[Original] What a packer does before reaching the OEP
Posted: 2012-6-19 14:55  10913
Title: What a packer does before reaching the OEP
Author: xunbu7
Author e-mail: xunbu7@163.com
Tools used: OllyDbg (OD), a screenshot tool
Target file: RebPE.exe from the Encryption and Decryption (3rd edition) courseware, folder 第三版加密与解密_课件\chap13\13.2 寻找OEP\13.2.1 根据跨段指令寻找OEP\加壳后的 (chap13 / 13.2 Finding the OEP / 13.2.1 Finding the OEP from a cross-section jump / packed)
Reference: Encryption and Decryption (3rd edition)
Author's note: I am a beginner and wrote this article in my spare time recently. I hope to share it with everyone; if there are mistakes, please do not hesitate to correct me!
This is a compression packer. Walking through what its stub does before the OEP is a good way to understand why, when hunting the OEP by hand, breakpoints on GetModuleHandleA and similar APIs work: the stub resolves those functions itself and calls them while rebuilding the import table, right before it jumps to the original program.
Memory image of the packed program
Part of the data in the shell (packer) section:
00413000 >60 E8 C2 00 00 00 2E 30 01 00 00 00 00 00 00 00 `......0........
00413010 00 00 3E 30 01 00 2E 30 01 00 00 00 00 00 00 00 ..>0...0........
00413020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 AE ..............@.
00413030 80 7C 41 B7 80 7C 7B 1D 80 7C 00 00 00 00 4B 45 .|A..|{..|....KE
00413040 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 RNEL32.dll....Ge
00413050 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 tProcAddress...G
00413060 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 etModuleHandleA.
00413070 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 ..LoadLibraryA..
00413080 00 00 00 08 00 00 00 00 00 00 00 4E 64 00 00 5B ...........Nd..[
00413090 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
004130A0 00 00 00 00 00 00 00 00 00 00 00 56 69 72 74 75 ...........Virtu
004130B0 61 6C 41 6C 6C 6F 63 00 00 00 00 00 28 02 93 7C alAlloc.....(..|
004130C0 01 00 00 00 00 00 00 00 5D 81 ED 06 00 00 00 8B ........].......
004130D0 85 C0 00 00 00 0B C0 74 07 55 FF A5 C4 00 00 00 .......t.U......
004130E0 FF 85 C0 00 00 00 8B 44 24 24 89 85 BC 00 00 00 .......D$$......
What the shell section does:
1. Obtain the base address of kernel32.dll.
2. Obtain the address of VirtualAlloc.
3. Call VirtualAlloc to reserve memory; the return value is the start address of the allocated block.
4. Decompress the code stored at 0041944E in the shell section into the allocated block at 00A30000.
A few details in the dump above make the rest easier to follow. The entry point at 00413000 is 60 E8 C2 00 00 00, i.e. pushad; call 004130C8, and the dwords right after the call (0001302E, 0001303E) are data, not code: they are RVAs of the shell's API-address table at 0041302E and of the "KERNEL32.dll" string at 0041303E, which is why a disassembler shows garbage there. At 004130C8 the code runs pop ebp; sub ebp, 6, which leaves ebp = 00413000, the shell section base, so every later [ebp+xx] reference is relative to that base. The three dwords at 0041302E (7C80AE40, 7C80B741, 7C801D7B) are the resolved addresses of GetProcAddress, GetModuleHandleA and LoadLibraryA, whose names follow them in the section.
The block at 00A30000 after decompression. This code is responsible for decompressing the original program and initializing the IAT:
00A3027D 85 84 02 00 00 61 68 00 00 00 00 C3 30 11 00 00 .....ah.....0...
00A3028D 01 00 00 00 7A 03 00 00 00 00 00 00 00 00 00 00 ....z...........
00A3029D 00 00 40 00 00 40 00 00 00 10 00 00 00 24 00 00 ..@..@.......$..
00A302AD 00 10 00 00 00 50 00 00 00 02 00 00 00 30 00 00 .....P.......0..
00A302BD 00 60 00 00 00 02 00 00 40 97 00 00 30 93 00 00 .`......@...0...
00A302CD 9E 0D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A302DD 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A302ED 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A302FD 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A3030D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A3031D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A3032D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A3033D 00 00 00 00 40 AE 80 7C 41 B7 80 7C 7B 1D 80 7C ....@..|A..|{..|
00A3034D F1 9A 80 7C 00 00 40 00 37 31 41 00 00 00 00 00 ...|..@.71A.....
00A3035D 84 9B 80 7C 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C ...|KERNEL32.dll
00A3036D 00 56 69 72 74 75 61 6C 46 72 65 65 00 9C 50 00 .VirtualFree..P.
00A3037D 00 0A 55 53 45 52 33 32 2E 64 6C 6C 00 06 00 00 ..USER32.dll....
00A3038D 00 0C 53 65 6E 64 4D 65 73 73 61 67 65 41 00 09 ..SendMessageA..
00A3039D 4C 6F 61 64 49 63 6F 6E 41 00 0D 44 65 73 74 72 LoadIconA..Destr
00A303AD 6F 79 57 69 6E 64 6F 77 00 0C 50 6F 73 74 4D 65 oyWindow..PostMe
00A303BD 73 73 61 67 65 41 00 09 45 6E 64 44 69 61 6C 6F ssageA..EndDialo
00A303CD 67 00 0F 44 69 61 6C 6F 67 42 6F 78 50 61 72 61 g..DialogBoxPara
00A303DD 6D 41 00 00 50 00 00 0C 4B 45 52 4E 45 4C 33 32 mA..P...KERNEL32
00A303ED 2E 64 6C 6C 00 26 00 00 00 0B 47 65 74 46 69 6C .dll.&....GetFil
00A303FD 65 54 79 70 65 00 0E 47 65 74 53 74 72 69 6E 67 eType..GetString
00A3040D 54 79 70 65 57 00 0E 47 65 74 53 74 72 69 6E 67 TypeW..GetString
00A3041D 54 79 70 65 41 00 0C 4C 43 4D 61 70 53 74 72 69 TypeA..LCMapStri
00A3042D 6E 67 57 00 0C 4C 43 4D 61 70 53 74 72 69 6E 67 ngW..LCMapString
00A3043D 41 00 13 4D 75 6C 74 69 42 79 74 65 54 6F 57 69 A..MultiByteToWi
00A3044D 64 65 43 68 61 72 00 0C 4C 6F 61 64 4C 69 62 72 deChar..LoadLibr
00A3045D 61 72 79 41 00 10 47 65 74 4D 6F 64 75 6C 65 48 aryA..GetModuleH
00A3046D 61 6E 64 6C 65 41 00 0F 47 65 74 53 74 61 72 74 andleA..GetStart
00A3047D 75 70 49 6E 66 6F 41 00 0F 47 65 74 43 6F 6D 6D upInfoA..GetComm
00A3048D 61 6E 64 4C 69 6E 65 41 00 0A 47 65 74 56 65 72 andLineA..GetVer
00A3049D 73 69 6F 6E 00 0B 45 78 69 74 50 72 6F 63 65 73 sion..ExitProces
00A304AD 73 00 10 54 65 72 6D 69 6E 61 74 65 50 72 6F 63 s..TerminateProc
00A304BD 65 73 73 00 11 47 65 74 43 75 72 72 65 6E 74 50 ess..GetCurrentP
00A304CD 72 6F 63 65 73 73 00 18 55 6E 68 61 6E 64 6C 65 rocess..Unhandle
00A304DD 64 45 78 63 65 70 74 69 6F 6E 46 69 6C 74 65 72 dExceptionFilter
00A304ED 00 12 47 65 74 4D 6F 64 75 6C 65 46 69 6C 65 4E ..GetModuleFileN
00A304FD 61 6D 65 41 00 17 46 72 65 65 45 6E 76 69 72 6F ameA..FreeEnviro
00A3050D 6E 6D 65 6E 74 53 74 72 69 6E 67 73 41 00 17 46 nmentStringsA..F
What the second stage (the 00A30000 block) does:
1. Copy the addresses of GetProcAddress, GetModuleHandleA and LoadLibraryA from the shell section into the 00A30000 block (visible at 00A30341 in the dump: the same three dwords as at 0041302E).
2. Obtain the image base of this process, 00400000, and store it in the 00A30000 block (at 00A30353).
3. Obtain the base address of kernel32.dll.
4. Obtain the address of VirtualFree and store it in the 00A30000 block.
5. Decompress each section:
   Call VirtualAlloc for a staging buffer; it returns 00A40000, which is used to decompress the sections.
   Decompress the .text section into the staging buffer at 00A40000.
   Copy the decompressed data from 00A40000 back to 00401000.
   Call VirtualFree to release the staging buffer at 00A40000.
6. Initialize the IAT at the start of the .rdata section.

The names the stub needs for step 6 sit in the dump above from 00A3037A onward, in the packer's own compact format. This layout is my reading of the bytes, not something the packer documents: a dword holding the RVA of the first IAT slot for the DLL, a length-prefixed, null-terminated DLL name, a dword count, and then count length-prefixed, null-terminated function names. So 9C 50 00 00, 0A "USER32.dll", 06 00 00 00 says that six USER32 imports go into the slots beginning at 0040509C, and 00 50 00 00, 0C "KERNEL32.dll", 26 00 00 00 says that 38 KERNEL32 imports go into the slots beginning at 00405000, the very start of .rdata.

IAT initialization at the start of .rdata: the stub resolves each name with Kernel32.GetModuleHandleA and Kernel32.GetProcAddress (the screenshots of both calls are in the attached original) and writes the returned address into the next IAT slot. The slot order follows the name list: the seventh KERNEL32 name, LoadLibraryA, lands at 00405018 (7C801D7B) and the eighth, GetModuleHandleA, at 0040501C (7C80B741); the last KERNEL32 slot at 00405094 holds 7C80AE40, the GetProcAddress address from the shell's table, and is followed by a zero dword at 00405098; the six USER32 entries occupy 0040509C to 004050B0, terminated by the zero dword at 004050B4:
00405000 F1 0E 81 7C 30 A5 80 7C 3C 8A 83 7C 48 CD 80 7C ...|0..|<..|H..|
00405010 18 8E 83 7C 98 9C 80 7C 7B 1D 80 7C 41 B7 80 7C ...|...|{..|A..|
00405020 F2 1E 80 7C BD 2F 81 7C 7A 12 81 7C 12 CB 81 7C ...|./.|z..|...|
00405030 1A 1E 80 7C 95 DE 80 7C CA 3F 86 7C 6F B5 80 7C ...|...|.?.|o..|
00405040 EF D6 81 7C 87 4B 81 7C 74 A1 80 7C 93 CC 81 7C ...|.K.|t..|...|
00405050 A8 2F 81 7C 37 CD 80 7C D9 2F 81 7C 92 4B 81 7C ./.|7..|./.|.K.|
00405060 7E 2B 81 7C 98 0F 81 7C 56 2C 81 7C 84 9B 80 7C ~+.|...|V,.|...|
00405070 2D FF 92 7C 79 AA 94 7C 27 0E 81 7C 16 2F 81 7C -..|y..|'..|./.|
00405080 B5 99 80 7C 47 28 81 7C C4 00 93 7C F1 9A 80 7C ...|G(.|...|...|
00405090 77 84 93 7C 40 AE 80 7C 00 00 00 00 C2 F3 D2 77 w..|@..|.......w
004050A0 F6 E8 D2 77 9C B1 D2 77 FD AA D2 77 4E 4A D2 77 ...w...w...wNJ.w
004050B0 44 B1 D3 77 00 00 00 00 FF FF FF FF 07 12 40 00 D..w..........@.
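To make the two structures above concrete (the packer's import-name table at 00A3037A and the IAT it produces at 00405000), here is an added Python example; it is not from the original article or from RebPE. The USER32 descriptor is the literal bytes from the dump; the KERNEL32 descriptor is constructed with a count of 8 because the real one has 38 names and is cut off in the dump; the descriptor layout and the zero-RVA terminator are my reading of the bytes; and the three kernel32 addresses the page shows stand in for a live GetProcAddress.

```python
"""Parse the packer's compact import-name table (the bytes at 00A3037A in the
00A30000 block) and reproduce the IAT layout the stub writes at 00405000."""
import struct

IMAGE_BASE = 0x00400000  # the stub saves this value at 00A30353 (step 2)

# Literal bytes from the page's dump, 00A3037A..00A303DF: the USER32 descriptor.
# Layout as I read it off the dump (not documented on the page):
#   dword  RVA of the first IAT slot for this DLL   (0000509C -> 0040509C)
#   byte   length, DLL name, 00                     ("USER32.dll")
#   dword  number of imports                        (6)
#   then   number x (byte length, function name, 00)
USER32_BLOCK = bytes.fromhex(
    "9C 50 00 00 "
    "0A 55 53 45 52 33 32 2E 64 6C 6C 00 "
    "06 00 00 00 "
    "0C 53 65 6E 64 4D 65 73 73 61 67 65 41 00 "
    "09 4C 6F 61 64 49 63 6F 6E 41 00 "
    "0D 44 65 73 74 72 6F 79 57 69 6E 64 6F 77 00 "
    "0C 50 6F 73 74 4D 65 73 73 61 67 65 41 00 "
    "09 45 6E 64 44 69 61 6C 6F 67 00 "
    "0F 44 69 61 6C 6F 67 42 6F 78 50 61 72 61 6D 41 00 "
)


def encode_descriptor(iat_rva, dll, names):
    """Build one descriptor in the layout above (the inverse of the parser)."""
    out = struct.pack("<I", iat_rva) + bytes([len(dll)]) + dll.encode() + b"\0"
    out += struct.pack("<I", len(names))
    for name in names:
        out += bytes([len(name)]) + name.encode() + b"\0"
    return out


# The real KERNEL32 descriptor (00A303E0 onward) lists 38 names and is cut off
# in the dump, so this sample is CONSTRUCTED: count 8, first eight names as on
# the page, so LoadLibraryA and GetModuleHandleA keep their real slots.
KERNEL32_BLOCK = encode_descriptor(0x5000, "KERNEL32.dll", [
    "GetFileType", "GetStringTypeW", "GetStringTypeA", "LCMapStringW",
    "LCMapStringA", "MultiByteToWideChar", "LoadLibraryA", "GetModuleHandleA",
])

# The dump does not show how the list ends; a zero IAT RVA is ASSUMED here.
TABLE = USER32_BLOCK + KERNEL32_BLOCK + struct.pack("<I", 0)


def read_u32(data, pos):
    if pos + 4 > len(data):
        raise ValueError(f"table truncated at offset {pos:#x}")
    return struct.unpack_from("<I", data, pos)[0], pos + 4


def read_lenstr(data, pos):
    """Return (name, next offset) for a length-prefixed, null-terminated name;
    refuse anything that runs past the buffer or lacks the 00 terminator."""
    if pos >= len(data):
        raise ValueError(f"table truncated at offset {pos:#x}")
    end = pos + 1 + data[pos]
    if end >= len(data) or data[end] != 0:
        raise ValueError(f"bad length-prefixed string at offset {pos:#x}")
    return data[pos + 1:end].decode("ascii"), end + 1


def parse_import_table(data):
    """Return [(dll, iat_rva, [names]), ...] until a zero RVA or end of data."""
    descriptors, pos = [], 0
    while pos + 4 <= len(data):
        iat_rva, pos = read_u32(data, pos)
        if iat_rva == 0:
            break
        dll, pos = read_lenstr(data, pos)
        count, pos = read_u32(data, pos)
        names = []
        for _ in range(count):
            name, pos = read_lenstr(data, pos)
            names.append(name)
        descriptors.append((dll, iat_rva, names))
    return descriptors


def iat_slots(descriptors, image_base=IMAGE_BASE):
    """Map every IAT slot VA to 'DLL!Function': the i-th name of a DLL goes to
    image_base + iat_rva + 4*i, which is the order seen in the dump at 00405000."""
    slots = {}
    for dll, iat_rva, names in descriptors:
        for i, name in enumerate(names):
            slots[image_base + iat_rva + 4 * i] = f"{dll}!{name}"
    return slots


# Addresses the page shows for three exports of the XP-era kernel32 loaded at
# 7C800000; they stand in for a live GetProcAddress in this offline example.
KNOWN_ADDRESSES = {
    "KERNEL32.dll!LoadLibraryA": 0x7C801D7B,
    "KERNEL32.dll!GetModuleHandleA": 0x7C80B741,
    "KERNEL32.dll!GetProcAddress": 0x7C80AE40,
}


def fill_iat(descriptors, rdata, rdata_va=0x00405000, resolve=KNOWN_ADDRESSES.get):
    """Write each resolved address into an .rdata image, as the stub does after
    GetModuleHandleA/GetProcAddress; names it cannot resolve are left as 0."""
    for va, symbol in iat_slots(descriptors).items():
        struct.pack_into("<I", rdata, va - rdata_va, resolve(symbol) or 0)
    return rdata


if __name__ == "__main__":
    descs = parse_import_table(TABLE)
    for dll, rva, names in descs:
        print(f"{dll}: {len(names)} slots starting at {IMAGE_BASE + rva:08X}")
    for va, symbol in sorted(iat_slots(descs).items()):
        print(f"{va:08X}  {symbol}")
    filled = fill_iat(descs, bytearray(0x100))
    print("00405018:", filled[0x18:0x20].hex(" "))
```

Running it prints one line per IAT slot, and the filled bytes at .rdata offsets 18h to 1Fh come out as 7b 1d 80 7c 41 b7 80 7c, exactly what OllyDbg shows at 00405018 in the dump above. Comparing the rebuilt slots against the name list this way is the check worth doing in a real session before dumping, since a single miscounted entry shifts every later slot of that DLL.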
Then the stub returns to the OEP.
OEP:
The analysis of the data section is in screenshots that are not visible on the web page, so the original article is attached:
一款加壳程序到OEP之前所做的动作.rar