Download address: http://61.153.193.236/download/webmediaV5.0.rar
Registration code: 1AEE-98B4
abc
3768-9599-9057-0633
Author's note: my first article after joining the FLY academy. No other purpose.
Packer: Armadillo 3.78 - SiliconRealms Toolworks
Tools / debugging environment: WinXP, OllyDbg, PEiD, LordPE, ImportREC 1.6
Set OllyDbg to ignore all exceptions and hide the debugger (hide OD).
00454000 P> 60 pushad
00454001 E8 00000000 call Patch-2.00454006
00454006 5D pop ebp
00454007 50 push eax
00454008 51 push ecx
00454009 0FCA bswap edx
0045400B F7D2 not edx
0045400D 9C pushfd
0045400E F7D2 not edx
00454010 0FCA bswap edx
Set the breakpoint BP OpenMutexA, then Shift+F9.
7C80EC1B k> 8BFF mov edi,edi // breaks here
7C80EC1D 55 push ebp
7C80EC1E 8BEC mov ebp,esp
7C80EC20 51 push ecx
7C80EC21 51 push ecx
7C80EC22 837D 10 00 cmp dword ptr ss:[ebp+10],0
7C80EC26 56 push esi
Look at the stack:
0012D784 0042B9B8 /CALL 到 OpenMutexA 来自 Patch-2.0042B9B2
0012D788 001F0001 |Access = 1F0001
0012D78C 00000000 |Inheritable = FALSE
0012D790 0012DDC4 \MutexName = "9C4::DAACE00BDE"
Ctrl+G: 401000, then assemble the following code there:
00401000 60 pushad
00401001 9C pushfd
00401002 68 B4FB1200 push 12DDC4 // the MutexName address seen on the stack above
00401007 33C0 xor eax,eax
00401009 50 push eax
0040100A 50 push eax
0040100B E8 B4B2A577 call kernel32.CreateMutexA
00401010 9D popfd
00401011 61 popad
00401012 E9 33F7A577 jmp kernel32.OpenMutexA
Set a new origin at 401000 (New origin here), press F9 to run, and it breaks again at OpenMutexA.
Remove the breakpoint.
Ctrl+G: 401000, then Undo selection (restores the original bytes).
Set the breakpoint: BP GetModuleHandleA+5
7C80B52E 837D 08 00 cmp dword ptr ss:[ebp+8],0 // breaks here
7C80B532 74 18 je short kernel32.7C80B54C
7C80B534 FF75 08 push dword ptr ss:[ebp+8]
7C80B537 E8 682D0000 call kernel32.7C80E2A4
7C80B53C 85C0 test eax,eax
7C80B53E 74 08 je short kernel32.7C80B548
7C80B540 FF70 04 push dword ptr ds:[eax+4]
7C80B543 E8 F4300000 call kernel32.GetModuleHandleW
7C80B548 5D pop ebp
7C80B549 C2 0400 retn 4
Look at the stack:
0012CE4C /0012CE84
0012CE50 |5D175394 返回到 5D175394 来自 kernel32.GetModuleHandleA
0012CE54 |5D1753E0 ASCII "kernel32.dll"
0012CF0C /0012CF28
0012CF10 |77F45BB0 返回到 SHLWAPI.77F45BB0 来自 kernel32.GetModuleHandleA
0012CF14 |77F44FF4 ASCII "KERNEL32.DLL"
0012D724 /0012D78C
0012D728 |0042AAF3 返回到 Patch-2.0042AAF3 来自 kernel32.GetModuleHandleA
0012D72C |00000000
00127A68 /0012CD94
00127A6C |00AC530E 返回到 00AC530E 来自 kernel32.GetModuleHandleA
00127A70 |00AD8BAC ASCII "kernel32.dll"
00127A74 |00AD9CC4 ASCII "VirtualAlloc"
00127A68 /0012CD94
00127A6C |00AC532B 返回到 00AC532B 来自 kernel32.GetModuleHandleA
00127A70 |00AD8BAC ASCII "kernel32.dll"
00127A74 |00AD9CB8 ASCII "VirtualFree"
001277CC /00127A6C
001277D0 |00AB4F9E 返回到 00AB4F9E 来自 kernel32.GetModuleHandleA
001277D4 |00127920 ASCII "kernel32.dll"
Remove the breakpoint and press Alt+F9 to return.
00AB4F9E 8B0D AC0DAE00 mov ecx,dword ptr ds:[AE0DAC]
00AB4FA4 89040E mov dword ptr ds:[esi+ecx],eax
00AB4FA7 A1 AC0DAE00 mov eax,dword ptr ds:[AE0DAC]
00AB4FAC 391C06 cmp dword ptr ds:[esi+eax],ebx
00AB4FAF 75 16 jnz short 00AB4FC7
00AB4FB1 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C]
00AB4FB7 50 push eax
00AB4FB8 FF15 B432AD00 call dword ptr ds:[AD32B4] ; kernel32.LoadLibraryA
00AB4FBE 8B0D AC0DAE00 mov ecx,dword ptr ds:[AE0DAC]
00AB4FC4 89040E mov dword ptr ds:[esi+ecx],eax
00AB4FC7 A1 AC0DAE00 mov eax,dword ptr ds:[AE0DAC]
00AB4FCC 391C06 cmp dword ptr ds:[esi+eax],ebx
00AB4FCF 0F84 2F010000 je 00AB5104 // change to JMP
00AB4FD5 33C9 xor ecx,ecx
00AB4FD7 8B07 mov eax,dword ptr ds:[edi]
00AB4FD9 3918 cmp dword ptr ds:[eax],ebx
00AB4FDB 74 06 je short 00AB4FE3
00AB4FDD 41 inc ecx
00AB4FDE 83C0 0C add eax,0C
00AB4FE1 ^ EB F6 jmp short 00AB4FD9
00AB4FE3 8BD9 mov ebx,ecx
00AB4FE5 C1E3 02 shl ebx,2
00AB4FE8 53 push ebx
00AB4FE9 E8 A4DA0100 call 00AD2A92 ; jmp to msvcrt.operator new
Set a memory access breakpoint at 401000 (the code section), then Shift+F9; the screen turns into a block of red, heh.
00401000 68 0F304000 push Patch-2.0040300F // OEP. Here, correct the ImageSize with LordPE and then do a full dump of this process
00401005 E8 0A020000 call Patch-2.00401214 ; jmp to kernel32.GetStartupInfoA
0040100A 68 53304000 push Patch-2.00403053
0040100F 68 0F304000 push Patch-2.0040300F
00401014 6A 00 push 0
00401016 6A 00 push 0
00401018 6A 24 push 24
0040101A 6A 00 push 0
0040101C 6A 00 push 0
0040101E 6A 00 push 0
00401020 6A 00 push 0
Run ImportREC 1.6 and select this process. Change the OEP to 1000, click IAT AutoSearch, and cut the invalid functions. Fix Dump, and it runs normally!
by: 夜凉如水
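An added check, not part of the original post: it resolves the targets of the relative call/jmp/jcc encodings that OllyDbg prints in the listings above, compares them with the target the disassembler shows, and computes the bytes for the je-to-jmp patch at 00AB4FCF (a 6-byte near jcc replaced by a 5-byte jmp rel32 plus a NOP). The sample lines are copied from this page; the parser assumes OllyDbg's layout of address, uppercase opcode bytes, then mnemonic.

```python
import re
import struct
# Constructed sample: disassembly lines copied from the listings on this page.
SAMPLE_LISTING = """\
00454001 E8 00000000 call Patch-2.00454006
7C80B537 E8 682D0000 call kernel32.7C80E2A4
00AB4FCF 0F84 2F010000 je 00AB5104
00AB4FE1 ^ EB F6 jmp short 00AB4FD9
0040100B E8 B4B2A577 call kernel32.CreateMutexA
""".splitlines()
BYTE_TOKEN = re.compile(r"^([0-9A-F]{2})+$")   # a run of hex byte pairs, as OllyDbg prints opcodes

def parse_line(line):
    """Split an OllyDbg listing line into (address, opcode bytes, text after the bytes)."""
    tokens = line.split()
    addr = int(tokens[0], 16)
    code, rest = bytearray(), []
    for tok in tokens[1:]:          # markers before the bytes ("^", "P>", "k>") are skipped
        if BYTE_TOKEN.match(tok) and not rest:
            code += bytes.fromhex(tok)
        elif code:                  # first non-byte token after the bytes starts the mnemonic
            rest.append(tok)
    return addr, bytes(code), " ".join(rest)

def branch_target(addr, code):
    """Target of a relative call/jmp/jcc given its address and its complete encoding."""
    if len(code) == 5 and code[0] in (0xE8, 0xE9):                            # call/jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
    elif len(code) == 2 and (code[0] == 0xEB or 0x70 <= code[0] <= 0x7F):     # short rel8
        rel = struct.unpack_from("<b", code, 1)[0]
    elif len(code) == 6 and code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:      # jcc near rel32
        rel = struct.unpack_from("<i", code, 2)[0]
    else:
        raise ValueError("not a relative branch: " + code.hex())
    return (addr + len(code) + rel) & 0xFFFFFFFF   # displacement counts from the next instruction

def check_line(line):
    """Return (computed target, target the disassembler printed or None, whether they agree)."""
    addr, code, text = parse_line(line)
    computed = branch_target(addr, code)
    m = re.search(r"([0-9A-F]{8})$", text)
    shown = int(m.group(1), 16) if m else None
    return computed, shown, shown is None or shown == computed

def jcc_near_to_jmp(addr, code):
    """jmp rel32 that replaces a 6-byte near jcc: rel32 recomputed for the 5-byte jmp, NOP pads byte six."""
    target = branch_target(addr, code)
    rel = (target - (addr + 5)) & 0xFFFFFFFF
    return bytes([0xE9]) + struct.pack("<I", rel) + b"\x90"
```

The call in the injected code at 0040100B resolves to 77E5C2C4, which is not inside the 7C80xxxx kernel32 shown in this session, so type the mnemonics into OllyDbg's assembler and let it encode the bytes rather than copying the opcode column.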