[转帖]关于yoda's Protector v1.02 (.dll,.ocx) -> Ashkbiz Danehkar (h) *脱壳问题
发表于: 2010-12-8 11:22 4665
我是转载的,大家看看 ====================================
d ptr fs:[0],esp
004017 =======================================
OD载入停在 00408040 50 push eax
========================================
00408040 50 push eax
00408041 B8 01010000 mov eax, 101
00408046 89E2 mov edx, esp
00408048 83C2 04 add edx, 4
0040804B C74424 FC 0F340>mov dword ptr [esp-4], 340F
00408053 89E1 mov ecx, esp
00408055 83E9 04 sub ecx, 4
00408058 9D popfd
00408059 - FFE1 jmp ecx //一个往死里跳的跳 NOP掉 往下走!
0040805B 58 pop eax
0040805C 58 pop eax
0040805D 58 pop eax
0040805E 58 pop eax
0040805F 31C0 xor eax, eax
00408061 5A pop edx
00408062 59 pop ecx
00408063 59 pop ecx
========================================
00408067 55 push ebp
00408068 E8 98010000 call 00408205 //出现一个CALL……继续F8会走到死,试了6次后决定F7跟进!……(进去时没什么目的,随后才知道蒙对了)
0040806D 1A65 59 sbb ah, byte ptr [ebp+59]
00408070 2C B4 sub al, 0B4
00408072 1D 4782327C sbb eax, 7C328247
00408077 8539 test dword ptr [ecx], edi
00408079 C40E les ecx, fword ptr [esi]
0040807B 2282 C82C67D7 and al, byte ptr [edx+D7672CC8]
00408081 ^ 79 F2 jns short 00408075
========================================
跟进后继续F8走 走到retn返回到
0040700D 60 pushad //事后牛人告诉我这就是壳代码!怎么知道的我现在也不知道,貌似UPX进来的时候也是PUSHAD,差不多一个样!都压栈!ESP定律尝试中……
0040700E E8 EDFFFFFF call 00407000
00407013 - EB A3 jmp short 00406FB8
00407015 D6 salc
00407016 1D D68373D6 sbb eax, D67383D6
0040701B 1BB2 6F366FD6 sbb esi, dword ptr [edx+D66F366F]
00407021 61 popad
00407022 7B D6 jpo short 00406FFA
00407024 F3: prefix rep:
00407025 52 push edx
00407026 5E pop esi
=========================================
hr 0012ffa4 尝试失败……资料中显示成功……
0040747A FF95 D96B4000 call dword ptr [ebp+406BD9] //F9或是SHIFT+F9会再次卡死
00407480 E8 0E000000 call 00407493
00407485 45 inc ebp
00407486 78 69 js short 004074F1
00407488 74 57 je short 004074E1
0040748A 696E 64 6F77734>imul ebp, dword ptr [esi+64], 4573776>
00407491 78 00 js short 00407493
00407493 50 push eax
00407494 FF95 C26E4000 call dword ptr [ebp+406EC2]
0040749A 8985 A9664000 mov dword ptr [ebp+4066A9], eax
004074A0 6A 04 push 4
004074A2 FF95 A9664000 call dword ptr [ebp+4066A9]
004074A8 E9 23080000 jmp 00407CD0
========================================
既然失败了……继续尝试F8
========================================
00407013 /EB 13 jmp short 00407028 //F8两步后走到此处!
00407015 |66:AD lods word ptr [esi]
00407017 |66:33C3 xor ax, bx
0040701A |66:AB stos word ptr es:[edi]
0040701C |02DF add bl, bh
0040701E |86DF xchg bh, bl
00407020 |66:D1CB ror bx, 1
00407023 |66:43 inc bx
00407025 ^|E2 EE loopd short 00407015
00407027 |C3 retn //F2断下!SHIFT+F9 断下!F7跟过去!
00407028 \91 xchg eax, ecx
========================================
00407055 90 nop //来到此处!
