[Title]: Unpacking the ARM Protector 0.1 main program in one minute
[Target]: ARM Protector 0.1 main program
[Author]: jney2
[Date]: March 16, 2005
[Author's note]: When it comes to unpacking I'm a newbie and need to learn and practice more!!! A few notes, shared with everyone.
[Brief intro]: The ARM Protector 0.1 main program is not packed with itself. Checking it with PEiD gives: MEW 10 1.0 -> NorthFox/HCC. I don't think I've seen this one before; after unpacking it, it felt very simple, probably just a simple compression packer!
[Tools used]: OllyDbg 1.1 (modified build), ImportREC 1.6
[Unpacking process]:
1. Load the file in OD; it stops at:
0040707E > 33C0 XOR EAX,EAX
00407080 - E9 D090FFFF JMP armp.00400155
Press F8 twice to get here, then scroll down a little and you can see the JMP EAX instruction. Set a breakpoint on it with F2, run with F9, and it breaks:
00400155 ? BE 61704000 MOV ESI,armp.00407061
0040015A . AC LODS BYTE PTR DS:[ESI]
0040015B . 91 XCHG EAX,ECX
0040015C . AD LODS DWORD PTR DS:[ESI]
0040015D . 95 XCHG EAX,EBP
0040015E . AD LODS DWORD PTR DS:[ESI]
0040015F . 92 XCHG EAX,EDX
00400160 > AD LODS DWORD PTR DS:[ESI]
00400161 . 51 PUSH ECX
00400162 . 56 PUSH ESI
00400163 . 87F2 XCHG EDX,ESI
00400165 . 97 XCHG EAX,EDI
00400166 . FC CLD
00400167 . B2 80 MOV DL,80
00400169 . 33DB XOR EBX,EBX
0040016B > A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0040016C . B3 02 MOV BL,2
0040016E > FF55 04 CALL DWORD PTR SS:[EBP+4]
00400171 .^ 73 F8 JNB SHORT armp.0040016B
00400173 . 33C9 XOR ECX,ECX
00400175 . FF55 04 CALL DWORD PTR SS:[EBP+4]
00400178 . 73 18 JNB SHORT armp.00400192
0040017A . 33C0 XOR EAX,EAX
0040017C . FF55 04 CALL DWORD PTR SS:[EBP+4]
0040017F . 73 1F JNB SHORT armp.004001A0
00400181 . B3 02 MOV BL,2
00400183 . 41 INC ECX
00400184 . B0 10 MOV AL,10
00400186 > FF55 04 CALL DWORD PTR SS:[EBP+4]
00400189 . 12C0 ADC AL,AL
0040018B .^ 73 F9 JNB SHORT armp.00400186
0040018D . 75 4F JNZ SHORT armp.004001DE
0040018F . AA STOS BYTE PTR ES:[EDI]
00400190 .^ EB DC JMP SHORT armp.0040016E
00400192 > E8 5D000000 CALL armp.004001F4
00400197 . 2BCB SUB ECX,EBX
00400199 . 75 17 JNZ SHORT armp.004001B2
0040019B . FF55 08 CALL DWORD PTR SS:[EBP+8]
0040019E . EB 35 JMP SHORT armp.004001D5
004001A0 > AC LODS BYTE PTR DS:[ESI]
004001A1 . D1E8 SHR EAX,1
004001A3 . 74 04 JE SHORT armp.004001A9
004001A5 . 13C9 ADC ECX,ECX
004001A7 . EB 23 JMP SHORT armp.004001CC
004001A9 > 87F2 XCHG EDX,ESI
004001AB . 5E POP ESI
004001AC . 59 POP ECX
004001AD .^ E2 B1 LOOPD SHORT armp.00400160
004001AF . AD LODS DWORD PTR DS:[ESI]
004001B0 . FFE0 JMP EAX //******* Set a breakpoint with F2, run, and it breaks here. ********
Press F8 once to get here. Likewise, scroll down a little and you can see a RETN instruction followed by a long run of 00 bytes. Set a breakpoint on the RETN with F2, run with F9, and it breaks:
00408FF1 BE E58F4000 MOV ESI,armp.00408FE5
00408FF6 56 PUSH ESI
00408FF7 AD LODS DWORD PTR DS:[ESI]
00408FF8 97 XCHG EAX,EDI
00408FF9 AD LODS DWORD PTR DS:[ESI]
00408FFA 91 XCHG EAX,ECX
00408FFB AD LODS DWORD PTR DS:[ESI]
00408FFC 5E POP ESI
00408FFD 50 PUSH EAX
00408FFE 83EE 04 SUB ESI,4
00409001 4E DEC ESI
00409002 4E DEC ESI
00409003 AC LODS BYTE PTR DS:[ESI]
00409004 48 DEC EAX
00409005 84C0 TEST AL,AL
00409007 74 32 JE SHORT armp.0040903B
00409009 48 DEC EAX
0040900A 84C0 TEST AL,AL
0040900C 74 3D JE SHORT armp.0040904B
0040900E 66:40 INC AX
00409010 66:40 INC AX
00409012 84C0 TEST AL,AL
00409014 ^ 75 EB JNZ SHORT armp.00409001
00409016 52 PUSH EDX
00409017 51 PUSH ECX
00409018 57 PUSH EDI
00409019 56 PUSH ESI
0040901A 56 PUSH ESI
0040901B FF51 04 CALL DWORD PTR DS:[ECX+4]
0040901E 5E POP ESI
0040901F 5F POP EDI
00409020 59 POP ECX
00409021 5A POP EDX
00409022 85C0 TEST EAX,EAX
00409024 74 06 JE SHORT armp.0040902C
00409026 83C7 04 ADD EDI,4
00409029 92 XCHG EAX,EDX
0040902A ^ EB D2 JMP SHORT armp.00408FFE
0040902C 52 PUSH EDX
0040902D 51 PUSH ECX
0040902E 57 PUSH EDI
0040902F 56 PUSH ESI
00409030 56 PUSH ESI
00409031 52 PUSH EDX
00409032 FF11 CALL DWORD PTR DS:[ECX]
00409034 5E POP ESI
00409035 5F POP EDI
00409036 59 POP ECX
00409037 5A POP EDX
00409038 AB STOS DWORD PTR ES:[EDI]
00409039 ^ EB C3 JMP SHORT armp.00408FFE
0040903B 52 PUSH EDX
0040903C 51 PUSH ECX
0040903D 57 PUSH EDI
0040903E 56 PUSH ESI
0040903F AD LODS DWORD PTR DS:[ESI]
00409040 50 PUSH EAX
00409041 52 PUSH EDX
00409042 FF11 CALL DWORD PTR DS:[ECX]
00409044 5E POP ESI
00409045 5F POP EDI
00409046 59 POP ECX
00409047 5A POP EDX
00409048 AB STOS DWORD PTR ES:[EDI]
00409049 ^ EB B3 JMP SHORT armp.00408FFE
0040904B C3 RETN //****** Set a breakpoint with F2, run, and it breaks here. *****
0040904C 0000 ADD BYTE PTR DS:[EAX],AL
0040904E 0000 ADD BYTE PTR DS:[EAX],AL
00409050 0000 ADD BYTE PTR DS:[EAX],AL
00409052 0000 ADD BYTE PTR DS:[EAX],AL
Press F8 once more and you arrive at the summit of light: the OEP
00401000 6A 00 PUSH 0
00401002 E8 17220000 CALL armp.0040321E ; JMP to kernel32.GetModuleHandleA
00401007 A3 1C504000 MOV DWORD PTR DS:[40501C],EAX
0040100C 6A 00 PUSH 0
0040100E 68 24104000 PUSH armp.00401024
00401013 6A 00 PUSH 0
00401015 6A 65 PUSH 65
00401017 50 PUSH EAX
00401018 E8 9B210000 CALL armp.004031B8 ; JMP to USER32.DialogBoxParamA
0040101D 6A 00 PUSH 0
0040101F E8 EE210000 CALL armp.00403212 ; JMP to kernel32.ExitProcess
00401024 55 PUSH EBP
OK, now at 00401000 use the OD dump plugin to dump the process and save it as dump.exe. Run ImportREC and select this process. Set the OEP to 00001000, click IAT AutoSearch, then click "Get Imports"; all functions are valid. Fix Dump, OK! 8K -> 42K.
Check with PEiD again: MASM32 / TASM32. Done, in one minute!
[Summary]: Unpacking this should be about the same as manually unpacking an ordinary UPX packer. Later I dumped the process at the OEP with LordPE instead, and the file size dropped to 36K; no wonder the experts all use LordPE!
End of article.
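The two header-level checks that the walkthrough above does by hand, confirming that the packer's entry point (0040707E) lies outside the real code section and rewriting AddressOfEntryPoint to the OEP (00001000) in the dump, as an added Python example that is not part of the original post or of any tool it mentions. The PE image is a constructed, header-only sample with assumed section names and sizes, not the real armp.exe; the parser assumes PE32.

```python
import struct
# Constructed sample (not the real file): header-only PE32 laid out like the packed armp.exe on
# this page, with the packer entry point at RVA 0x707E (0x40707E) and the real code at RVA 0x1000.
IMAGE_BASE = 0x400000
SAMPLE_SECTIONS = [  # (name, VirtualAddress, VirtualSize, Characteristics); names/sizes assumed
    (b'.text', 0x1000, 0x3000, 0x60000020),  # code: read + execute
    (b'.data', 0x5000, 0x1000, 0xC0000040),  # data: read + write
    (b'.mew',  0x7000, 0x2000, 0xE0000020),  # packer stub: read + write + execute
]
def build_pe(entry_rva, sections):
    # Minimal PE32 headers (DOS header, NT headers, section table) with no section data.
    dos = bytearray(b'MZ' + bytes(58) + struct.pack('<I', 64))   # e_lfanew -> NT headers at 0x40
    file_hdr = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10B)            # PE32 magic
    struct.pack_into('<I', opt, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into('<I', opt, 28, IMAGE_BASE)      # ImageBase
    table = b''.join(struct.pack('<8sIIIIIIHHI', n, vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return bytes(dos) + b'PE\0\0' + file_hdr + bytes(opt) + table
def parse_pe(data):
    # Returns (entry_rva, image_base, [(name, va, size, characteristics)], file offset of the entry field).
    pe = struct.unpack_from('<I', data, 60)[0]
    if data[:2] != b'MZ' or data[pe:pe + 4] != b'PE\0\0':
        raise ValueError('not a PE file')
    nsec, opt_size = struct.unpack_from('<H', data, pe + 6)[0], struct.unpack_from('<H', data, pe + 20)[0]
    opt = pe + 24                                    # optional header follows the 20-byte file header
    entry, base = struct.unpack_from('<I', data, opt + 16)[0], struct.unpack_from('<I', data, opt + 28)[0]
    secs = []
    for i in range(nsec):                            # 40-byte IMAGE_SECTION_HEADER entries
        n, vs, va, rs, *_, ch = struct.unpack_from('<8sIIIIIIHHI', data, opt + opt_size + 40 * i)
        secs.append((n.rstrip(b'\0').decode(), va, max(vs, rs), ch))
    return entry, base, secs, opt + 16
def section_of(rva, sections):
    return next((n for n, va, size, _ in sections if va <= rva < va + size), None)
def entry_looks_packed(data):
    # Heuristic the sample illustrates: entry point outside the first section, or in a writable one.
    entry, _, secs, _ = parse_pe(data)
    name = section_of(entry, secs)
    writable = any(n == name and ch & 0x80000000 for n, _, _, ch in secs)  # IMAGE_SCN_MEM_WRITE
    return name != secs[0][0] or writable
def set_entry_point(data, new_rva):
    # Rewrite AddressOfEntryPoint in a dump (the "OEP = 00001000" step), refusing an RVA outside every section.
    _, _, secs, ep_off = parse_pe(data)
    if section_of(new_rva, secs) is None:
        raise ValueError('entry point %#x is not inside any section' % new_rva)
    out = bytearray(data)
    struct.pack_into('<I', out, ep_off, new_rva)
    return bytes(out)
```

On the constructed sample, `entry_looks_packed` flags the packed header and clears after `set_entry_point(data, 0x1000)`; on a real dump, run it on the file ImportREC produced to confirm the OEP landed in the code section.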