壳虽然旧点,就当科普,感谢海浪轻风前辈提供加壳文件。脱壳后小逆一下,用delphi实现了类似功能,不敢独享,希望大伙喜欢。
yoda's Protector 1.03.3脱壳笔记 天易love 2011-9-25
海浪轻风前辈在<<自制一个带OpenGL特效的注册机>>一文中提供了一个注册机,偶以为是打包的源文件,
原来是加了yoda's Protector 1.03.3 -> Ashkbiz Danehkar壳的可执行文件,真是太伤人了!
fly大侠好像有过一篇相关文章,那是我脱完之后才发现的,灰常郁闷,就当练练手吧!如果你想练习一
下脱壳,可以忽略掉所有异常再设置以下硬件断点,就可以跳过前面的int3产生的异常:
43b9b1
43bd14
43d884
43DC8C
如果你不觉得麻烦就可以不忽略掉所有异常,然后你就会遇到5、6个int3产生的异常,这时根据堆栈找到
下步要去的地址。
上来就是反调试,先根据getversion的返回值eax选择反调试方式:
0043C422 C785 F4074100 0>MOV DWORD PTR SS:[EBP+4107F4],2
0043C42C EB 40 JMP SHORT MyOpenGL.0043C46E
0043C42E 3C 03 CMP AL,3
0043C430 75 3C JNZ SHORT MyOpenGL.0043C46E
0043C432 C785 F4074100 0>MOV DWORD PTR SS:[EBP+4107F4],1
0043C43C EB 30 JMP SHORT MyOpenGL.0043C46E
0043C43E 3C 03 CMP AL,3 //windows 3.x
0043C440 75 0C JNZ SHORT MyOpenGL.0043C44E
0043C442 C785 F4074100 0>MOV DWORD PTR SS:[EBP+4107F4],4
0043C44C EB 20 JMP SHORT MyOpenGL.0043C46E
0043C44E 3C 04 CMP AL,4 //windows 9x/NT4.0
0043C450 75 0C JNZ SHORT MyOpenGL.0043C45E
0043C452 C785 F4074100 0>MOV DWORD PTR SS:[EBP+4107F4],8
0043C45C EB 10 JMP SHORT MyOpenGL.0043C46E
0043C45E 3C 05 CMP AL,5 //windows 2000/XP
0043C460 75 0C JNZ SHORT MyOpenGL.0043C46E
0043C462 C785 F4074100 1>MOV DWORD PTR SS:[EBP+4107F4],10 //反调试手段的标志
0043B96A 50 PUSH EAX
0043B96B E8 1DFDFFFF CALL MyOpenGL.0043B68D User32.FindWindowA
0043B970 8985 FC074100 MOV DWORD PTR SS:[EBP+4107FC],EAX
0043B976 E8 18FDFFFF CALL MyOpenGL.0043B693 User32.GetTopWindow
0043B97B 8985 04084100 MOV DWORD PTR SS:[EBP+410804],EAX
0043B981 E8 03000000 CALL MyOpenGL.0043B989
0043B986 EB 01 JMP SHORT MyOpenGL.0043B989
0043B988 - E9 E827FCFF JMP 003FE175
0043B98D FF50 50 CALL DWORD PTR DS:[EAX+50]
0043B990 E8 68FCFFFF CALL MyOpenGL.0043B5FD kernel32.GetPriorityClass
0043B995 8985 0C084100 MOV DWORD PTR SS:[EBP+41080C],EAX
0043B99B 58 POP EAX
0043B99C 68 80000000 PUSH 80
0043B9A1 50 PUSH EAX
0043B9A2 E8 50FCFFFF CALL MyOpenGL.0043B5F7 kernel32.SetPriorityClass
0043B9A7 F785 F4074100 0>TEST DWORD PTR SS:[EBP+4107F4],8 //反调试手段的标志,根据windows版本初始化
0043B9B1 75 07 JNZ SHORT MyOpenGL.0043B9BA //第一个硬件断点 必须让它跳走
0043B9B3 6A 01 PUSH 1
0043B9B5 E8 BBFCFFFF CALL MyOpenGL.0043B675 User32.BlockInput 禁用鼠标键盘
0043B9BA BA 00000000 MOV EDX,0
0043B9BF F785 14084100 0>TEST DWORD PTR SS:[EBP+410814],1
0043B9C9 75 05 JNZ SHORT MyOpenGL.0043B9D0
0043BD0A F785 F4074100 0>TEST DWORD PTR SS:[EBP+4107F4],2
0043BD14 75 10 JNZ SHORT MyOpenGL.0043BD26 //第二个硬件断点 必须让它跳走,否则
0043BD16 BB 01000000 MOV EBX,1
0043BD1B 8B85 E8074100 MOV EAX,DWORD PTR SS:[EBP+4107E8]