00407056 8DBD 24624000 lea edi, dword ptr [ebp+406224]
0040705C 32C0 xor al, al
0040705E B9 3B000000 mov ecx, 3B
00407063 F3:AA rep stos byte ptr es:[edi]
00407065 8DB5 74624000 lea esi, dword ptr [ebp+406274]
0040706B 8BFE mov edi, esi
0040706D B9 F7050000 mov ecx, 5F7
00407072 E8 9EFFFFFF call 00407015
00407077 90 nop //F2 断下SHIFT+F9 断下
00407078 21F7 and edi, esi
0040707A AA stos byte ptr es:[edi]
0040707B 6D ins dword ptr es:[edi], dx
0040707C C8 A4039B enter 3A4, 9B
00407080 3199 7D20B16A xor dword ptr [ecx+6AB1207D], ebx
========================================
额……全是空代码
00407028 0000 add byte ptr [eax], al
0040702A 0000 add byte ptr [eax], al
0040702C 0000 add byte ptr [eax], al
0040702E 0000 add byte ptr [eax], al
00407030 0000 add byte ptr [eax], al
00407032 0000 add byte ptr [eax], al
00407034 0000 add byte ptr [eax], al
00407036 0000 add byte ptr [eax], al
00407038 0000 add byte ptr [eax], al
0040703A 0000 add byte ptr [eax], al
0040703C 0000 add byte ptr [eax], al
========================================
下边的代码解码……zzZZ
00407064 AA stos byte ptr es:[edi]
00407065 8DB5 74624000 lea esi, dword ptr [ebp+406274]
0040706B 8BFE mov edi, esi
0040706D B9 F7050000 mov ecx, 5F7
00407072 E8 9EFFFFFF call 00407015
00407077 90 nop
00407078 8D85 90624000 lea eax, dword ptr [ebp+406290]
0040707E 50 push eax
0040707F 8DBD AD664000 lea edi, dword ptr [ebp+4066AD]
00407085 57 push edi
00407086 64:8B11 mov edx, dword ptr fs:[ecx]
00407089 52 push edx
0040708A 64:8921 mov dword ptr fs:[ecx], esp
0040708D 8909 mov dword ptr [ecx], ecx
0040708F E9 5B010000 jmp 004071EF
========================================
处理INT3
二进制查找
C3 CC 8D 85
00407239 CC int3
NOP掉
00407239 90 nop
---------------------------------------
二进制查找
66 C7 42 06 FF FF
出现多句 一共5句
00407162 66:C742 06 FFFF mov word ptr [edx+6], 0FFFF
00407168 C742 20 0000000>mov dword ptr [edx+20], 0
0040716F C742 28 0000000>mov dword ptr [edx+28], 0
00407176 C742 2C FFFFFF0>mov dword ptr [edx+2C], 0FFFFFFF
0040717D C742 34 FFFFFF0>mov dword ptr [edx+34], 0FFFFFFF
NOP掉前四句!
随后找到
00407194 F3:AA rep stos byte ptr es:[edi]
(位置在其下方) NOP掉!
继续 下找 代码
004071BB 68 04010000 push 104
004071C0 FFB5 336E4000 push dword ptr [ebp+406E33]
004071C6 6A 00 push 0
004071C8 FF95 F16B4000 call dword ptr [ebp+406BF1]
004071CE 6A 00 push 0 //从这里 ||| 如果不NOP掉,就在此处汇编为 jmp short 004071E9
004071D0 6A 00 push 0
004071D2 6A 04 push 4 //到
004071D4 6A 00 push 0
004071D6 6A 00 push 0
004071D8 68 00000080 push 80000000
004071DD FFB5 336E4000 push dword ptr [ebp+406E33]
004071E3 FF95 ED6B4000 call dword ptr [ebp+406BED] //到这里全都NOP掉就好,这个CALL应该是加密的……
004071E9 8985 476E4000 mov dword ptr [ebp+406E47], eax //不NOP掉的话,就汇编成跳到这里;两种做法目的都是为了跳过上边的那个CALL
004071EF 8B85 456D4000 mov eax, dword ptr [ebp+406D45]
004071F5 0385 516D4000 add eax, dword ptr [ebp+406D51]
004071FB 8B8D 496D4000 mov ecx, dword ptr [ebp+406D49]
00407201 B8 40000000 mov eax, 40
========================================
========================================
查找要跟随的表达式 GetModuleHandleA
出现错误…… 原因是在 前两次下断后没有取消断点……
重新来过后停在
7C80B6C1 > 8BFF mov edi, edi //这里!
