一、破解目标:SDProtector1.1加壳的Test.exe(目标程序来自flyODBG)
二、破解工具:OllyDbg v1.10,LordPE
三、破解作者:DarkBull@email.com.cn
四、破解过程:
1.首先忽略所有异常,用OllyDbg载入,EP如下:
SDProtec.> 55 PUSH EBP
00457001 8BEC MOV EBP,ESP
00457003 6A FF PUSH -1
00457005 68 1D32130>PUSH 513321D
0045700A 68 8888880>PUSH 8888888
0045700F 64:A1 0000>MOV EAX,DWORD PTR FS:[0]
00457015 50 PUSH EAX
00457016 64:8925 00>MOV DWORD PTR FS:[0],ESP ; 仿VC入口
0045701D 58 POP EAX
0045701E 64:A3 0000>MOV DWORD PTR FS:[0],EAX
00457024 58 POP EAX
00457025 58 POP EAX
00457026 58 POP EAX
00457027 58 POP EAX
00457028 8BE8 MOV EBP,EAX
隐藏OD,给ZwQueryInformationProcess打补丁,下断HE CreateProcessA,拦截后堆栈如下:
0012FF98 004581F2 /CALL to CreateProcessA
0012FF9C 00000000 |ModuleFileName = NULL
0012FFA0 0045742C |CommandLine = ""C:\...\Test\SDProtector Test.EXE""
0012FFA4 00000000 |pProcessSecurity = NULL
0012FFA8 00000000 |pThreadSecurity = NULL
0012FFAC 00000001 |InheritHandles = TRUE
0012FFB0 00000000 |CreationFlags = 0
0012FFB4 00000000 |pEnvironment = NULL
0012FFB8 00000000 |CurrentDir = NULL
0012FFBC 00457530 |pStartupInfo = SDProtec.00457530
0012FFC0 0045741C \pProcessInfo = SDProtec.0045741C
SDP要创建子进程了,CreationFlags为0,没有调试子进程,创建后结束父进程,此时临时文件夹有个~temp0184331004.tmp。
2.用OD重新载入,下断HE ReadFile,返回后代码如下:
00464167 85C0 TEST EAX,EAX ; 读临时文件是否成功
00464169 75 19 JNZ SHORT SDProtec.00464184 ; 成功则跳
0046416B 837D FC 03 CMP DWORD PTR SS:[EBP-4],3
0046416F 0F84 69010>JE SDProtec.004642DE
00464175 6A 64 PUSH 64
00464177 E8 5530000>CALL SDProtec.004671D1
0046417C FF45 FC INC DWORD PTR SS:[EBP-4]
0046417F E9 3301000>JMP SDProtec.004642B7
00464184 9C PUSHFD
00464185 60 PUSHAD
00464186 0F31 RDTSC
00464188 8955 E8 MOV DWORD PTR SS:[EBP-18],EDX ; 保存时间
0046418B 8945 DC MOV DWORD PTR SS:[EBP-24],EAX ; 保存时间
0046418E 61 POPAD
0046418F 9D POPFD
00464190 837D F8 0C CMP DWORD PTR SS:[EBP-8],0C
00464194 73 6E JNB SHORT SDProtec.00464204
00464196 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00464199 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]
0046419C 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
0046419F 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
004641A2 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004641A5 894D F0 MOV DWORD PTR SS:[EBP-10],ECX
004641A8 50 PUSH EAX
004641A9 8955 F4 MOV DWORD PTR SS:[EBP-C],EDX
004641AC E8 BBFBFFF>CALL SDProtec.00463D6C
004641B1 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
004641B4 51 PUSH ECX
004641B5 E8 B2FBFFF>CALL SDProtec.00463D6C
004641BA 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004641BD 52 PUSH EDX
004641BE E8 A9FBFFF>CALL SDProtec.00463D6C
004641C3 8B75 E4 MOV ESI,DWORD PTR SS:[EBP-1C]
004641C6 6A 00 PUSH 0
004641C8 6A 00 PUSH 0
004641CA 6A 00 PUSH 0
004641CC 56 PUSH ESI
004641CD E8 6F38000>CALL SDProtec.00467A41
004641D2 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004641D5 6A 00 PUSH 0
004641D7 50 PUSH EAX
004641D8 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