0043BD21 E8 3D030000 CALL MyOpenGL.0043C063 //结束od调试线程
0043BD26 6A F0 PUSH -10
0043BD28 8B85 FC074100 MOV EAX,DWORD PTR SS:[EBP+4107FC]
0043BD2E 50 PUSH EAX
0043BD2F E8 47F9FFFF CALL MyOpenGL.0043B67B User32.GetWindowLongA
0043BD34 8985 00084100 MOV DWORD PTR SS:[EBP+410800],EAX
0043BD3A 0D 00000008 OR EAX,8000000 //禁用任务栏 WS_EX_NOACTIVATE = $08000000;
0043BD3F 50 PUSH EAX //如果nop该行就会出错,因为这段代码是被保护的,先不管它
0043BD40 6A F0 PUSH -10
0043BD42 8B85 FC074100 MOV EAX,DWORD PTR SS:[EBP+4107FC]
0043BD48 50 PUSH EAX
0043BD49 E8 33F9FFFF CALL MyOpenGL.0043B681 User32.SetWindowLongA
堆栈中数据:
0012EBF4 00090130 |hWnd = 00090130 (class='Shell_TrayWnd') //修改任务栏窗口的风格
0012EBF8 FFFFFFF0 |Index = GWL_STYLE
0012EBFC 96000000 \NewValue = 96000000
壳的一些准备工作:
0043BDD8 E8 03000000 CALL MyOpenGL.0043BDE0 // 重点call 跟进
0043BDDD EB 01 JMP SHORT MyOpenGL.0043BDE0
0043BDE0 8BBD E0074100 MOV EDI,DWORD PTR SS:[EBP+4107E0]
0043BDE6 037F 3C ADD EDI,DWORD PTR DS:[EDI+3C]
0043BDE9 8BB5 E0074100 MOV ESI,DWORD PTR SS:[EBP+4107E0]
0043BDEF 8B4F 54 MOV ECX,DWORD PTR DS:[EDI+54]
0043BDF2 8D85 7B0C4100 LEA EAX,DWORD PTR SS:[EBP+410C7B]
0043BDF8 50 PUSH EAX
0043BDF9 6A 04 PUSH 4
0043BDFB 51 PUSH ECX
0043BDFC FFB5 E0074100 PUSH DWORD PTR SS:[EBP+4107E0]
0043BE02 E8 72F7FFFF CALL MyOpenGL.0043B579 kernel32.VirtualProtect
.......
0043BE49 57 PUSH EDI
0043BE4A 50 PUSH EAX
0043BE4B E8 2FF7FFFF CALL MyOpenGL.0043B57F kernel32.GetModuleFileNameA
0043BE50 6A 00 PUSH 0
0043BE52 68 80000000 PUSH 80
0043BE57 6A 03 PUSH 3
0043BE59 6A 00 PUSH 0
0043BE5B 6A 01 PUSH 1
0043BE5D 68 00000080 PUSH 80000000
0043BE62 57 PUSH EDI
0043BE63 E8 1DF7FFFF CALL MyOpenGL.0043B585 kernel32.CreateFileA
0043BE68 83F8 FF CMP EAX,-1
0043BE6B 75 07 JNZ SHORT MyOpenGL.0043BE74
0043BE6D 33C0 XOR EAX,EAX
0043BE6F E9 26010000 JMP MyOpenGL.0043BF9A
0043BE74 8BF8 MOV EDI,EAX
0043BE76 6A 00 PUSH 0
0043BE78 57 PUSH EDI
0043BE79 E8 1FF7FFFF CALL MyOpenGL.0043B59D kernel32.GetFileSize
0043BE7E 50 PUSH EAX
0043BE7F 57 PUSH EDI
0043BE80 56 PUSH ESI
0043BE81 8BBD E0074100 MOV EDI,DWORD PTR SS:[EBP+4107E0]
0043BE87 037F 3C ADD EDI,DWORD PTR DS:[EDI+3C]
0043BE8A 8BF7 MOV ESI,EDI
0043BE8C 83C6 06 ADD ESI,6
0043BE8F 33C9 XOR ECX,ECX
0043BE91 66:8B0E MOV CX,WORD PTR DS:[ESI]
0043BE94 49 DEC ECX
0043BE95 81C6 F2000000 ADD ESI,0F2
0043BE9B B8 28000000 MOV EAX,28
0043BEA0 F7E1 MUL ECX
0043BEA2 03F0 ADD ESI,EAX
0043BEA4 83C6 10 ADD ESI,10 // .do 加壳文件的最后一个节
0043BEA7 8B0E MOV ECX,DWORD PTR DS:[ESI]
........