7C80B6C3 55 push ebp
7C80B6C4 8BEC mov ebp, esp
7C80B6C6 837D 08 00 cmp dword ptr [ebp+8], 0
7C80B6CA 74 18 je short 7C80B6E4
7C80B6CC FF75 08 push dword ptr [ebp+8]
7C80B6CF E8 C0290000 call 7C80E094
7C80B6D4 85C0 test eax, eax
F9 两次 第二次是个漫长的等待 随即还是错误
一直停在
0040747A FF95 D96B4000 call dword ptr [ebp+406BD9]
两个小时后 问题原因出现在OD上……
换好OD 来到这一步
========================================
两次F9后 ALT+F9返回
00407312 0BC0 or eax,eax
00407314 75 08 jnz short 考核.0040731E
00407316 CC push ebx
00407317 FF95 D96B4000 call dword ptr ss:[ebp+406BD9]
0040731D 90 int3 //NOP掉
0040731E 8985 356D4000 mov dword ptr ss:[ebp+406D35],eax
00407324 C785 3D6D4000 000000>mov dword ptr ss:[ebp+406D3D],0
0040732E CC int3 //NOP掉
0040732F 8B95 516D4000 mov edx,dword ptr ss:[ebp+406D51]
00407335 8B06 mov eax,dword ptr ds:[esi]
00407337 0BC0 or eax,eax
00407339 75 04 jnz short 考核.0040733F
0040733B 8B46 10 mov eax,dword ptr ds:[esi+10]
0040733E CC int3 //NOP掉
0040733F 03C2 add eax,edx
下面还有一个,也NOP掉
0040733B 8B46 10 mov eax,dword ptr ds:[esi+10]
0040733E CC int3 //NOP掉
0040733F 03C2 add eax,edx
00407341 0385 3D6D4000 add eax,dword ptr ss:[ebp+406D3D]
00407347 8B18 mov ebx,dword ptr ds:[eax]
========================================
CTRL+B 查找80 BD ?? ?? ?? ?? 01 75 5E
来到
0040737D 80BD 326E4000 01 cmp byte ptr ss:[ebp+406E32],1 //到这里
00407384 EB 5E jnz short 考核.004073E4 // 把JNZ改成无条件跳JMP
00407386 3B85 0D6C4000 cmp eax,dword ptr ss:[ebp+406C0D]
0040738C 75 08 jnz short 考核.00407396
0040738E 8D85 40674000 lea eax,dword ptr ss:[ebp+406740]
00407394 EB 4E jmp short 考核.004073E4
00407396 3B85 1D6C4000 cmp eax,dword ptr ss:[ebp+406C1D]
0040739C 75 08 jnz short 考核.004073A6
0040739E 8D85 026A4000 lea eax,dword ptr ss:[ebp+406A02]
004073A4 EB 3E jmp short 考核.004073E4
004073A6 3B85 ED6B4000 cmp eax,dword ptr ss:[ebp+406BED]
004073AC 75 08 jnz short 考核.004073B6
004073AE 8D85 726A4000 lea eax,dword ptr ss:[ebp+406A72]
004073B4 EB 2E jmp short 考核.004073E4
========================================
修改后单步F8
走到
0040742B 5D pop ebp
F2断下 -----SHIFT+F9 运行-----断下
========================================
继续F8走,四步后来到一个RETN处,继续F8
========================================
00401700 55 db 55 ; CHAR 'U'
00401701 8B db 8B
00401702 EC db EC
00401703 6A db 6A ; CHAR 'j'
00401704 FF db FF
00401705 68 db 68 ; CHAR 'h'
00401706 00 db 00
00401707 25 db 25 ; CHAR '%'
00401708 40 db 40 ; CHAR '@'
00401709 00 db 00
0040170A 68 db 68 ; CHAR 'h'
0040170B 86 db 86
0040170C 18 db 18
0040170D 40 db 40 ; CHAR '@'
额……右键……分析代码……
00401700 /. 55 push ebp //传说中的OEP
00401701 |. 8BEC mov ebp,esp
00401703 |. 6A FF push -1
00401705 |. 68 00254000 push 考核.00402500
0040170A |. 68 86184000 push 考核.00401886 ; jmp to msvcrt._except_handler3; SE 句柄安装
0040170F |. 64:A1 00000000 mov eax,dword ptr fs:[0]
00401715 |. 50 push eax
00401716 |. 64:8925 00000000 mov dword ptr fs:[0],esp
004017 =======================================
OD载入停在 00408040 50 push eax
========================================
00408040 50 push eax
00408041 B8 01010000 mov eax, 101
00408046 89E2 mov edx, esp
00408048 83C2 04 add edx, 4
0040804B C74424 FC 0F340>mov dword ptr [esp-4], 340F
00408053 89E1 mov ecx, esp
00408055 83E9 04 sub ecx, 4
00408058 9D popfd
00408059 - FFE1 jmp ecx //一个往死里跳的跳 NOP掉 往下走!