004641DB 6A 0C PUSH 0C
004641DD 51 PUSH ECX
004641DE 56 PUSH ESI
004641DF E8 2138000>CALL SDProtec.00467A05
004641E4 85C0 TEST EAX,EAX
004641E6 0F85 1A010>JNZ SDProtec.00464306
004641EC 837D FC 03 CMP DWORD PTR SS:[EBP-4],3
004641F0 0F84 E8000>JE SDProtec.004642DE
004641F6 56 PUSH ESI
004641F7 E8 AD39000>CALL SDProtec.00467BA9
004641FC FF45 FC INC DWORD PTR SS:[EBP-4]
004641FF E9 B300000>JMP SDProtec.004642B7
00464204 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
00464207 52 PUSH EDX
00464208 E8 9C39000>CALL SDProtec.00467BA9
0046420D 8D85 A8FEF>LEA EAX,DWORD PTR SS:[EBP-158]
00464213 50 PUSH EAX
00464214 E8 FC36000>CALL SDProtec.00467915 ; 删除临时文件
00464219 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0046421C 51 PUSH ECX
0046421D E8 4AFBFFF>CALL SDProtec.00463D6C
00464222 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00464225 52 PUSH EDX
00464226 E8 41FBFFF>CALL SDProtec.00463D6C
0046422B 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0046422E 50 PUSH EAX
0046422F E8 38FBFFF>CALL SDProtec.00463D6C
00464234 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
00464237 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0046423A 2BC2 SUB EAX,EDX
0046423C 3D 401F000>CMP EAX,1F40 ; 时间间隔不能大于8秒
00464241 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
00464244 76 08 JBE SHORT SDProtec.0046424E ; 改为JMP
此时在第二段下内存访问断点,第三次拦截后,代码如下:
00464923 51 PUSH ECX
00464924 52 PUSH EDX
00464925 6A 10 PUSH 10
00464927 50 PUSH EAX
00464928 6A 14 PUSH 14
0046492A 53 PUSH EBX
0046492B E8 8ED1FFF>CALL SDProtec.00461ABE ; 解密IID
00464930 8B73 0C MOV ESI,DWORD PTR DS:[EBX+C]
00464933 85FF TEST EDI,EDI
00464935 74 0A JE SHORT SDProtec.00464941
00464937 8B4424 2C MOV EAX,DWORD PTR SS:[ESP+2C]
0046493B 03F5 ADD ESI,EBP
0046493D 03F0 ADD ESI,EAX
0046493F EB 02 JMP SHORT SDProtec.00464943
00464941 03F5 ADD ESI,EBP
00464943 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
00464947 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C]
0046494B 8D9424 400>LEA EDX,DWORD PTR SS:[ESP+140]
00464952 51 PUSH ECX
00464953 8B4B 04 MOV ECX,DWORD PTR DS:[EBX+4]
00464956 52 PUSH EDX
00464957 6A 10 PUSH 10
00464959 50 PUSH EAX
0046495A 51 PUSH ECX
0046495B 56 PUSH ESI
0046495C 897424 50 MOV DWORD PTR SS:[ESP+50],ESI
00464960 E8 59D1FFF>CALL SDProtec.00461ABE ; 解密ModuleName
........ 判断函数是否加密
00464ABD 837D 00 00 CMP DWORD PTR SS:[EBP],0
00464AC1 0F84 07060>JE SDProtec.004650CE
00464AC7 8D5424 3C LEA EDX,DWORD PTR SS:[ESP+3C]
00464ACB 8D8424 400>LEA EAX,DWORD PTR SS:[ESP+140]
00464AD2 52 PUSH EDX
00464AD3 50 PUSH EAX
00464AD4 6A 10 PUSH 10
00464AD6 57 PUSH EDI
00464AD7 6A 04 PUSH 4
00464AD9 55 PUSH EBP
00464ADA E8 DFCFFFF>CALL SDProtec.00461ABE ; 解密Thunk Data
00464ADF 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C]
00464AE3 8D9424 400>LEA EDX,DWORD PTR SS:[ESP+140]
00464AEA 51 PUSH ECX
00464AEB 52 PUSH EDX
00464AEC 6A 10 PUSH 10