0043BEB5 56 PUSH ESI
0043BEB6 6A 40 PUSH 40
0043BEB8 E8 CEF6FFFF CALL MyOpenGL.0043B58B kernel32.GlobalAlloc
0043BEBD 83F8 00 CMP EAX,0
0043BEC0 75 05 JNZ SHORT MyOpenGL.0043BEC7
0043BEC2 E9 CB000000 JMP MyOpenGL.0043BF92
0043BEC7 93 XCHG EAX,EBX
0043BEC8 6A 00 PUSH 0
0043BECA 8D85 7B0C4100 LEA EAX,DWORD PTR SS:[EBP+410C7B]
0043BED0 50 PUSH EAX
0043BED1 56 PUSH ESI
0043BED2 53 PUSH EBX
0043BED3 57 PUSH EDI
0043BED4 E8 BEF6FFFF CALL MyOpenGL.0043B597 ReadFile 整个文件
0043BED9 8BC3 MOV EAX,EBX
0043BEDB 8BCE MOV ECX,ESI
0043BEDD 53 PUSH EBX
0043BEDE 57 PUSH EDI
0043BEDF 51 PUSH ECX
0043BEE0 50 PUSH EAX
0043BEE1 E8 71000000 CALL MyOpenGL.0043BF57 //先计算整个文件的校验值
0043BEE6 83C4 08 ADD ESP,8
0043BEE9 8985 E4074100 MOV DWORD PTR SS:[EBP+4107E4],EAX //校验值存放到该处
0043BEEF 5F POP EDI
0043BEF0 5B POP EBX
0043BEF1 E8 03000000 CALL MyOpenGL.0043BEF9 // 跳走进行下面的解码工作
0043BEF6 EB 01 JMP SHORT MyOpenGL.0043BEF9
0043BEF8 - E9 8D8541EA JMP EA85448A
0043BEFD 40 INC EAX
首先将.do 节中偏移30AA处的数据先用简单的运算得到:
0043E0AA 96 75 AC A3 90 8F 8E 8D A6 7D 24 7B 88 87 86 85 杣悘帊${垏唴
0043E0BA 8E 05 04 81 80 7F 7E 7D 65 2D 95 6C 13 6A 76 75 ?亐~}e-昹jvu
0043E0CA 5D 0E 4D F4 70 6F 6E 6D 55 F6 85 5C 03 5A 66 65 ]M魀onmU鰠\Zfe
0043E0DA 4D EE E5 EC 63 5F 5E 5D 45 96 D3 CA 58 57 56 55 M铄靋_^]E栍蔢WVU
0043E0EA 3D 6E 35 51 50 4F 4E 4D 4C 4B 4A 49 48 47 46 45 =n5QPONMLKJIHGFE
0043E0FA 44 43 42 41 40 3F 3E 3D 3C 3B 3A 39 38 37 36 35 DCBA@?>=<;:98765
0043E10A 34 33 32 31 30 2F 2E 2D 2C 2B 2A 29 28 27 26 25 43210/.-,+*)('&%
0043E11A 24 23 22 21 20 1F 1E 1D 1C 1B 1A 19 18 17 16 15 $#"!
0043E12A 14 13 12 11 10 0F 0E 0D 0C 0B 0A 09 08 07 06 05 ....
0043E13A 04 03 02 01 00 FF FE FD FC FB FA F9 F8 F7 F6 F5 .鲺
0043E14A E7 0E C6 C9 F0 EF EE ED EC EB EA E9 D1 DA D9 D8 ?粕痫铐祀觊掩儇
0043E15A E4 E3 E2 E1 E2 45 58 50 4C 4F 52 45 52 2E 45 58 溷忉釫XPLORER.EX
0043E16A 45 00 5C 5C 2E 5C 53 49 43 45 00 5C 5C 2E 5C 4E E.\\.\SICE.\\.\N
0043E17A 54 49 43 45 00 53 68 65 6C 6C 5F 54 72 61 79 57 TICE.Shell_TrayW
0043E18A 6E 64 00 4F 4C 4C 59 44 42 47 00 nd.OLLYDBG.
再使用该段代码
0043BF22 AC LODS BYTE PTR DS:[ESI]
0043BF27 C0C8 B8 ROR AL,0B8
0043BF2D 2AC1 SUB AL,CL
0043BF2F 2C A8 SUB AL,0A8
0043BF31 C0C0 1D ROL AL,1D
0043BF35 2C E3 SUB AL,0E3
0043BF3D FEC8 DEC AL
0043BF4A 04 C2 ADD AL,0C2
0043BF4C 2C BB SUB AL,0BB
0043BF51 34 09 XOR AL,9
0043BF53 AA STOS BYTE PTR ES:[EDI]
0043BF54 ^\E2 CC LOOPD SHORT MyOpenGL.0043BF22
进一步解密得到:
0043E0AA 43 4F 44 45 00 00 00 00 44 41 54 41 00 00 00 00 CODE....DATA....
0043E0BA 42 53 53 00 00 00 00 00 2E 69 64 61 74 61 00 00 BSS......idata..
0043E0CA 2E 74 6C 73 00 00 00 00 2E 72 64 61 74 61 00 00 .tls.....rdata..
0043E0DA 2E 72 73 72 63 00 00 00 2E 78 30 31 00 00 00 00 .rsrc....x01....
0043E0EA 2E 64 6F 00 00 00 00 00 00 00 00 00 00 00 00 00 .do.............
0043E0FA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0043E10A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0043E11A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0043E12A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0043E13A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0043E14A 61 64 8D 0D 00 00 00 00 00 00 00 00 2E 61 61 61 ad?.........aaa
0043E15A 00 00 00 00 43 45 58 50 4C 4F 52 45 52 2E 45 58 ....CEXPLORER.EX
0043E16A 45 00 5C 5C 2E 5C 53 49 43 45 00 5C 5C 2E 5C 4E E.\\.\SICE.\\.\N
0043E17A 54 49 43 45 00 53 68 65 6C 6C 5F 54 72 61 79 57 TICE.Shell_TrayW
0043E18A 6E 64 00 4F 4C 4C 59 44 42 47 00 nd.OLLYDBG.
