Perfect unpacking of the Akala v3.20 password shell
After reading http://bbs.pediy.com/showthread.php?s=&threadid=16248&highlight=Akala I had a go at unpacking it myself, and found that it can be unpacked perfectly, with no need for SMC.
Load the program in OD:
00480001 > 60 PUSHAD
00480002 E8 03000000 CALL 0048000A ; 0048000A
00480007 - E9 EB045D45 JMP 45A504F7
0048000C 55 PUSH EBP
0048000D C3 RETN
0048000E E8 01000000 CALL 00480014 ; 00480014
00480013 EB 5D JMP SHORT 00480072 ; 00480072
00480015 BB EDFFFFFF MOV EBX,-13
(A note on the listing above: the CALL at 00480002 lands at 0048000A, inside the five-byte JMP 45A504F7 that OllyDbg shows at 00480007. The bytes there, 5D 45, are POP EBP / INC EBP, followed by the PUSH EBP / RETN at 0048000C, so execution resumes at 00480008, where EB 04 is JMP SHORT 0048000E; the JMP 45A504F7 is junk that only throws the disassembler out of sync. The CALL 00480014 at 0048000E and the POP EBP hidden at 00480014 (the 5D byte OllyDbg shows as part of "EB 5D") are the usual delta-offset trick, and the MOV EBX,-13 after it presumably turns EBP=00480013 into the shell's base of 00480000, so that the [EBP+...] references below are relative to it.)
Set a hardware breakpoint on access (dword) on the stack at 12FFC0, one of the dwords the PUSHAD at the entry point just saved (the ESP trick), press F9, and it breaks right after the POPAD that restores them:
004803A9 8985 A8030000 MOV DWORD PTR SS:[EBP+3A8],EAX
004803AF 61 POPAD
004803B0 75 08 JNZ SHORT 004803BA /// breaks here (the hardware breakpoint fires after the POPAD).
004803B2 B8 01000000 MOV EAX,1
004803B7 C2 0C00 RETN 0C
004803BA 68 E0444600 PUSH 4644E0
004803BF C3 RETN /// returns to the password shell's entry point.
004803C0 8B85 26040000 MOV EAX,DWORD PTR SS:[EBP+426]
Entering the password shell:
004644E0 55 PUSH EBP /// password shell entry point.
004644E1 8BEC MOV EBP,ESP
004644E3 83C4 F0 ADD ESP,-10
004644E6 B8 D8414600 MOV EAX,4641D8
004644EB E8 B01CFAFF CALL 004061A0 ; 004061A0
004644F0 A1 28634600 MOV EAX,DWORD PTR DS:[466328]
004644F5 8B00 MOV EAX,DWORD PTR DS:[EAX]
004644F7 E8 B01AFFFF CALL 00455FAC ; 00455FAC
004644FC A1 28634600 MOV EAX,DWORD PTR DS:[466328]
00464501 8B00 MOV EAX,DWORD PTR DS:[EAX]
00464503 BA 40454600 MOV EDX,464540 ; ASCII "Akala EXE Lock"
00464508 E8 9716FFFF CALL 00455BA4 ; 00455BA4
0046450D 8B0D 2C644600 MOV ECX,DWORD PTR DS:[46642C] ; VC++1.004690C4
00464513 A1 28634600 MOV EAX,DWORD PTR DS:[466328]
00464518 8B00 MOV EAX,DWORD PTR DS:[EAX]
0046451A 8B15 B8374600 MOV EDX,DWORD PTR DS:[4637B8] ; VC++1.00463804
00464520 E8 9F1AFFFF CALL 00455FC4 ; 00455FC4
00464525 A1 28634600 MOV EAX,DWORD PTR DS:[466328]
0046452A 8B00 MOV EAX,DWORD PTR DS:[EAX]
0046452C E8 131BFFFF CALL 00456044 ; 00456044
00464531 E8 F6F9F9FF CALL 00403F2C ; 00403F2C
00464536 0000 ADD BYTE PTR DS:[EAX],AL
Once at 004644E0, search for all referenced text strings; among them is "...FILE..LOCK...". Double-click it to land at 00463E0B and set a breakpoint there with F2. Then press F9 to run the program, type any password, click "OK", and it breaks:
00463E0B BA 5C3F4600 MOV EDX,463F5C ; ASCII 10,"...FILE..LOCK..." /// breaks here.
00463E10 33C9 XOR ECX,ECX
00463E12 8A08 MOV CL,BYTE PTR DS:[EAX]
00463E14 41 INC ECX
00463E15 E8 56EEF9FF CALL 00402C70 ; 00402C70
00463E1A 74 15 JE SHORT 00463E31 ; 00463E31
00463E1C BA 783F4600 MOV EDX,463F78 ; ASCII "Encryption Flag Error!"
00463E21 8B86 28030000 MOV EAX,DWORD PTR DS:[ESI+328]
00463E27 E8 9428FDFF CALL 004366C0 ; 004366C0
00463E2C E9 F1000000 JMP 00463F22 ; 00463F22
00463E31 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00463E34 8D96 59030000 LEA EDX,DWORD PTR DS:[ESI+359]
00463E3A E8 6104FAFF CALL 004042A0 ; 004042A0
00463E3F 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00463E42 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00463E45 E8 0E9DFFFF CALL 0045DB58 ; 0045DB58
00463E4A 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00463E4D 50 PUSH EAX
00463E4E 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
00463E51 8B86 2C030000 MOV EAX,DWORD PTR DS:[ESI+32C]
00463E57 E8 3428FDFF CALL 00436690 ; 00436690
00463E5C 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] /// EDX = the password that was typed in.
00463E5F 58 POP EAX /// EAX = the stored encryption password.
00463E60 E8 E305FAFF CALL 00404448 /// compare.
00463E65 74 6D JE SHORT 00463ED4 /// jumps when equal; if they differ, execution falls through to the error path.
00463E67 FE86 40030000 INC BYTE PTR DS:[ESI+340]
00463E6D 8A9E 40030000 MOV BL,BYTE PTR DS:[ESI+340]
00463E73 80FB 03 CMP BL,3
00463E76 76 0C JBE SHORT 00463E84 ; 00463E84
00463E78 8BC6 MOV EAX,ESI
00463E7A E8 85EAFEFF CALL 00452904 ; 00452904
00463E7F E9 9E000000 JMP 00463F22 ; 00463F22
Change the JE at 00463E65 to JMP, press F9 again, and the program simply runs. After closing OD the program keeps running, so it seems the shell creates a new process. (Note that on the unpatched path a wrong password increments the counter byte at [ESI+340]; once it exceeds 3 the code at 00463E78 goes through CALL 00452904 and jumps to 00463F22 instead of taking the JBE 00463E84 path, so do not burn attempts when testing by hand.)
Reload the program, change 00463E65 to JMP again, then bp WriteFile; it breaks at the call below (should the breakpoint hit for some other write first, use the stack arguments to identify the right call: the one that writes the decrypted program has nBytesToWrite equal to the length of the original file):
77E192AA > 6A 18 PUSH 18 /// breaks here.
77E192AC 68 A0FEE477 PUSH 77E4FEA0
77E192B1 E8 4084FFFF CALL 77E116F6 ; 77E116F6
77E192B6 8B5D 14 MOV EBX,DWORD PTR SS:[EBP+14]
77E192B9 33C9 XOR ECX,ECX
Stack:
0012FB5C 00408735 /CALL to WriteFile from VC++1.00408730
0012FB60 000000B8 |hFile = 000000B8 (window)
0012FB64 001937F8 |Buffer = 001937F8
0012FB68 0000D000 |nBytesToWrite = D000 (53248.)
0012FB6C 0012FB74 |pBytesWritten = 0012FB74
0012FB70 00000000 \pOverlapped = NULL
Heh, the buffer already holds the complete file.
Dump the D000 bytes starting at 001937F8 and save them as an .exe file. Comparing the dumped file with the original shows it is exactly the size of the file before encryption, so this can be called a perfect unpack :)
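As an added example (not part of the original post, and not Akala's own code): a small Python script that checks a buffer dumped from this WriteFile call the way the paragraph above does by hand. It assumes what the post observes, namely that the packer hands WriteFile the decrypted program as a raw on-disk image rather than a memory image, so the length the file should have is the end of the last section's raw data as recorded in the PE section table; that length is compared with the dumped length and with nBytesToWrite. It also goes one step beyond the post: carve_pe() cuts the image out of a larger dump (say a whole heap region) when you did not dump exactly the D000 bytes. The PE built by build_sample_pe() is constructed test input, not the real unpacked program.

```python
"""Check a buffer dumped from the packer's WriteFile call for completeness.

Added example, not from the original post and not Akala's code. It assumes
the dumped buffer is a raw on-disk PE image (what the post observes), so the
expected length is the end of the last section's raw data. build_sample_pe()
is a constructed stand-in for the dumped program, not the real binary.
"""
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def pe_expected_size(buf, base=0):
    """Smallest file length that holds the headers and every section's raw data.

    `base` is the offset of the MZ header inside `buf`. Raises ValueError when
    the bytes at `base` are not a usable PE header.
    """
    if len(buf) < base + 0x40 or buf[base:base + 2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", buf, base + 0x3C)
    nt = base + e_lfanew
    if buf[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = nt + 4
    opt = coff + 20                                  # IMAGE_FILE_HEADER is 20 bytes
    if len(buf) < opt + 64:
        raise ValueError("headers truncated")
    num_sections, = struct.unpack_from("<H", buf, coff + 2)
    opt_size, = struct.unpack_from("<H", buf, coff + 16)
    size_of_headers, = struct.unpack_from("<I", buf, opt + 60)
    end = size_of_headers
    sections = opt + opt_size
    for i in range(num_sections):
        off = sections + i * 40
        if off + 40 > len(buf):
            raise ValueError("section table truncated")
        _name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_HDR, buf, off)
        if raw_size:                                 # .bss-style sections have no raw data
            end = max(end, raw_ptr + raw_size)
    return end


def check_dump(buf, n_bytes_to_write):
    """Compare the dumped buffer with the nBytesToWrite the packer passed to WriteFile."""
    expected = pe_expected_size(buf)
    return {
        "expected": expected,                        # derived from the section table
        "dumped": len(buf),
        "complete": len(buf) >= expected,            # every section's raw data is present
        "matches_writefile": len(buf) == n_bytes_to_write,
        "overlay": max(0, len(buf) - expected),      # trailing bytes past the last section
    }


def carve_pe(blob):
    """Find the first valid PE in a larger dump (e.g. a whole heap region) and cut it out."""
    pos = blob.find(b"MZ")
    while pos != -1:
        try:
            return blob[pos:pos + pe_expected_size(blob, pos)]
        except ValueError:                           # stray "MZ" bytes, keep scanning
            pos = blob.find(b"MZ", pos + 1)
    raise ValueError("no PE image found")


def build_sample_pe():
    """Constructed 0x600-byte PE32 image (0x200 of headers + two 0x200 sections)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<I", opt, 56, 0x3000)                       # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)                        # SizeOfHeaders
    secs = struct.pack(SECTION_HDR, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_HDR, b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + coff + opt + secs).ljust(0x200, b"\0")
    return bytes(headers) + b"\xC3" * 0x200 + b"\xAA" * 0x200


if __name__ == "__main__":
    sample = build_sample_pe()
    print(check_dump(sample, 0x600))             # a complete dump
    print(check_dump(sample[:0x500], 0x600))     # a dump that was cut short
```

On a real dump, call check_dump(open("dumped.exe", "rb").read(), 0xD000): "complete" means every section's raw data is present, "overlay" counts bytes past the last section, and a false "matches_writefile" means a different amount was saved than the packer wrote.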
Attachment: ael.rar