Manually unpacking an Armadillo-packed DLL with OllyDbg
Posted: 2005-5-31 18:11
【Author】 jameshero
【Tools】 PEiD, flyODBG (modified build)
【Platform】 WinXP+SP2
【Software】 A certain server-side program
【Description】 Because of some commercial issues I won't name it here; just look at the method
【Packer】 Armadillo 2.51 - 3.xx DLL Stub
【Statement】 I'm just a rookie who picked up a little insight and would like to share it with everyone :)
--------------------------------------------------------------------------------
【Contents】
1. PEiD identifies the packer as: Armadillo 2.51 - 3.xx DLL Stub
The exact version is unknown; let's just take a look first!
2. Set flyODBG to ignore all exceptions; the OD auto-hide plugin hides OllyDbg for you.
Load the program in OD.
00944957 > 55 push ebp
00944958 8BEC mov ebp,esp
0094495A 53 push ebx
0094495B 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
0094495E 56 push esi
0094495F 8B75 0C mov esi,dword ptr ss:[ebp+C]
00944962 57 push edi
00944963 8B7D 10 mov edi,dword ptr ss:[ebp+10]
00944966 85F6 test esi,esi
---------------------------------------------------------------
Set a breakpoint: BP GetModuleHandleA+5, then Shift+F9 to run, and watch the stack:
---------------------------------------------------------------
00069510 |00B452CA RETURN to 00B452CA from kernel32.GetModuleHandleA
00069514 |00069660 ASCII "kernel32.dll"
---------------------------------------------------------------
Once the stack looks like the above we can return: press Alt+F9 to return to the program!
---------------------------------------------------------------
00B452CA 8B0D 3C1EB700 mov ecx,dword ptr ds:[B71E3C] <--------- returns here
00B452D0 89040E mov dword ptr ds:[esi+ecx],eax
00B452D3 A1 3C1EB700 mov eax,dword ptr ds:[B71E3C]
00B452D8 391C06 cmp dword ptr ds:[esi+eax],ebx
00B452DB 75 16 jnz short 00B452F3
00B452DD 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C]
00B452E3 50 push eax
00B452E4 FF15 B842B600 call dword ptr ds:[B642B8] ; kernel32.LoadLibraryA
00B452EA 8B0D 3C1EB700 mov ecx,dword ptr ds:[B71E3C]
00B452F0 89040E mov dword ptr ds:[esi+ecx],eax
00B452F3 A1 3C1EB700 mov eax,dword ptr ds:[B71E3C]
00B452F8 391C06 cmp dword ptr ds:[esi+eax],ebx
00B452FB 0F84 2F010000 je 00B45430 <-------------- MAGIC JUMP, change it to JMP 00B45430
00B45301 33C9 xor ecx,ecx
00B45303 8B07 mov eax,dword ptr ds:[edi]
00B45305 3918 cmp dword ptr ds:[eax],ebx
00B45307 74 06 je short 00B4530F
----------------------------------------------------------------
(Note: the method below differs somewhat from fly's)
Now press Alt+M to open the memory map window and look at each section of this DLL
----------------------------------------------------------------
00870000 00001000 KingFor3 00870000 (itself) PE header //★ set a memory-access breakpoint here
00871000 0008B000 KingFor3 00870000 CODE
008FC000 00002000 KingFor3 00870000 DATA
008FE000 00001000 KingFor3 00870000 BSS
----------------------------------------------------------------
Now press F9 to run; it breaks at the address below
----------------------------------------------------------------
00B585A7 0348 3C add ecx,dword ptr ds:[eax+3C] <------ breaks here
00B585AA 898D FCD7FFFF mov dword ptr ss:[ebp-2804],ecx
00B585B0 A1 C8DFB600 mov eax,dword ptr ds:[B6DFC8]
00B585B5 8985 CCAEFFFF mov dword ptr ss:[ebp+FFFFAECC],eax
00B585BB 8B85 CCAEFFFF mov eax,dword ptr ss:[ebp+FFFFAECC]
00B585C1 8985 0CD8FFFF mov dword ptr ss:[ebp-27F4],eax
00B585C7 8B85 FCD7FFFF mov eax,dword ptr ss:[ebp-2804]
00B585CD 8B40 50 mov eax,dword ptr ds:[eax+50]
----------------------------------------------------------------
Now press Ctrl+S to search the whole section for
mov edx,dword ptr ds:[ecx+C]
add edx,dword ptr ds:[ecx+8]
which finds the following address
----------------------------------------------------------------
00B5E1D7 8D74C1 D8 lea esi,dword ptr ds:[ecx+eax*8-28]
00B5E1DB 33C0 xor eax,eax
00B5E1DD 3BCE cmp ecx,esi
00B5E1DF 73 11 jnb short 00B5E1F2
00B5E1E1 8B51 0C mov edx,dword ptr ds:[ecx+C] <-------- found here
00B5E1E4 0351 08 add edx,dword ptr ds:[ecx+8] <------- set the breakpoint here
00B5E1E7 3BD0 cmp edx,eax
----------------------------------------------------------------
After setting the breakpoint at the address above, press Alt+M and remove the memory breakpoint, then F9 to run until it breaks.
Keep pressing F9; it will break here many times. Watch the Registers window for ECX 00870298 ASCII ".reloc"
When that shows up, look below: what is displayed at that moment is the relocation table RVA and size.
Write them down, then remove the breakpoint.
----------------------------------------------------------------
ds:[008702A0]=00009E78 <---- size
edx=00092000 <------- relocation RVA
----------------------------------------------------------------
Now Alt+M again
----------------------------------------------------------------
00870000 00001000 KingFor3 00870000 (itself) PE header
00871000 0008B000 KingFor3 00870000 CODE //★ set a memory-access breakpoint here
008FC000 00002000 KingFor3 00870000 DATA
008FE000 00001000 KingFor3 00870000 BSS
---------------------------------------------------------------
Keep pressing F9 and we arrive at the OEP
---------------------------------------------------------------
008FBBAC 55 push ebp <------ OEP
008FBBAD 8BEC mov ebp,esp
008FBBAF 83C4 C4 add esp,-3C
008FBBB2 B8 A4B88F00 mov eax,KingFor3.008FB8A4
008FBBB7 E8 88A8F7FF call KingFor3.00876444
008FBBBC 6A 00 push 0
008FBBBE E8 8DBEF8FF call KingFor3.00887A50 ; jmp to ole32.CoInitialize
008FBBC3 E8 2C6FF7FF call KingFor3.00872AF4
008FBBC8 E8 93F9FFFF call KingFor3.008FB560
008FBBCD E8 CA84F7FF call KingFor3.0087409C
008FBBD2 8BC0 mov eax,eax
----------------------------------------------------------------
In LordPE select OllyDbg's loaddll.exe process, pick this DLL from the list below it, then do a full dump to get dumped.dll.
(The method for finding the IAT address below also differs from fly's; pay attention!)
Now Alt+M once more
---------------------------------------------------------------
00870000 00001000 KingFor3 00870000 (itself) PE header
00871000 0008B000 KingFor3 00870000 CODE
008FC000 00002000 KingFor3 00870000 DATA
008FE000 00001000 KingFor3 00870000 BSS
008FF000 00003000 KingFor3 00870000 .idata <-- here; double-click to view the data
---------------------------------------------------------------
008FF000 00 00 00 00 00 00 00 00 00 00 00 00 20 F8 08 00
008FF010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
008FF020 E0 FA 08 00 00 00 00 00 00 00 00 00 00 00 00 00
008FF030 00 00 00 00 26 FB 08 00 00 00 00 00 00 00 00 00
008FF040 00 00 00 00 00 00 00 00 66 FB 08 00 00 00 00 00
008FF050 00 00 00 00 00 00 00 00 00 00 00 00 AE FB 08 00
008FF060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
008FF070 08 FC 08 00 00 00 00 00 00 00 00 00 00 00 00 00
008FF080 00 00 00 00 7A FC 08 00 00 00 00 00 00 00 00 00
008FF090 00 00 00 00 00 00 00 00 24 02 09 00 00 00 00 00
008FF0A0 00 00 00 00 00 00 00 00 00 00 00 00 72 02 09 00
008FF0B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
008FF0C0 0C 07 09 00 00 00 00 00 00 00 00 00 00 00 00 00
008FF0D0 00 00 00 00 A4 11 09 00 00 00 00 00 00 00 00 00
008FF0E0 00 00 00 00 00 00 00 00 BA 11 09 00 00 00 00 00
008FF0F0 00 00 00 00 00 00 00 00 00 00 00 00 C8 12 09 00
008FF100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
008FF110 02 13 09 00 00 00 00 00 00 00 00 00 00 00 00 00
008FF120 00 00 00 00 30 13 09 00 00 00 00 00 00 00 00 00
008FF130 00 00 00 00 00 00 00 00 3E 15 09 00 00 00 00 00
008FF140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
008FF150 00 00 00 00 8A 18 93 7C ED 10 92 7C 05 10 92 7C <- this is where the IAT begins,
008FF160 A1 9F 80 7C 14 9B 80 7C 81 9A 80 7C 5D 99 80 7C    at address 8FF154
008FF170 BD 99 80 7C AC 92 80 7C 17 A4 80 7C AB 14 81 7C
008FF180 37 97 80 7C 94 97 80 7C 7B 97 80 7C 59 B8 80 7C
008FF190 C7 A0 80 7C AD 9C 80 7C E0 C6 80 7C 11 03 81 7C
008FF1A0 4F 1D 80 7C 05 A4 80 7C EE 1E 80 7C 28 AC 80 7C
008FF1B0 29 B5 80 7C 57 B3 80 7C 7E D4 80 7C 8D 2C 81 7C
---------------------------------------------------------------
OK, now use ImportREC: select this .dll and fill in RVA=8FF154-400000=4FF154; if you are not sure about the size,
just enter 1000.
(The ImportREC settings here also differ from fly's: check "Use PE header from disk".)
Why is the RVA 8FF154-400000=4FF154? Because at this point the "Image Base" shown in ImportREC is 400000.
Now click "Get Imports", cut the invalid pointers, set OEP=008FBBAC-870000, and Fix Dump.
Then repair the file with LordPE: when fixing, change "Image Base" to 870000, and for the relocation table RVA and size
enter the values we saw above! With that, unpacking is complete!
The method above differs a bit from what master fly wrote; just look at the method. There are many roads to unpacking, it mainly depends on you.
Armadillo has quite a few packing options; this is the only one I can handle at the moment, still working on the others, hehe.
If any master has figured out the other packing modes, please give us rookies some pointers.
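As an added example (not part of jameshero's post or of any tool named above), the following Python does the final LordPE step on a PE32 header: it reads and patches ImageBase, the entry point (stored as an RVA) and the base relocation data directory, using the values recovered in the walkthrough. The header it works on is a constructed stub standing in for dumped.dll; the field offsets are the standard IMAGE_OPTIONAL_HEADER32 layout.

```python
import struct

# Values recovered in the walkthrough above: the DLL base in OllyDbg, the OEP, and the
# relocation table RVA/size read at the ".reloc" hit (edx and ds:[008702A0]).
LOADED_BASE, OEP_VA = 0x00870000, 0x008FBBAC
RELOC_RVA, RELOC_SIZE = 0x00092000, 0x00009E78
# Field offsets inside IMAGE_OPTIONAL_HEADER32, and the base relocation directory index
OPT_ENTRYPOINT, OPT_IMAGEBASE, OPT_NUM_DIRS, OPT_DATADIR = 16, 28, 92, 96
DIR_BASERELOC = 5


def opt_header_offset(pe: bytes) -> int:
    """Locate the PE32 optional header, validating the MZ and PE signatures first."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the PE signature and the 20-byte IMAGE_FILE_HEADER
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    return opt


def read_header(pe: bytes) -> dict:
    """Return ImageBase, entry-point RVA and the base relocation data directory."""
    opt = opt_header_offset(pe)
    base, entry = (struct.unpack_from("<I", pe, opt + o)[0] for o in (OPT_IMAGEBASE, OPT_ENTRYPOINT))
    if struct.unpack_from("<I", pe, opt + OPT_NUM_DIRS)[0] <= DIR_BASERELOC:
        raise ValueError("optional header has no relocation directory slot")
    rva, size = struct.unpack_from("<II", pe, opt + OPT_DATADIR + 8 * DIR_BASERELOC)
    return {"base": base, "entry": entry, "reloc_rva": rva, "reloc_size": size}


def fix_dump_header(pe: bytes, base: int, oep_va: int, reloc_rva: int, reloc_size: int) -> bytes:
    """The LordPE step in code: set ImageBase, the OEP as an RVA, and the reloc directory."""
    buf, opt = bytearray(pe), opt_header_offset(pe)
    struct.pack_into("<I", buf, opt + OPT_IMAGEBASE, base)
    struct.pack_into("<I", buf, opt + OPT_ENTRYPOINT, oep_va - base)  # 008FBBAC-870000
    struct.pack_into("<II", buf, opt + OPT_DATADIR + 8 * DIR_BASERELOC, reloc_rva, reloc_size)
    return bytes(buf)


def make_stub_pe() -> bytes:
    """Constructed minimal PE32 header standing in for dumped.dll (stale ImageBase 400000)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)          # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, OPT_IMAGEBASE, 0x00400000)
    struct.pack_into("<I", opt, OPT_NUM_DIRS, 16)
    return dos + b"PE\0\0" + file_hdr + bytes(opt)
```

Running `read_header` on the fixed buffer gives base 870000, entry RVA 8BBAC and the relocation directory 92000/9E78, which is exactly what the repaired dumped.dll header should contain.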
Jameshero
2005-5-31