//上面后半部分是检测父进程时用到的黑名单
然后用CryptDecrypt解码各节中的数据;
0043C8A1 50 PUSH EAX
0043C8A2 57 PUSH EDI
0043C8A3 6A 00 PUSH 0
0043C8A5 8B85 DAF24000 MOV EAX,DWORD PTR SS:[EBP+40F2DA]
0043C8AB 50 PUSH EAX
0043C8AC 6A 00 PUSH 0
0043C8AE 8B85 24084100 MOV EAX,DWORD PTR SS:[EBP+410824]
0043C8B4 50 PUSH EAX
0043C8B5 E8 2DEEFFFF CALL MyOpenGL.0043B6E7 //ADVAPI32.CryptDecrypt
如何得到IAT:
0043D6D4 BA 25DF4000 MOV EDX,MyOpenGL.0040DF25
0043D6D9 FF5415 00 CALL DWORD PTR SS:[EBP+EDX] // kernel32.GetProcAddress
0043D6DD 0BC0 OR EAX,EAX
.......................
0043D707 5A POP EDX
0043D708 8902 MOV DWORD PTR DS:[EDX],EAX //填入IAT真实的api地址
0043D70A EB 1C JMP SHORT MyOpenGL.0043D728
0043D70C 52 PUSH EDX
0043D70D 51 PUSH ECX
0043D70E 8B01 MOV EAX,DWORD PTR DS:[ECX]
0043D710 2D 00000080 SUB EAX,80000000
0043D715 50 PUSH EAX
0043D716 53 PUSH EBX
0043D717 BA 25DF4000 MOV EDX,MyOpenGL.0040DF25
0043D71C FF5415 00 CALL DWORD PTR SS:[EBP+EDX]
0043D720 85C0 TEST EAX,EAX
0043D722 74 6F JE SHORT MyOpenGL.0043D793
0043D724 59 POP ECX
0043D725 5A POP EDX
0043D726 8902 MOV DWORD PTR DS:[EDX],EAX //填入IAT替换的api地址
0043D728 51 PUSH ECX
0043D729 F785 500B4100 2>TEST DWORD PTR SS:[EBP+410B50],20
0043D733 74 47 JE SHORT MyOpenGL.0043D77C
0043D735 83BD 580B4100 0>CMP DWORD PTR SS:[EBP+410B58],0
0043D73C 74 14 JE SHORT MyOpenGL.0043D752
0043D73E 81FB 00000070 CMP EBX,70000000
0043D744 72 08 JB SHORT MyOpenGL.0043D74E
0043D746 81FB FFFFFF67 CMP EBX,77FFFFFF //只要将77FFFFFF改为67FFFFFF就可得到完好的IAT
0043D74C 76 0E JBE SHORT MyOpenGL.0043D75C
.................
0043D75E 8DBD 7B0C4100 LEA EDI,DWORD PTR SS:[EBP+410C7B]
0043D764 3E:8B77 04 MOV ESI,DWORD PTR DS:[EDI+4]
0043D768 8932 MOV DWORD PTR DS:[EDX],ESI
如果api地址小于77FFFFFF,就用其他值覆盖掉刚才存入的api,这样importREC修复就会出现无效指针
0043D46C 3E:837E 04 00 CMP DWORD PTR DS:[ESI+4],0 //IAT生成结束的地方
0043D471 0F84 19030000 JE MyOpenGL.0043D790
将未破坏的IAT复制出来如下:
0042511C E0 10 92 7C 00 10 92 7C 81 9F 80 7C 74 9B 80 7C ?抾.抾仧€|t泙|
0042512C E1 9A 80 7C BF 99 80 7C 1D 9A 80 7C B8 97 80 7C 釟€|繖€|殌|笚€|
0042513C F2 1E 80 7C AD 2F 81 7C 6E AC 80 7C FA CA 81 7C ?€|?亅n瑎|亅
0042514C 17 0E 81 7C 6A 3E 86 7C A5 AB 94 7C 99 2A 81 7C 亅j>唡カ攟?亅
0042515C C9 2F 81 7C 00 00 00 00 DB 11 D3 77 EA 07 D5 77 ?亅....?觲?誻
0042516C 00 00 00 00 AB 7A DA 77 42 78 DA 77 17 6C DA 77 ....珃趙Bx趙l趙
0042517C 00 00 00 00 55 9C 80 7C D0 97 80 7C 1D 9A 80 7C ....U渶|袟€|殌|
0042518C 31 B7 80 7C 00 00 00 00 17 0E 81 7C 46 24 80 7C 1穩|....亅F$€|
0042519C 12 18 80 7C 56 98 80 7C 31 B7 80 7C FA CA 81 7C €|V榾|1穩|亅
004251AC 28 1A 80 7C D7 9B 80 7C 00 00 00 00 1E 64 F2 77 (€|讻€|....d騱
004251BC 77 5D EF 77 83 63 F2 77 DB 5E EF 77 70 5B EF 77 w]飛僣騱踍飛p[飛