0040805B 58 pop eax
0040805C 58 pop eax
0040805D 58 pop eax
0040805E 58 pop eax
0040805F 31C0 xor eax, eax
00408061 5A pop edx
00408062 59 pop ecx
00408063 59 pop ecx
========================================
00408067 55 push ebp
00408068 E8 98010000 call 00408205 //出现一个CALL……继续F8会走到死,试了6次后决定F7跟进!……(进去时没什么目的,随后才知道蒙对了)
0040806D 1A65 59 sbb ah, byte ptr [ebp+59]
00408070 2C B4 sub al, 0B4
00408072 1D 4782327C sbb eax, 7C328247
00408077 8539 test dword ptr [ecx], edi
00408079 C40E les ecx, fword ptr [esi]
0040807B 2282 C82C67D7 and al, byte ptr [edx+D7672CC8]
00408081 ^ 79 F2 jns short 00408075
========================================
跟进后继续F8走 走到retn返回到
0040700D 60 pushad //事后牛人告诉我这就是壳代码!怎么知道的我现在也不知道,貌似UPX进来的时候也是PUSHAD,差不多一个样!都压栈!ESP定律尝试中……
0040700E E8 EDFFFFFF call 00407000
00407013 - EB A3 jmp short 00406FB8
00407015 D6 salc
00407016 1D D68373D6 sbb eax, D67383D6
0040701B 1BB2 6F366FD6 sbb esi, dword ptr [edx+D66F366F]
00407021 61 popad
00407022 7B D6 jpo short 00406FFA
00407024 F3: prefix rep:
00407025 52 push edx
00407026 5E pop esi
=========================================
hr 0012ffa4 尝试失败……资料中显示成功……
0040747A FF95 D96B4000 call dword ptr [ebp+406BD9] //F9或是SHIFT+F9会再次卡死
00407480 E8 0E000000 call 00407493
00407485 45 inc ebp
00407486 78 69 js short 004074F1
00407488 74 57 je short 004074E1
0040748A 696E 64 6F77734>imul ebp, dword ptr [esi+64], 4573776>
00407491 78 00 js short 00407493
00407493 50 push eax
00407494 FF95 C26E4000 call dword ptr [ebp+406EC2]
0040749A 8985 A9664000 mov dword ptr [ebp+4066A9], eax
004074A0 6A 04 push 4
004074A2 FF95 A9664000 call dword ptr [ebp+4066A9]
004074A8 E9 23080000 jmp 00407CD0
========================================
既然失败了……继续尝试F8
========================================
00407013 /EB 13 jmp short 00407028 //F8两步后走到此处!
00407015 |66:AD lods word ptr [esi]
00407017 |66:33C3 xor ax, bx
0040701A |66:AB stos word ptr es:[edi]
0040701C |02DF add bl, bh
0040701E |86DF xchg bh, bl
00407020 |66:D1CB ror bx, 1
00407023 |66:43 inc bx
00407025 ^|E2 EE loopd short 00407015
00407027 |C3 retn //F2断下!SHIFT+F9 断下!F7跟过去!
00407028 \91 xchg eax, ecx
========================================
00407055 90 nop //来到此处!