00464AEE 57 PUSH EDI
00464AEF 6A 04 PUSH 4
00464AF1 56 PUSH ESI
00464AF2 E8 C7CFFFF>CALL SDProtec.00461ABE ; 解密IAT
00464AF7 8B8424 480>MOV EAX,DWORD PTR SS:[ESP+448]
00464AFE 85C0 TEST EAX,EAX
00464B00 8B45 00 MOV EAX,DWORD PTR SS:[EBP]
00464B03 74 0F JE SHORT SDProtec.00464B14
00464B05 8B4C24 30 MOV ECX,DWORD PTR SS:[ESP+30]
00464B09 8D1C01 LEA EBX,DWORD PTR DS:[ECX+EAX]
00464B0C 8B4C24 2C MOV ECX,DWORD PTR SS:[ESP+2C]
00464B10 03D9 ADD EBX,ECX
00464B12 EB 07 JMP SHORT SDProtec.00464B1B
00464B14 8B5424 30 MOV EDX,DWORD PTR SS:[ESP+30]
00464B18 8D1C02 LEA EBX,DWORD PTR DS:[EDX+EAX]
00464B1B A9 0000008>TEST EAX,80000000 ; 是否为序号引入
00464B20 0F84 1F010>JE SDProtec.00464C45 ; 不是则跳
00464B26 8B4C24 24 MOV ECX,DWORD PTR SS:[ESP+24]
00464B2A 85C9 TEST ECX,ECX
00464B2C 8B8C24 480>MOV ECX,DWORD PTR SS:[ESP+448]
00464B33 0F84 AB000>JE SDProtec.00464BE4
00464B39 85C9 TEST ECX,ECX
00464B3B 0F84 ED000>JE SDProtec.00464C2E
00464B41 25 FFFFFF7>AND EAX,7FFFFFFF
00464B46 83F8 01 CMP EAX,1
00464B49 75 11 JNZ SHORT SDProtec.00464B5C
00464B4B 68 0FBB400>PUSH SDProtec.0040BB0F
00464B50 E8 2F74FFF>CALL SDProtec.0045BF84
00464B55 8906 MOV DWORD PTR DS:[ESI],EAX
00464B57 E9 5B05000>JMP SDProtec.004650B7
00464B5C 83F8 02 CMP EAX,2
00464B5F 75 11 JNZ SHORT SDProtec.00464B72
00464B61 68 1DBB400>PUSH SDProtec.0040BB1D
00464B66 E8 1974FFF>CALL SDProtec.0045BF84
00464B6B 8906 MOV DWORD PTR DS:[ESI],EAX
00464B6D E9 4505000>JMP SDProtec.004650B7
00464B72 83F8 03 CMP EAX,3
00464B75 75 11 JNZ SHORT SDProtec.00464B88
00464B77 68 33BB400>PUSH SDProtec.0040BB33
00464B7C E8 0374FFF>CALL SDProtec.0045BF84
00464B81 8906 MOV DWORD PTR DS:[ESI],EAX
00464B83 E9 2F05000>JMP SDProtec.004650B7
00464B88 83F8 04 CMP EAX,4
00464B8B 75 11 JNZ SHORT SDProtec.00464B9E
00464B8D 68 46BB400>PUSH SDProtec.0040BB46
00464B92 E8 ED73FFF>CALL SDProtec.0045BF84
00464B97 8906 MOV DWORD PTR DS:[ESI],EAX
00464B99 E9 1905000>JMP SDProtec.004650B7
00464B9E 83F8 05 CMP EAX,5
00464BA1 75 11 JNZ SHORT SDProtec.00464BB4
00464BA3 68 59BB400>PUSH SDProtec.0040BB59
00464BA8 E8 D773FFF>CALL SDProtec.0045BF84
00464BAD 8906 MOV DWORD PTR DS:[ESI],EAX
00464BAF E9 0305000>JMP SDProtec.004650B7
00464BB4 83F8 06 CMP EAX,6
00464BB7 75 11 JNZ SHORT SDProtec.00464BCA
00464BB9 68 6CBB400>PUSH SDProtec.0040BB6C
00464BBE E8 C173FFF>CALL SDProtec.0045BF84
00464BC3 8906 MOV DWORD PTR DS:[ESI],EAX
00464BC5 E9 ED04000>JMP SDProtec.004650B7
00464BCA 83F8 07 CMP EAX,7
00464BCD 0F85 E4040>JNZ SDProtec.004650B7
00464BD3 68 7FBB400>PUSH SDProtec.0040BB7F
00464BD8 E8 A773FFF>CALL SDProtec.0045BF84
00464BDD 8906 MOV DWORD PTR DS:[ESI],EAX
00464BDF E9 D304000>JMP SDProtec.004650B7
00464BE4 85C9 TEST ECX,ECX
00464BE6 74 46 JE SHORT SDProtec.00464C2E
00464BE8 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
00464BEC 85C9 TEST ECX,ECX
00464BEE 74 19 JE SHORT SDProtec.00464C09
00464BF0 8B06 MOV EAX,DWORD PTR DS:[ESI]
00464BF2 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