004251CC FA 6B EF 77 A5 61 EF 77 86 77 EF 77 00 BF F1 77 鷎飛飛唚飛.狂w
004251DC 69 D9 EF 77 F3 62 F2 77 00 00 00 00 D5 9B F2 5E i亠w骲騱....諞騘
004251EC 1C BB F2 5E CE BA F2 5E 00 00 00 00 56 AF D2 77 或^魏騘....Vw
004251FC 28 E5 D2 77 6B F5 D2 77 F3 99 D2 77 9D C2 D2 77 (逡wk跻w髾襴澛襴
0042520C 2E 8C D1 77 72 C9 D3 77 30 99 D2 77 C2 F3 D2 77 .屟wr捎w0櫼w麦襴
0042521C 9D 86 D1 77 19 97 D2 77 FD AA D2 77 EA 07 D5 77 潌褀椧w襴?誻
0042522C 7B 1F D3 77 F6 E8 D2 77 3E D3 D2 77 42 8C D1 77 {觲鲨襴>右wB屟w
0042523C 6B 21 D3 77 B4 90 D2 77 5D 94 D1 77 5E B0 D6 77 k!觲磹襴]斞w^爸w
0042524C 6E 43 D2 77 C7 86 D1 77 8E 90 D2 77 2A F9 D2 77 nC襴菃褀帎襴*w
0042525C 2F 9C D2 77 FD 8F D2 77 4E 4A D2 77 02 C7 D3 77 /溡w龔襴NJ襴怯w
0042526C 84 CB D2 77 F6 FB D2 77 44 B1 D3 77 A9 E4 D2 77 勊襴鳆襴D庇w╀襴
0042527C 7D A9 D2 77 E9 8F D2 77 00 00 00 00 E0 11 61 7D }┮w閺襴....?a}
0042528C 00 00 00 00 BC 51 F1 5E 7C 2D F1 5E 8C 2F F1 5E ....糛馸|-馸?馸
0042529C DC 3F F1 5E 5C 2F F1 5E 14 2F F1 5E F0 2E F1 5E ?馸\/馸/馸?馸
004252AC A4 3E F1 5E 9C 3C F1 5E 94 2A F1 5E 54 2E F1 5E ?馸?馸?馸T.馸
004252BC 48 2E F1 5E 2C 29 F1 5E 28 32 F1 5E C0 31 F1 5E H.馸,)馸(2馸?馸
004252CC 24 31 F1 5E 30 48 F1 5E F0 28 F1 5E 00 00 00 00 $1馸0H馸?馸....
004252DC 4B A3 E2 68 00 00 00 00 1E 0C 81 7C 12 18 80 7C Kbh.....亅€|
004252EC 28 1A 80 7C F9 BC 80 7C 45 A0 80 7C 19 BF 80 7C (€|€|E爛|縺|
004252FC 46 24 80 7C 88 0F 81 7C 46 2C 81 7C A4 00 93 7C F$€|?亅F,亅?搢
0042530C 98 C1 80 7C C7 06 81 7C D7 9B 80 7C 30 25 80 7C 樍€|?亅讻€|0%€|
0042531C 00 00 00 00 4A 5A B1 76 C8 57 B1 76 F3 BB B2 76 ....JZ眝萕眝蠡瞯
0042532C D9 59 B1 76 01 52 B1 76 80 BC B2 76 26 57 B1 76 資眝R眝€疾v&W眝
0042533C 00 00 00 00 ....
对应的二进制码:
E0 10 92 7C 00 10 92 7C 81 9F 80 7C 74 9B 80 7C E1 9A 80 7C BF 99 80 7C 1D 9A 80 7C B8 97 80 7C
F2 1E 80 7C AD 2F 81 7C 6E AC 80 7C FA CA 81 7C 17 0E 81 7C 6A 3E 86 7C A5 AB 94 7C 99 2A 81 7C
C9 2F 81 7C 00 00 00 00 DB 11 D3 77 EA 07 D5 77 00 00 00 00 AB 7A DA 77 42 78 DA 77 17 6C DA 77
00 00 00 00 55 9C 80 7C D0 97 80 7C 1D 9A 80 7C 31 B7 80 7C 00 00 00 00 17 0E 81 7C 46 24 80 7C
12 18 80 7C 56 98 80 7C 31 B7 80 7C FA CA 81 7C 28 1A 80 7C D7 9B 80 7C 00 00 00 00 1E 64 F2 77
77 5D EF 77 83 63 F2 77 DB 5E EF 77 70 5B EF 77 FA 6B EF 77 A5 61 EF 77 86 77 EF 77 00 BF F1 77
69 D9 EF 77 F3 62 F2 77 00 00 00 00 D5 9B F2 5E 1C BB F2 5E CE BA F2 5E 00 00 00 00 56 AF D2 77
28 E5 D2 77 6B F5 D2 77 F3 99 D2 77 9D C2 D2 77 2E 8C D1 77 72 C9 D3 77 30 99 D2 77 C2 F3 D2 77
9D 86 D1 77 19 97 D2 77 FD AA D2 77 EA 07 D5 77 7B 1F D3 77 F6 E8 D2 77 3E D3 D2 77 42 8C D1 77
6B 21 D3 77 B4 90 D2 77 5D 94 D1 77 5E B0 D6 77 6E 43 D2 77 C7 86 D1 77 8E 90 D2 77 2A F9 D2 77