00407056 8DBD 24624000 lea edi, dword ptr [ebp+406224]
0040705C 32C0 xor al, al
0040705E B9 3B000000 mov ecx, 3B
00407063 F3:AA rep stos byte ptr es:[edi]
00407065 8DB5 74624000 lea esi, dword ptr [ebp+406274]
0040706B 8BFE mov edi, esi
0040706D B9 F7050000 mov ecx, 5F7
00407072 E8 9EFFFFFF call 00407015
00407077 90 nop //F2 断下SHIFT+F9 断下
00407078 21F7 and edi, esi
0040707A AA stos byte ptr es:[edi]
0040707B 6D ins dword ptr es:[edi], dx
0040707C C8 A4039B enter 3A4, 9B
00407080 3199 7D20B16A xor dword ptr [ecx+6AB1207D], ebx
========================================
额……全是空代码
00407028 0000 add byte ptr [eax], al
0040702A 0000 add byte ptr [eax], al
0040702C 0000 add byte ptr [eax], al
0040702E 0000 add byte ptr [eax], al
00407030 0000 add byte ptr [eax], al
00407032 0000 add byte ptr [eax], al
00407034 0000 add byte ptr [eax], al
00407036 0000 add byte ptr [eax], al
00407038 0000 add byte ptr [eax], al
0040703A 0000 add byte ptr [eax], al
0040703C 0000 add byte ptr [eax], al
========================================
下边的代码解码……zzZZ
00407064 AA stos byte ptr es:[edi]
00407065 8DB5 74624000 lea esi, dword ptr [ebp+406274]
0040706B 8BFE mov edi, esi
0040706D B9 F7050000 mov ecx, 5F7
00407072 E8 9EFFFFFF call 00407015
00407077 90 nop
00407078 8D85 90624000 lea eax, dword ptr [ebp+406290]
0040707E 50 push eax
0040707F 8DBD AD664000 lea edi, dword ptr [ebp+4066AD]
00407085 57 push edi
00407086 64:8B11 mov edx, dword ptr fs:[ecx]
00407089 52 push edx
0040708A 64:8921 mov dword ptr fs:[ecx], esp
0040708D 8909 mov dword ptr [ecx], ecx
0040708F E9 5B010000 jmp 004071EF
========================================
处理INT3
二进制查找
C3 CC 8D 85
00407239 CC int3
NOP掉
00407239 90 nop
---------------------------------------
二进制查找
66 C7 42 06 FF FF
出现多句 一共5句
00407162 66:C742 06 FFFF mov word ptr [edx+6], 0FFFF
00407168 C742 20 0000000>mov dword ptr [edx+20], 0
0040716F C742 28 0000000>mov dword ptr [edx+28], 0
00407176 C742 2C FFFFFF0>mov dword ptr [edx+2C], 0FFFFFFF
0040717D C742 34 FFFFFF0>mov dword ptr [edx+34], 0FFFFFFF
NOP掉前四句!
随后找到
00407194 F3:AA rep stos byte ptr es:[edi]
(位置在其下方) NOP掉!
继续 下找 代码
004071BB 68 04010000 push 104
004071C0 FFB5 336E4000 push dword ptr [ebp+406E33]
004071C6 6A 00 push 0
004071C8 FF95 F16B4000 call dword ptr [ebp+406BF1]
004071CE 6A 00 push 0 //从这里 ||| 如果不NOP掉,就在此处汇编为 jmp short 004071E9
004071D0 6A 00 push 0
004071D2 6A 04 push 4 //到
004071D4 6A 00 push 0
004071D6 6A 00 push 0
004071D8 68 00000080 push 80000000
004071DD FFB5 336E4000 push dword ptr [ebp+406E33]
004071E3 FF95 ED6B4000 call dword ptr [ebp+406BED] //到这里全都NOP掉就好,这个CALL应该是加密的……
004071E9 8985 476E4000 mov dword ptr [ebp+406E47], eax //不NOP掉的话,就汇编成跳到这里;两种做法目的都是为了跳过上边的那个CALL
004071EF 8B85 456D4000 mov eax, dword ptr [ebp+406D45]
004071F5 0385 516D4000 add eax, dword ptr [ebp+406D51]
004071FB 8B8D 496D4000 mov ecx, dword ptr [ebp+406D49]
00407201 B8 40000000 mov eax, 40
========================================
========================================
查找要跟随的表达式 GetModuleHandleA
出现错误…… 原因是在 前两次下断后没有取消断点……
重新来过后停在
7C80B6C1 > 8BFF mov edi, edi //这里!