00464BF6 25 FFFFFF7>AND EAX,7FFFFFFF
00464BFB 50 PUSH EAX
00464BFC 51 PUSH ECX
00464BFD E8 332B000>CALL SDProtec.00467735
00464C02 8906 MOV DWORD PTR DS:[ESI],EAX
00464C04 E9 AE04000>JMP SDProtec.004650B7
00464C09 8B4C24 28 MOV ECX,DWORD PTR SS:[ESP+28]
00464C0D 85C9 TEST ECX,ECX
00464C0F 74 1D JE SHORT SDProtec.00464C2E
00464C11 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10]
00464C15 25 FFFFFF7>AND EAX,7FFFFFFF
00464C1A 50 PUSH EAX
00464C1B 52 PUSH EDX
00464C1C E8 2DCBFFF>CALL SDProtec.0046174E
00464C21 50 PUSH EAX
00464C22 E8 39F8FFF>CALL SDProtec.00464460
00464C27 8906 MOV DWORD PTR DS:[ESI],EAX
00464C29 E9 8904000>JMP SDProtec.004650B7
00464C2E 25 FFFFFF7>AND EAX,7FFFFFFF
00464C33 50 PUSH EAX
00464C34 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
00464C38 50 PUSH EAX
00464C39 E8 10CBFFF>CALL SDProtec.0046174E
00464C3E 8906 MOV DWORD PTR DS:[ESI],EAX
00464C40 E9 7204000>JMP SDProtec.004650B7
00464C45 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
00464C49 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C]
00464C4D 8D9424 400>LEA EDX,DWORD PTR SS:[ESP+140]
00464C54 51 PUSH ECX
00464C55 52 PUSH EDX
00464C56 6A 10 PUSH 10
00464C58 50 PUSH EAX
00464C59 6A 02 PUSH 2
00464C5B 53 PUSH EBX
00464C5C E8 5DCEFFF>CALL SDProtec.00461ABE ; 解密Hint
00464C61 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C]
00464C65 8D9424 400>LEA EDX,DWORD PTR SS:[ESP+140]
00464C6C 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
00464C70 51 PUSH ECX
00464C71 33C9 XOR ECX,ECX
00464C73 52 PUSH EDX
00464C74 66:8B0B MOV CX,WORD PTR DS:[EBX]
00464C77 6A 10 PUSH 10
00464C79 8D7B 02 LEA EDI,DWORD PTR DS:[EBX+2]
00464C7C 50 PUSH EAX
00464C7D 51 PUSH ECX
00464C7E 57 PUSH EDI
00464C7F E8 3ACEFFF>CALL SDProtec.00461ABE ; 解密FuncName
00464C84 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]
00464C88 85C0 TEST EAX,EAX
00464C8A 8B8424 480>MOV EAX,DWORD PTR SS:[ESP+448]
00464C91 0F84 16010>JE SDProtec.00464DAD
........ 一些需要特殊照顾的常用函数。
00465015 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
00465019 57 PUSH EDI
0046501A 50 PUSH EAX
0046501B E8 2EC7FFF>CALL SDProtec.0046174E ; GetProcAddress
00465020 50 PUSH EAX
00465021 E8 3AF4FFF>CALL SDProtec.00464460 ; 地址进行转换
00465026 90 NOP ; 加密IAT(nop掉)
00465027 90 NOP
00465028 EB 73 JMP SHORT SDProtec.0046509D
0046502A 68 C8E6400>PUSH SDProtec.0040E6C8
0046502F E8 506FFFF>CALL SDProtec.0045BF84
00465034 50 PUSH EAX
00465035 57 PUSH EDI
00465036 E8 7E78FFF>CALL SDProtec.0045C8B9
0046503B 85C0 TEST EAX,EAX
0046503D 75 0E JNZ SHORT SDProtec.0046504D
0046503F 68 6CD6400>PUSH SDProtec.0040D66C
00465044 E8 3B6FFFF>CALL SDProtec.0045BF84
00465049 8906 MOV DWORD PTR DS:[ESI],EAX
0046504B EB 50 JMP SHORT SDProtec.0046509D
0046504D 68 A9D6400>PUSH SDProtec.0040D6A9
00465052 E8 2D6FFFF>CALL SDProtec.0045BF84
00465057 50 PUSH EAX
00465058 57 PUSH EDI
00465059 E8 5B78FFF>CALL SDProtec.0045C8B9
