一程序用fi301r查看是Armadillo 3.01加壳,用PEiD v0.93查看是Armadillo 3.00a-3.61,运行后查看是双进程,按前辈们的文章脱壳时遇到问题,在此求教!谢谢!
由于权限不够,不能使用附件功能。只好给出程序连接:http://www.fairysoft.net/billiardgl/BilliardGL4.zip
脱壳过程如下:
设置Ollydbg忽略所有的异常选项。用IsDebug 1.4插件去掉Ollydbg的调试器标志
BP OpenMutexA
查看堆栈,注意到0012fbb4
在401000处输入经典代码
pushad
pushfd
push 0012fbb4
push 0
push 0
call kernel32.CreateMutexA
popfd
popad
jmp kernel32.OpenMutexA
在401000新建起源,F9运行,将双进程转为单进程,取消OpenMutexA断点
BP GetModuleHandleA,到下面
77E63DFC K> 55 push ebp <==停在此处,取消GetModuleHandleA断点
77E63DFD 8BEC mov ebp,esp
77E63DFF 837D 08 00 cmp dword ptr ss:[ebp+8],0
77E63E03 74 18 je short KERNEL32.77E63E1D <==在此处重新下断点
77E63E05 FF75 08 push dword ptr ss:[ebp+8]
77E63E08 E8 87FFFFFF call KERNEL32.77E63D94
77E63E0D 85C0 test eax,eax
77E63E0F 74 08 je short KERNEL32.77E63E19
77E63E11 FF70 04 push dword ptr ds:[eax+4]
77E63E14 E8 3F240000 call KERNEL32.GetModuleHandleW
77E63E19 5D pop ebp
77E63E1A C2 0400 retn 4
9次F9,第10次异常,忽略SHIFT+F9运行,ALT+F9返回到下面
00A57994 50 push eax
00A57995 FF15 C480A700 call dword ptr ds:[A780C4] ; KERNEL32.GetModuleHandleA
00A5799B 8B0D E011A800 mov ecx,dword ptr ds:[A811E0] <==返回到此处
00A579A1 89040E mov dword ptr ds:[esi+ecx],eax
00A579A4 A1 E011A800 mov eax,dword ptr ds:[A811E0]
00A579A9 393C06 cmp dword ptr ds:[esi+eax],edi
00A579AC 75 16 jnz short 00A579C4
00A579AE 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C]
00A579B4 50 push eax
00A579B5 FF15 CC80A700 call dword ptr ds:[A780CC] ; KERNEL32.LoadLibraryA
00A579BB 8B0D E011A800 mov ecx,dword ptr ds:[A811E0]
00A579C1 89040E mov dword ptr ds:[esi+ecx],eax
00A579C4 A1 E011A800 mov eax,dword ptr ds:[A811E0]
00A579C9 393C06 cmp dword ptr ds:[esi+eax],edi
00A579CC 0F84 AD000000 je 00A57A7F <==这就是 Magic Jump ,改为 jmp 00A57A7F
00A579D2 33C9 xor ecx,ecx
00A579D4 8B03 mov eax,dword ptr ds:[ebx]
00A579D6 3938 cmp dword ptr ds:[eax],edi
00A579D8 74 06 je short 00A579E0
搜索命令序列[sub edi,ecx
call edi]
可看到以下代码,在00A745FD处下断点,F9运行却不能中断到00A745FD(注:在00A745E1,00A745E4,00A745E7,00A745E9,00A745EE,00A745EF,00A745F4,00A745F7,00A745FA,
00A745FD,00A745FF处全部下上断点也都无法中断,全是到了00A706B2处,下GetCurrentThreadId断点也到不了)
00A74557 E8 7918FEFF call 00A55DD5
00A7455C C705 DCDBA700 EC>mov dword ptr ds:[A7DBDC],0A7E6E>; ASCII "RB"
00A74566 FF15 1481A700 call dword ptr ds:[A78114] ; KERNEL32.GetCurrentThreadId
00A7456C A3 AC56A800 mov dword ptr ds:[A856AC],eax
00A74571 E8 1537FEFF call 00A57C8B
00A74576 6A 00 push 0
00A74578 E8 648FFEFF call 00A5D4E1
00A7457D 6A 00 push 0
00A7457F C705 DCDBA700 E8>mov dword ptr ds:[A7DBDC],0A7E6E>; ASCII "RC"
00A74589 E8 7231FEFF call 00A57700
