MOV DWORD PTR DS:[4020D3],0 004010F6 A1 F3204000 MOV EAX,DWORD PTR DS:[4020F3] 004010FB A3 D7204000 MOV DWORD PTR DS:[4020D7],EAX 2005-2-23 00:54 0
采臣·宁雪币： 154 活跃值： (216) 能力值： ( LV4，RANK：50 ) 在线值：发帖 33 回帖 1343 粉丝 6 关注私信	采臣·宁 1 13 楼 nug据上下文，是不是打错字了。nag 2005-2-23 09:21 0
newsearch 雪币： 257 活跃值： (369) 能力值： ( LV12，RANK：370 ) 在线值：发帖 14 回帖 342 粉丝 2 关注私信	newsearch 9 14 楼最初由采臣・宁发布 nug据上下文，是不是打错字了。nag 我也猜测是不是nag，文中还出现了两次，可能是笔误。nag这个单词仅仅在医学上出现。 2005-2-23 09:53 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 15 楼 NAG：意指烦人的小窗口（不必翻译）未注册版Armadillo加壳会有NAG 建议：既然翻译就用原版，把教程篇名和作者还原 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@ Armadillo 4.01a (Public Build) manually unpacking by KaGra @@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 附件中是原版教程附件:by.KaGra.zip 2005-2-23 10:17 0
newsearch 雪币： 257 活跃值： (369) 能力值： ( LV12，RANK：370 ) 在线值：发帖 14 回帖 342 粉丝 2 关注私信	newsearch 9 16 楼最初由 fly 发布 NAG：意指烦人的小窗口（不必翻译）未注册版Armadillo加壳会有NAG ........ Fly老大来了哈。好，就用你给的原版。不经你提醒，又上了蛋蛋的当了原文是Nug，估计是笔误，我就把它当Nag翻译好了，不久前才去了一个程序的Nag。身体出了点BUG，要休息一下。希望有人接着翻译。 2005-2-23 10:36 0
Feisu 雪币： 1913 活跃值： (15) 能力值： (RANK：10 ) 在线值：发帖 24 回帖 144 粉丝 4 关注私信	Feisu 17 楼正如你所闻，使用ImpRec或其它工具没有输入重建。 Yes,as U heared.No Import Rebuilding using ImpRec or other toolz 这句话我想应该翻译错了吧。应该是不用ImpRec重建IAT 或者其他工具来重建IAT.这句话的意思应该是这样吧 2005-2-24 23:38 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复