2F 9C D2 77 FD 8F D2 77 4E 4A D2 77 02 C7 D3 77 84 CB D2 77 F6 FB D2 77 44 B1 D3 77 A9 E4 D2 77
7D A9 D2 77 E9 8F D2 77 00 00 00 00 E0 11 61 7D 00 00 00 00 BC 51 F1 5E 7C 2D F1 5E 8C 2F F1 5E
DC 3F F1 5E 5C 2F F1 5E 14 2F F1 5E F0 2E F1 5E A4 3E F1 5E 9C 3C F1 5E 94 2A F1 5E 54 2E F1 5E
48 2E F1 5E 2C 29 F1 5E 28 32 F1 5E C0 31 F1 5E 24 31 F1 5E 30 48 F1 5E F0 28 F1 5E 00 00 00 00
4B A3 E2 68 00 00 00 00 1E 0C 81 7C 12 18 80 7C 28 1A 80 7C F9 BC 80 7C 45 A0 80 7C 19 BF 80 7C
46 24 80 7C 88 0F 81 7C 46 2C 81 7C A4 00 93 7C 98 C1 80 7C C7 06 81 7C D7 9B 80 7C 30 25 80 7C
00 00 00 00 4A 5A B1 76 C8 57 B1 76 F3 BB B2 76 D9 59 B1 76 01 52 B1 76 80 BC B2 76 26 57 B1 76
00 00 00 00
接着运行加壳的程序,再运行importRec,选中进程中的加壳进程,输入oep,搜索到的iat含很多无效的指针。
这时用od附加该进程,而后将iat数据粘贴到进程的指定地址处。此时再在importRec中就可以搜索到所有的api,
然后修复一下即可。
如何飞到oep:
0043DC8C 61 POPAD //第4个硬件断点
0043DC8D 50 PUSH EAX //eax=0043DA2C
0043DC8E 33C0 XOR EAX,EAX
0043DC90 64:FF30 PUSH DWORD PTR FS:[EAX] //安装 seh
0043DC93 64:8920 MOV DWORD PTR FS:[EAX],ESP
0043DC96 /EB 01 JMP SHORT MyOpenGL.0043DC99
0043DC98 |C3 RETN
0043DC99 \0000 ADD BYTE PTR DS:[EAX],AL //这里异常后跳到0043DA2C
0043DA2C 55 PUSH EBP
0043DA2D 8BEC MOV EBP,ESP
0043DA2F 57 PUSH EDI
0043DA30 36:8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
0043DA34 3E:8BB8 C400000>MOV EDI,DWORD PTR DS:[EAX+C4]
0043DA3B 3E:FF37 PUSH DWORD PTR DS:[EDI]
0043DA3E 33FF XOR EDI,EDI
0043DA40 64:8F07 POP DWORD PTR FS:[EDI]
0043DA43 3E:8380 C400000>ADD DWORD PTR DS:[EAX+C4],8
0043DA4B 3E:8BB8 A400000>MOV EDI,DWORD PTR DS:[EAX+A4]
0043DA52 C1C7 07 ROL EDI,7 // 计算出 oep
0043DA55 3E:89B8 B800000>MOV DWORD PTR DS:[EAX+B8],EDI // CONTEXT.regEip=计算出的oep
0043DA5C B8 00000000 MOV EAX,0 //注意:B8是regEip在CONTEXT中的偏移
0043DA61 5F POP EDI
0043DA62 C9 LEAVE
0043DA63 C3 RETN
.............
7C92E48A 0AC0 OR AL,AL
7C92E48C 74 0C JE SHORT ntdll.7C92E49A
7C92E48E 5B POP EBX
7C92E48F 59 POP ECX
7C92E490 6A 00 PUSH 0
7C92E492 51 PUSH ECX
7C92E493 E8 C6EBFFFF CALL ntdll.ZwContinue //F7进入
7C92D05E > B8 20000000 MOV EAX,20
7C92D063 BA 0003FE7F MOV EDX,7FFE0300
7C92D068 FF12 CALL DWORD PTR DS:[EDX] //F7进入 ntdll.KiFastSystemCall
7C92D06A C2 0800 RETN 8
7C92E510 > 8BD4 MOV EDX,ESP
7C92E512 0F34 SYSENTER //f8就来到oep了
7C92E514 > C3 RETN
一些反调试:
反调试1:
0043D85D 8D85 A3E14000 LEA EAX,DWORD PTR SS:[EBP+40E1A3] //eax是模块入口点
0043D863 B9 C3034100 MOV ECX,004103C3
0043D868 81E9 A3E14000 SUB ECX,0040E1A3 //ecx是要保护的这段代码长度0x2220
0043D86E EB 01 JMP SHORT MyOpenGL.0043D871
................
0043D871 51 PUSH ECX
0043D872 50 PUSH EAX
0043D873 E8 DFE6FFFF CALL MyOpenGL.0043BF57 //计算校验值,从模块入口点开始长度为0x2220
.........