7C80B6C3 55 push ebp
7C80B6C4 8BEC mov ebp, esp
7C80B6C6 837D 08 00 cmp dword ptr [ebp+8], 0
7C80B6CA 74 18 je short 7C80B6E4
7C80B6CC FF75 08 push dword ptr [ebp+8]
7C80B6CF E8 C0290000 call 7C80E094
7C80B6D4 85C0 test eax, eax
F9 两次 第二次是个漫长的等待 随即还是错误
一直停在
0040747A FF95 D96B4000 call dword ptr [ebp+406BD9]
两个小时后 问题原因出现在OD上……
换好OD 来到这一步
========================================
两次F9后 ALT+F9返回
00407312 0BC0 or eax,eax
00407314 75 08 jnz short 考核.0040731E
00407316 CC push ebx
00407317 FF95 D96B4000 call dword ptr ss:[ebp+406BD9]
0040731D 90 int3 //NOP掉
0040731E 8985 356D4000 mov dword ptr ss:[ebp+406D35],eax
00407324 C785 3D6D4000 000000>mov dword ptr ss:[ebp+406D3D],0
0040732E CC int3 //NOP掉
0040732F 8B95 516D4000 mov edx,dword ptr ss:[ebp+406D51]
00407335 8B06 mov eax,dword ptr ds:[esi]
00407337 0BC0 or eax,eax
00407339 75 04 jnz short 考核.0040733F
0040733B 8B46 10 mov eax,dword ptr ds:[esi+10]
0040733E CC int3 //NOP掉
0040733F 03C2 add eax,edx
下面还有一个,也NOP掉
0040733B 8B46 10 mov eax,dword ptr ds:[esi+10]
0040733E CC int3 //NOP掉
0040733F 03C2 add eax,edx
00407341 0385 3D6D4000 add eax,dword ptr ss:[ebp+406D3D]
00407347 8B18 mov ebx,dword ptr ds:[eax]
========================================
CTRL+B 查找80 BD ?? ?? ?? ?? 01 75 5E
来到
0040737D 80BD 326E4000 01 cmp byte ptr ss:[ebp+406E32],1 //到这里
00407384 EB 5E jnz short 考核.004073E4 // 把JNZ改成无条件跳JMP
00407386 3B85 0D6C4000 cmp eax,dword ptr ss:[ebp+406C0D]
0040738C 75 08 jnz short 考核.00407396
0040738E 8D85 40674000 lea eax,dword ptr ss:[ebp+406740]
00407394 EB 4E jmp short 考核.004073E4
00407396 3B85 1D6C4000 cmp eax,dword ptr ss:[ebp+406C1D]
0040739C 75 08 jnz short 考核.004073A6
0040739E 8D85 026A4000 lea eax,dword ptr ss:[ebp+406A02]
004073A4 EB 3E jmp short 考核.004073E4
004073A6 3B85 ED6B4000 cmp eax,dword ptr ss:[ebp+406BED]
004073AC 75 08 jnz short 考核.004073B6
004073AE 8D85 726A4000 lea eax,dword ptr ss:[ebp+406A72]
004073B4 EB 2E jmp short 考核.004073E4
========================================
修改后单步F8
走到
0040742B 5D pop ebp
F2断下 -----SHIFT+F9 运行-----断下
========================================
继续F8走,四步后来到一个RETN处,继续F8
========================================
00401700 55 db 55 ; CHAR 'U'
00401701 8B db 8B
00401702 EC db EC
00401703 6A db 6A ; CHAR 'j'
00401704 FF db FF
00401705 68 db 68 ; CHAR 'h'
00401706 00 db 00
00401707 25 db 25 ; CHAR '%'
00401708 40 db 40 ; CHAR '@'
00401709 00 db 00
0040170A 68 db 68 ; CHAR 'h'
0040170B 86 db 86
0040170C 18 db 18
0040170D 40 db 40 ; CHAR '@'
额……右键……分析代码……
00401700 /. 55 push ebp //传说中的OEP
00401701 |. 8BEC mov ebp,esp
00401703 |. 6A FF push -1
00401705 |. 68 00254000 push 考核.00402500
0040170A |. 68 86184000 push 考核.00401886 ; jmp to msvcrt._except_handler3; SE 句柄安装
0040170F |. 64:A1 00000000 mov eax,dword ptr fs:[0]
00401715 |. 50 push eax
00401716 |. 64:8925 00000000 mov dword ptr fs:[0],esp