0046505E 85C0 TEST EAX,EAX
00465060 75 0E JNZ SHORT SDProtec.00465070
00465062 68 C0D6400>PUSH SDProtec.0040D6C0
00465067 E8 186FFFF>CALL SDProtec.0045BF84
0046506C 8906 MOV DWORD PTR DS:[ESI],EAX
0046506E EB 2D JMP SHORT SDProtec.0046509D
00465070 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
00465074 57 PUSH EDI
00465075 51 PUSH ECX
00465076 E8 D3C6FFF>CALL SDProtec.0046174E
0046507B 8906 MOV DWORD PTR DS:[ESI],EAX
0046507D EB 1E JMP SHORT SDProtec.0046509D
0046507F 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10]
00465083 57 PUSH EDI
00465084 52 PUSH EDX
00465085 E8 C4C6FFF>CALL SDProtec.0046174E
0046508A 8906 MOV DWORD PTR DS:[ESI],EAX
0046508C 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]
00465090 85C9 TEST ECX,ECX
00465092 74 09 JE SHORT SDProtec.0046509D
00465094 8901 MOV DWORD PTR DS:[ECX],EAX
00465096 83C1 04 ADD ECX,4
00465099 894C24 14 MOV DWORD PTR SS:[ESP+14],ECX
0046509D 33C0 XOR EAX,EAX
0046509F 66:8B03 MOV AX,WORD PTR DS:[EBX]
004650A2 50 PUSH EAX
004650A3 68 FF00000>PUSH 0FF
004650A8 57 PUSH EDI
004650A9 E8 C785FFF>CALL SDProtec.0045D675 ; 清除Name
004650AE 90 NOP ; 清除序号(nop掉)
004650AF 90 NOP
004650B0 90 NOP
004650B1 90 NOP
004650B2 90 NOP
004650B3 8B7C24 18 MOV EDI,DWORD PTR SS:[ESP+18]
004650B7 3BEE CMP EBP,ESI
004650B9 74 08 JE SHORT SDProtec.004650C3
004650BB 6A 04 PUSH 4
004650BD 55 PUSH EBP
004650BE E8 1C78FFF>CALL SDProtec.0045C8DF ; 清除Thunk Data
004650C3 83C5 04 ADD EBP,4
004650C6 83C6 04 ADD ESI,4
004650C9 ^ E9 EFF9FFF>JMP SDProtec.00464ABD ; 处理下一个函数
004650CE E8 7F88FFF>CALL SDProtec.0045D952
004650D3 8B7424 20 MOV ESI,DWORD PTR SS:[ESP+20]
004650D7 8B5424 38 MOV EDX,DWORD PTR SS:[ESP+38]
004650DB 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
004650DE 51 PUSH ECX
004650DF 68 FF00000>PUSH 0FF
004650E4 52 PUSH EDX
004650E5 E8 8B85FFF>CALL SDProtec.0045D675
004650EA 6A 14 PUSH 14
004650EC 56 PUSH ESI
004650ED E8 ED77FFF>CALL SDProtec.0045C8DF
004650F2 83C6 14 ADD ESI,14
004650F5 8B6C24 30 MOV EBP,DWORD PTR SS:[ESP+30]
004650F9 8BBC24 480>MOV EDI,DWORD PTR SS:[ESP+448]
00465100 897424 20 MOV DWORD PTR SS:[ESP+20],ESI
00465104 8BDE MOV EBX,ESI
00465106 8B7424 14 MOV ESI,DWORD PTR SS:[ESP+14]
0046510A ^ E9 F3F7FFF>JMP SDProtec.00464902 ; 处理下一个IID
修改上述几处后,可得到完整的IID,不再需要ImportREC了。
3.继续运行,直到如下处:
0045B8FB F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; EDI=>OEP
0045B8FD 83F9 00 CMP ECX,0
0045B900 7E 13 JLE SHORT SDProtec.0045B915
0045B902 EB 01 JMP SHORT SDProtec.0045B905
0045B904 E8 4FFFD77>CALL 751DB858
0045B909 0375 01 ADD ESI,DWORD PTR SS:[EBP+1]
0045B90C FF57 47 CALL NEAR DWORD PTR DS:[EDI+47]
0045B90F 49 DEC ECX
0045B910 ^ 7F E9 JG SHORT SDProtec.0045B8FB
0045B912 EB 01 JMP SHORT SDProtec.0045B915
在00401055处下断点,拦截后DUMP下来,用LordPE作一些优化,去掉垃圾段。
2005-5-18
附件:Unpack.rar
顺便请教一下,为什么Test(OutPutDebugString)1.exe(见附件)脱壳后用PEID0.93查还为ARM1.XX的壳.
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!