00A7458E 59 pop ecx
00A7458F 59 pop ecx
00A74590 E8 4A11FFFF call 00A656DF
00A74595 8BF8 mov edi,eax
00A74597 A1 9455A800 mov eax,dword ptr ds:[A85594]
00A7459C 8B48 70 mov ecx,dword ptr ds:[eax+70]
00A7459F 3348 40 xor ecx,dword ptr ds:[eax+40]
00A745A2 3348 08 xor ecx,dword ptr ds:[eax+8]
00A745A5 03F9 add edi,ecx
00A745A7 8B0E mov ecx,dword ptr ds:[esi]
00A745A9 85C9 test ecx,ecx
00A745AB 75 2F jnz short 00A745DC
00A745AD 8B78 70 mov edi,dword ptr ds:[eax+70]
00A745B0 E8 2A11FFFF call 00A656DF
00A745B5 8B0D 9455A800 mov ecx,dword ptr ds:[A85594] ; Billiard.0047A260
00A745BB FF76 14 push dword ptr ds:[esi+14]
00A745BE 8B51 40 mov edx,dword ptr ds:[ecx+40]
00A745C1 FF76 10 push dword ptr ds:[esi+10]
00A745C4 3351 08 xor edx,dword ptr ds:[ecx+8]
00A745C7 FF76 0C push dword ptr ds:[esi+C]
00A745CA 33D7 xor edx,edi
00A745CC 03C2 add eax,edx
00A745CE 8B51 68 mov edx,dword ptr ds:[ecx+68]
00A745D1 3351 04 xor edx,dword ptr ds:[ecx+4]
00A745D4 33D7 xor edx,edi
00A745D6 2BC2 sub eax,edx
00A745D8 FFD0 call eax
00A745DA EB 25 jmp short 00A74601
00A745DC 83F9 01 cmp ecx,1
00A745DF 75 22 jnz short 00A74603
00A745E1 FF76 04 push dword ptr ds:[esi+4]
00A745E4 FF76 08 push dword ptr ds:[esi+8]
00A745E7 6A 00 push 0
00A745E9 E8 F110FFFF call 00A656DF
00A745EE 50 push eax
00A745EF A1 9455A800 mov eax,dword ptr ds:[A85594]
00A745F4 8B48 70 mov ecx,dword ptr ds:[eax+70]
00A745F7 3348 68 xor ecx,dword ptr ds:[eax+68]
00A745FA 3348 04 xor ecx,dword ptr ds:[eax+4]
00A745FD 2BF9 sub edi,ecx
00A745FF FFD7 call edi <==这里应该是到OEP了,可怎么也到不了!
00A74601 8BD8 mov ebx,eax
00A74603 5F pop edi
00A74604 8BC3 mov eax,ebx
00A74606 5E pop esi
00A74607 5B pop ebx
00A74608 C3 retn
00A74609 837C24 08 01 cmp dword ptr ss:[esp+8],1
00A7460E 75 14 jnz short 00A74624
00A74610 68 D851A800 push 0A851D8
00A74615 FF15 9082A700 call dword ptr ds:[A78290] ; KERNEL32.InitializeCriticalSection
而是到了下面00A706B2处
00A706A0 D3EB shr ebx,cl
00A706A2 83E3 0F and ebx,0F
00A706A5 03F3 add esi,ebx
00A706A7 A1 3857A800 mov eax,dword ptr ds:[A85738]
00A706AC 8B0D 9455A800 mov ecx,dword ptr ds:[A85594] ; Billiard.0047A260
00A706B2 8B04B0 mov eax,dword ptr ds:[eax+esi*4] <==停在此处,显示“被调试的程序无法处理异常”
00A706B5 3341 54 xor eax,dword ptr ds:[ecx+54]
00A706B8 8B0D 9455A800 mov ecx,dword ptr ds:[A85594] ; Billiard.0047A260
00A706BE 3341 04 xor eax,dword ptr ds:[ecx+4]
00A706C1 8B0D 9455A800 mov ecx,dword ptr ds:[A85594] ; Billiard.0047A260
00A706C7 3341 74 xor eax,dword ptr ds:[ecx+74]
再F7程序就终止了!
就差这一步了,请教各位老大,给个指点,谢谢先!
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!