0043D87E 8B9D 540B4100 MOV EBX,DWORD PTR SS:[EBP+410B54] //第三个硬件断点
0043D884 33C3 XOR EAX,EBX //与壳中的校验值比较,在以上范围内设常用断点将无法到达oep
0043D886 74 2C JE SHORT MyOpenGL.0043D8B4
0043D888 EB 01 JMP SHORT MyOpenGL.0043D88B //不相等 over
反调试2:
0043BB24 F785 500B4100 0>TEST DWORD PTR SS:[EBP+410B50],1
0043BB2E 74 64 JE SHORT MyOpenGL.0043BB94
0043BB30 8DBD 220C4100 LEA EDI,DWORD PTR SS:[EBP+410C22]
0043BB36 6A 00 PUSH 0
0043BB38 68 80000000 PUSH 80
0043BB3D 6A 03 PUSH 3
0043BB3F 6A 00 PUSH 0
0043BB41 6A 03 PUSH 3
0043BB43 68 000000C0 PUSH C0000000
0043BB48 57 PUSH EDI ;FileName = "\\.\SICE" "\\.\NTICE"
0043BB49 E8 37FAFFFF CALL MyOpenGL.0043B585 ; JMP 到 kernel32.CreateFileA
0043BB4E 83F8 FF CMP EAX,-1
0043BB51 74 0F JE SHORT MyOpenGL.0043BB62
0043BB53 8BF8 MOV EDI,EAX
0043BB55 57 PUSH EDI
0043BB56 E8 48FAFFFF CALL MyOpenGL.0043B5A3 ; JMP 到 kernel32.CloseHandle
0043BB5B 6A 00 PUSH 0
0043BB5D E8 A1FAFFFF CALL MyOpenGL.0043B603 ; JMP 到 kernel32.ExitThread
反调试3:
0043D33B F785 500B4100 8>TEST DWORD PTR SS:[EBP+410B50],80
0043D345 75 24 JNZ SHORT MyOpenGL.0043D36B
0043D347 E8 5DE2FFFF CALL MyOpenGL.0043B5A9 ; JMP 到 kernel32.IsDebuggerPresent
0043D34C 0BC0 OR EAX,EAX
0043D34E 74 1B JE SHORT MyOpenGL.0043D36B
0043D350 8B85 E8074100 MOV EAX,DWORD PTR SS:[EBP+4107E8]
0043D356 50 PUSH EAX
0043D357 6A 01 PUSH 1
0043D359 68 FF0F1F00 PUSH 1F0FFF
0043D35E E8 88E2FFFF CALL MyOpenGL.0043B5EB ; JMP 到 kernel32.OpenProcess
0043D363 6A 00 PUSH 0
0043D365 50 PUSH EAX
0043D366 E8 86E2FFFF CALL MyOpenGL.0043B5F1 ; JMP 到 kernel32.TerminateProcess
反调试4:
0043D890 E8 AADDFFFF CALL MyOpenGL.0043B63F kernel32.GetTickCount
0043D895 8B8D 68084100 MOV ECX,DWORD PTR SS:[EBP+410868]
0043D89B 2BC1 SUB EAX,ECX //时间差
0043D89D 3D E02E0000 CMP EAX,2EE0
0043D8A2 /78 08 JS SHORT MyOpenGL.0043D8AC
0043D8A4 |EB 01 JMP SHORT MyOpenGL.0043D8A7
反调试5: 结束od调试线程的具体实现
0043C063 8BD5 MOV EDX,EBP
0043C065 81C2 F9EB4000 ADD EDX,MyOpenGL.0040EBF9
0043C06B 8902 MOV DWORD PTR DS:[EDX],EAX
0043C06D B9 49000000 MOV ECX,49
0043C072 8BD5 MOV EDX,EBP
0043C074 81C2 7B0C4100 ADD EDX,MyOpenGL.00410C7B
0043C07A 33C0 XOR EAX,EAX
0043C07C 8D3A LEA EDI,DWORD PTR DS:[EDX]
0043C07E 57 PUSH EDI
0043C07F F3:AB REP STOS DWORD PTR ES:[EDI]
0043C081 5F POP EDI
0043C082 36:C702 1C00000>MOV DWORD PTR SS:[EDX],1C
0043C089 8BD5 MOV EDX,EBP
0043C08B 81C2 F9EB4000 ADD EDX,MyOpenGL.0040EBF9
0043C091 8B02 MOV EAX,DWORD PTR DS:[EDX]
0043C093 50 PUSH EAX
0043C094 6A 04 PUSH 4
0043C096 E8 14F5FFFF CALL MyOpenGL.0043B5AF kernel32.CreateToolhelp32Snapshot
0043C09B 8BF0 MOV ESI,EAX
0043C09D 8BC5 MOV EAX,EBP
0043C09F 05 7B0C4100 ADD EAX,MyOpenGL.00410C7B
0043C0A4 50 PUSH EAX
0043C0A5 56 PUSH ESI
0043C0A6 E8 2EF5FFFF CALL MyOpenGL.0043B5D9 kernel32.Thread32First
0043C0AB 85C0 TEST EAX,EAX
0043C0AD 0F84 80000000 JE MyOpenGL.0043C133
0043C0B3 8BD5 MOV EDX,EBP
