I have a program whose packer is Armadillo 4.X + CopyMemII + Debug-Block. Following the tutorial ( http://intechhosting.com/~access/ARTeam/tutorials/file_info/download1.php?file=Unpacking_Armadillo_v4.x_With_Code_Splicing_by_MaDMAn_H3rCul3s.rar )
---- there are many tutorials published by ARTeam here, at: http://intechhosting.com/~access/ARTeam/tutorials/index.php?page=1
, I removed CopyMemII + Debug-Block (? it should have been bypassed); anyway, everything up to that point went smoothly
(skipped here), until I opened a new OllyDbg and attached to the second thread. The screenshot that came up is as follows:
7C921231 C3 retn
7C921232 8BFF mov edi,edi
7C921234 90 nop
7C921235 90 nop
7C921236 90 nop
7C921237 90 nop
7C921238 90 nop
7C921239 ntdll.Dbg> CC int3
7C92123A C3 retn
Here everything is still exactly as the tutorial describes. Then Shift+F9, then F12; the screenshot that came up is as follows:
004A0000 test.<Mod>- EB FE jmp short test.<ModuleEntryPoint>
004A0002 0000 add byte ptr ds:[eax],al
004A0004 0000 add byte ptr ds:[eax],al
004A0006 5D pop ebp
004A0007 50 push eax
004A0008 51 push ecx
004A0009 0FCA bswap edx
004A000B F7D2 not edx
004A000D 9C pushfd
004A000E F7D2 not edx
004A0010 0FCA bswap edx
004A0012 EB 0F jmp short test.004A0023
004A0014 B9 EB0FB8EB mov ecx,EBB80FEB
004A0019 07 pop es
004A001A B9 EB0F90EB mov ecx,EB900FEB
004A001F 08FD or ch,bh
004A0021 EB 0B jmp short test.004A002E
004A0023 F2: prefix repne:
004A0024 ^ EB F5 jmp short test.004A001B
004A0026 ^ EB F6 jmp short test.004A001E
Here everything still looks normal. Then I changed EB FE back to the program's original bytes 60 E8, as follows:
004A0000 test.<Mod> 60 pushad
004A0001 E8 00000000 call test.004A0006
004A0006 5D pop ebp
004A0007 50 push eax
004A0008 51 push ecx
004A0009 0FCA bswap edx
004A000B F7D2 not edx
004A000D 9C pushfd
004A000E F7D2 not edx
004A0010 0FCA bswap edx
Next I set a breakpoint on CreateThread and ran with Shift+F9.
It seems the problem appeared here. The tutorial says that a nag window should appear at this point (I'm not quite sure what that window is; I think it is probably something prompting you to register),
but what I got instead was a dialog saying "the main thread is suspended". With no other choice, I gritted my teeth and resumed the main thread, and it broke quite smoothly at CreateThread
after all. The screenshot at this point is as follows:
7C81082F kernel32.> 8BFF mov edi,edi
7C810831 55 push ebp
7C810832 8BEC mov ebp,esp
7C810834 FF75 1C push dword ptr ss:[ebp+1C]
7C810837 FF75 18 push dword ptr ss:[ebp+18]
7C81083A FF75 14 push dword ptr ss:[ebp+14]
7C81083D FF75 10 push dword ptr ss:[ebp+10]
7C810840 FF75 0C push dword ptr ss:[ebp+C]
7C810843 FF75 08 push dword ptr ss:[ebp+8]
7C810846 6A FF push -1
7C810848 E8 D9FDFFFF call kernel32.CreateRemoteThread
7C81084D 5D pop ebp
7C81084E C2 1800 retn 18
Haha, back to a very familiar place. Ctrl+F9, stop at retn 18, F7 to step in; the screenshot that came up is as follows:
0047B626 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
0047B629 81E1 FF000000 and ecx,0FF
0047B62F 85C9 test ecx,ecx
0047B631 74 06 je short test.0047B639
0047B633 FF15 60004B00 call dword ptr ds:[<&KERNEL32.FreeCon>; kernel32.FreeConsole
0047B639 C685 FCFDFFFF 01 mov byte ptr ss:[ebp-204],1
0047B640 C685 20FFFFFF 00 mov byte ptr ss:[ebp-E0],0
0047B647 C685 24FFFFFF 00 mov byte ptr ss:[ebp-DC],0
0047B64E 68 386E4B00 push test.004B6E38
0047B653 FF15 B0014B00 call dword ptr ds:[<&KERNEL32.Initial>; kernel32.InitializeCriticalSection
0047B659 C745 FC 00000000 mov dword ptr ss:[ebp-4],0
0047B660 8D95 E0F5FFFF lea edx,dword ptr ss:[ebp-A20]
0047B666 8995 DCF5FFFF mov dword ptr ss:[ebp-A24],edx
0047B66C 51 push ecx
0047B66D 0FC9 bswap ecx
0047B66F F7D1 not ecx
0047B671 50 push eax
0047B672 F7D0 not eax
0047B674 B8 6D69656C mov eax,6C65696D
At this point I found I had completely lost the trail. After tracing for ages I still could not reach that "call ECX" that everyone on earth knows.
Sob, how can this be? Please advise, experts, with many thanks!