Introduction: A few days ago I downloaded the UnpackMe that 蛋壳大侠 packed with Thinstall 2.517. After studying it for a few days I have some notes; corrections from the experts are welcome.
**********************************************************************
1. Target: an UnpackMe packed with Thinstall 2.517
2. Tools: OllyDBG 1.10, ImportREC 1.6 Final
3. Cracker: DarkBull@email.com.cn
4. Process:
1. Load the target program in OD and use the IsDebug V1.4 plugin to clear OllyDbg's debugger flag. The code is as follows:
MoleBoxP.> 55 PUSH EBP
00401A95 8BEC MOV EBP,ESP
00401A97 B8 C04E245>MOV EAX,59244EC0
00401A9C BB 21D4886>MOV EBX,6788D421
00401AA1 50 PUSH EAX
00401AA2 E8 0000000>CALL MoleBoxP.00401AA7
00401AA7 58 POP EAX
Step into with F7 until you reach the following:
00401A65 FF15 D4534>CALL NEAR DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ;kernel32.GetModuleHandleA
00401A6B 50 PUSH EAX
00401A6C E8 BCFAFFF>CALL MoleBoxP.0040152D
00401A71 59 POP ECX
00401A72 59 POP ECX
00401A73 A1 785A400>MOV EAX,DWORD PTR DS:[405A78]
00401A78 8B40 10 MOV EAX,DWORD PTR DS:[EAX+10]
00401A7B 0305 745A4>ADD EAX,DWORD PTR DS:[405A74]
00401A81 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00401A84 E8 DBF5FFF>CALL MoleBoxP.00401064
00401A89 90 NOP ;junk instruction, NOPed out
00401A8A 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401A8D FFE0 JMP NEAR EAX ;EAX=7FF7AC54
After stepping in with F7 the code is as follows:
7FF7AC54 55 PUSH EBP
7FF7AC55 8BEC MOV EBP,ESP
7FF7AC57 6A FF PUSH -1
7FF7AC59 68 C8D1F87>PUSH 7FF8D1C8
7FF7AC5E 68 D0A9F77>PUSH 7FF7A9D0
7FF7AC63 64:A1 0000>MOV EAX,DWORD PTR FS:[0]
7FF7AC69 50 PUSH EAX
7FF7AC6A 64:8925 00>MOV DWORD PTR FS:[0],ESP
7FF7AC71 83EC 10 SUB ESP,10
7FF7AC74 53 PUSH EBX
7FF7AC75 56 PUSH ESI
7FF7AC76 57 PUSH EDI
7FF7AC77 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
7FF7AC7A FF15 7C72F>CALL NEAR DWORD PTR DS:[7FF8727C] ;kernel32.GetVersion
Set a breakpoint with BPX OpenFileMappingA; it is hit, and the code is as follows:
7FF76098 FF15 9470F>CALL NEAR DWORD PTR DS:[7FF87094] ;kernel32.OpenFileMappingA
7FF7609E 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
7FF760A1 8D8D 38FFF>LEA ECX,DWORD PTR SS:[EBP-C8]
7FF760A7 E8 690E000>CALL 7FF76F15
7FF760AC 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
7FF760B0 0F85 5C010>JNZ 7FF76212 ;change to JZ
Run with F8 until here:
7FF42C5C FF95 48FCF>CALL NEAR DWORD PTR SS:[EBP-3B8] ;MoleBoxP.004010E3=>OEP
2. Dump with the OllyDump v2.01 plugin, then attach ImportREC to the packed program, enter the OEP and search: 13 unresolved pointers are found. Load the packed program in OD, look up the unresolved addresses, and fix the pointers by hand in ImportREC.
3. Because of my limited skill I repaired the IAT by hand. That works for a small program, but for a larger one it would be a case of "the spirit is willing but the flesh is weak", so advice from the experts is welcome.
4. By the way, the music in this UnpackMe is quite nice.
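The IAT repair in steps 2 and 3 comes down to one question per IAT slot: does the pointer stored there land exactly on an exported function of a loaded module? If it does, the slot can be named; if it points into the packer's stub region (the 7FF7xxxx addresses above) or into the middle of a module, it stays unresolved and has to be fixed by hand. The following Python script, added here as an illustration and not part of the original post or of ImportREC, models that resolution over a constructed IAT dump and a constructed module map. All module bases, sizes, export addresses and IAT values are made up; in a real session they would come from the dumped image and the export tables of the modules loaded in the debugger.

```python
"""Resolve a dumped import address table (IAT) against module export tables.

Added example, not code from the original post. It models what ImportREC
does when you enter the OEP and let it search: each IAT slot holds a pointer,
and a pointer is "resolved" only when it lands exactly on an exported function
of a loaded module. Every module base, size, export address and IAT value
below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int
    exports: dict = field(default_factory=dict)  # export name -> absolute address

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

    def name_at(self, addr: int):
        """Reverse lookup: exported name whose address equals addr, else None."""
        for exp_name, exp_addr in self.exports.items():
            if exp_addr == addr:
                return exp_name
        return None


def resolve_iat(iat, modules):
    """Classify each (slot_va, pointer) pair of a dumped IAT.

    Returns a list of dicts with the slot, the pointer, the owning module
    (if any) and the export name (if the pointer hits an export). Entries whose
    pointer lands outside every module, or inside a module but not on an
    export (a packer trampoline, for example), are left unresolved so they
    can be fixed by hand, as the post does for its 13 pointers.
    """
    results = []
    for slot, ptr in iat:
        owner = next((m for m in modules if m.contains(ptr)), None)
        name = owner.name_at(ptr) if owner else None
        results.append({
            "slot": slot,
            "ptr": ptr,
            "module": owner.name if owner else None,
            "name": name,
            "resolved": name is not None,
        })
    return results


def summarize(results):
    """Group resolved names per module and list the unresolved slot addresses."""
    per_module = {}
    unresolved = []
    for r in results:
        if r["resolved"]:
            per_module.setdefault(r["module"], []).append(r["name"])
        else:
            unresolved.append(r["slot"])
    return per_module, unresolved


# Constructed module map (hypothetical bases and export addresses).
SAMPLE_MODULES = [
    Module("kernel32.dll", 0x7C800000, 0x000F6000, {
        "GetModuleHandleA": 0x7C80B741,
        "GetVersion": 0x7C812A5B,
        "OpenFileMappingA": 0x7C80A2F1,
    }),
    Module("user32.dll", 0x7E410000, 0x00091000, {
        "MessageBoxA": 0x7E4507EA,
    }),
]

# Constructed dump of a small IAT: (slot address in the dumped image, pointer
# stored there). Two slots point into a packer stub region that is not a known
# module (the post's stub lives at 7FF7xxxx), and one points into kernel32 but
# not onto an export, so all three must be repaired manually.
SAMPLE_IAT = [
    (0x00405000, 0x7C80B741),  # kernel32!GetModuleHandleA
    (0x00405004, 0x7C812A5B),  # kernel32!GetVersion
    (0x00405008, 0x7FF760F0),  # packer stub, unresolved
    (0x0040500C, 0x7C80B750),  # inside kernel32 but mid-function, unresolved
    (0x00405010, 0x7FF7AC54),  # packer stub, unresolved
    (0x00405014, 0x7E4507EA),  # user32!MessageBoxA
    (0x00405018, 0x7C80A2F1),  # kernel32!OpenFileMappingA
]


def run_sample():
    """Resolve the constructed IAT and return (per_module, unresolved_slots)."""
    return summarize(resolve_iat(SAMPLE_IAT, SAMPLE_MODULES))


if __name__ == "__main__":
    per_module, unresolved = run_sample()
    for mod, names in per_module.items():
        print(f"{mod}: {', '.join(names)}")
    print("unresolved slots:", [hex(s) for s in unresolved])
```

The unresolved list is exactly what you would then walk through in OD, one slot at a time, to find which API the packer's stub forwards to before typing the name into ImportREC; a larger program simply produces a longer list, which is why an automatic tracer for the stub's forwarding logic is the usual next step.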