0043C0B5 81C2 7B0C4100 ADD EDX,MyOpenGL.00410C7B
0043C0BB 8D0A LEA ECX,DWORD PTR DS:[EDX]
0043C0BD 51 PUSH ECX
0043C0BE 56 PUSH ESI
0043C0BF E8 1BF5FFFF CALL MyOpenGL.0043B5DF kernel32.Thread32Next
0043C0C4 85C0 TEST EAX,EAX
0043C0C6 74 6B JE SHORT MyOpenGL.0043C133
0043C0C8 56 PUSH ESI
0043C0C9 8BD5 MOV EDX,EBP
0043C0CB 81C2 7B0C4100 ADD EDX,MyOpenGL.00410C7B
0043C0D1 8B4A 0C MOV ECX,DWORD PTR DS:[EDX+C]
0043C0D4 8BD5 MOV EDX,EBP
0043C0D6 81C2 F9EB4000 ADD EDX,MyOpenGL.0040EBF9
0043C0DC 8B02 MOV EAX,DWORD PTR DS:[EDX]
0043C0DE 3BC8 CMP ECX,EAX
0043C0E0 75 3B JNZ SHORT MyOpenGL.0043C11D
0043C0E2 8BD5 MOV EDX,EBP
0043C0E4 81C2 7B0C4100 ADD EDX,MyOpenGL.00410C7B
0043C0EA 8B42 08 MOV EAX,DWORD PTR DS:[EDX+8]
0043C0ED 50 PUSH EAX
0043C0EE 6A 00 PUSH 0
0043C0F0 6A 02 PUSH 2
0043C0F2 E8 EEF4FFFF CALL MyOpenGL.0043B5E5 kernel32.OpenThread
0043C0F7 85C0 TEST EAX,EAX
0043C0F9 74 22 JE SHORT MyOpenGL.0043C11D
0043C0FB 8BC8 MOV ECX,EAX
0043C0FD 85DB TEST EBX,EBX
0043C0FF 74 0C JE SHORT MyOpenGL.0043C10D
0043C101 51 PUSH ECX
0043C102 8BC1 MOV EAX,ECX
0043C104 50 PUSH EAX
0043C105 E8 1DF5FFFF CALL MyOpenGL.0043B627 kernel32.SuspendThread
0043C10A 59 POP ECX
0043C10B EB 0A JMP SHORT MyOpenGL.0043C117
0043C10D 51 PUSH ECX
0043C10E 8BC1 MOV EAX,ECX
0043C110 50 PUSH EAX
0043C111 E8 17F5FFFF CALL MyOpenGL.0043B62D kernel32.ResumeThread
0043C116 59 POP ECX
0043C117 51 PUSH ECX
0043C118 E8 86F4FFFF CALL MyOpenGL.0043B5A3 kernel32.CloseHandle
0043C11D 5E POP ESI
0043C11E 8BD5 MOV EDX,EBP
0043C120 81C2 7B0C4100 ADD EDX,MyOpenGL.00410C7B
0043C126 8D0A LEA ECX,DWORD PTR DS:[EDX]
0043C128 51 PUSH ECX
0043C129 56 PUSH ESI
0043C12A E8 B0F4FFFF CALL MyOpenGL.0043B5DF kernel32.Thread32Next
0043C12F 85C0 TEST EAX,EAX
0043C131 ^ 75 95 JNZ SHORT MyOpenGL.0043C0C8
0043C133 B8 55555555 MOV EAX,55555555
0043C138 8BD5 MOV EDX,EBP
0043C13A 81C2 F9EB4000 ADD EDX,MyOpenGL.0040EBF9
0043C140 8902 MOV DWORD PTR DS:[EDX],EAX
0043C142 C3 RETN
多处用到的校验call: //可以检测你下的一次性断点,也可以阻止你修改代码
0043BF57 55 PUSH EBP
0043BF58 8BEC MOV EBP,ESP
0043BF5A 53 PUSH EBX
0043BF5B 51 PUSH ECX
0043BF5C 52 PUSH EDX
0043BF5D 56 PUSH ESI
0043BF5E 57 PUSH EDI
0043BF5F 36:8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0043BF63 36:8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
0043BF67 8BF8 MOV EDI,EAX
0043BF69 33C0 XOR EAX,EAX
0043BF6B 33DB XOR EBX,EBX
0043BF6D 33D2 XOR EDX,EDX
0043BF6F 8A07 MOV AL,BYTE PTR DS:[EDI]
0043BF71 F7E2 MUL EDX
0043BF73 03D8 ADD EBX,EAX
0043BF75 42 INC EDX
0043BF76 47 INC EDI
0043BF77 ^ E2 F6 LOOPD SHORT MyOpenGL.0043BF6F
0043BF79 93 XCHG EAX,EBX
0043BF7A 5F POP EDI
0043BF7B 5E POP ESI
0043BF7C 5A POP EDX
0043BF7D 59 POP ECX
0043BF7E 5B POP EBX
0043BF7F 8BE5 MOV ESP,EBP
0043BF81 5D POP EBP
0043BF82 C3 RETN
附上脱壳后的程序及源代码,最后感谢海浪轻风前辈给我一次练手的机会!
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!