Yesterday someone was discussing a piece of software protected with an Armadillo shell. I downloaded it and had a look: it is said to be the standard shell, but it behaves a bit differently from the usual case.
Software download address
http://yncnc.onlinedown.net/soft/41711.htm
PEiD scan result
Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay]
Load it in OD and go to the "magic jmp" location that everyone on earth knows about
003C471F 8906 mov dword ptr ds:[esi],eax ; kernel32.77E40000
003C4721 3BC3 cmp eax,ebx
003C4723 75 0B jnz short 003C4730
003C4725 FF76 F8 push dword ptr ds:[esi-8]
003C4728 FF15 CCB03D00 call dword ptr ds:[3DB0CC] ; kernel32.LoadLibraryA
003C472E 8906 mov dword ptr ds:[esi],eax
003C4730 391E cmp dword ptr ds:[esi],ebx
003C4732 74 19 je short 003C474D
003C4734 8B7E FC mov edi,dword ptr ds:[esi-4]
003C4737 391F cmp dword ptr ds:[edi],ebx
003C4739 74 12 je short 003C474D
003C473B FF37 push dword ptr ds:[edi]
003C473D FF36 push dword ptr ds:[esi]
003C473F FF15 C8B03D00 call dword ptr ds:[3DB0C8] ; kernel32.GetProcAddress
003C4745 8947 0C mov dword ptr ds:[edi+C],eax
003C4748 83C7 10 add edi,10
003C474B ^ EB EA jmp short 003C4737
003C474D 83C6 0C add esi,0C
003C4750 395E F8 cmp dword ptr ds:[esi-8],ebx
003C4753 ^ 75 C1 jnz short 003C4716
003C4755 E9 98000000 jmp 003C47F2
003C475A 381D 502D3E00 cmp byte ptr ds:[3E2D50],bl
003C4760 0F85 8C000000 jnz 003C47F2
003C4766 895D DC mov dword ptr ss:[ebp-24],ebx
Looking at this, it doesn't look like the magic jmp at all.
I patched it anyway, set a memory breakpoint on the 401000 section, broke at the OEP and looked at the IAT: many entries were still not decrypted. So that really is not the magic jmp.
By setting a write breakpoint on the IAT, it is easy to reach the place where the IAT gets written:
003D2111 6A 01 push 1
003D2113 58 pop eax
003D2114 85C0 test eax,eax
003D2116 0F84 7D010000 je 003D2299
003D211C 83A5 6CFCFFFF 00 and dword ptr ss:[ebp-394],0
003D2123 8B85 9CFEFFFF mov eax,dword ptr ss:[ebp-164]
003D2129 0FBE00 movsx eax,byte ptr ds:[eax]
003D212C 85C0 test eax,eax
003D212E 75 12 jnz short 003D2142
003D2130 8B85 9CFEFFFF mov eax,dword ptr ss:[ebp-164]
003D2136 40 inc eax
003D2137 8985 9CFEFFFF mov dword ptr ss:[ebp-164],eax
003D213D E9 57010000 jmp 003D2299
003D2142 8B85 9CFEFFFF mov eax,dword ptr ss:[ebp-164]
003D2148 0FB600 movzx eax,byte ptr ds:[eax]
003D214B 3D FF000000 cmp eax,0FF
003D2150 0F85 A7000000 jnz 003D21FD
003D2156 8B85 9CFEFFFF mov eax,dword ptr ss:[ebp-164]
003D215C 40 inc eax
003D215D 8985 9CFEFFFF mov dword ptr ss:[ebp-164],eax
003D2163 8B85 9CFEFFFF mov eax,dword ptr ss:[ebp-164]
003D2169 66:8B00 mov ax,word ptr ds:[eax]
003D216C 66:8985 68FCFFFF mov word ptr ss:[ebp-398],ax
003D2173 8B85 9CFEFFFF mov eax,dword ptr ss:[ebp-164]
003D2179 40 inc eax
003D217A 40 inc eax
003D217B 8985 9CFEFFFF mov dword ptr ss:[ebp-164],eax
003D2181 0FB785 68FCFFFF movzx eax,word ptr ss:[ebp-398]
003D2188 50 push eax
003D2189 FFB5 88FCFFFF push dword ptr ss:[ebp-378]
003D218F E8 D229FFFF call 003C4B66
003D2194 8985 6CFCFFFF mov dword ptr ss:[ebp-394],eax
003D219A 83BD 6CFCFFFF 00 cmp dword ptr ss:[ebp-394],0
003D21A1 75 58 jnz short 003D21FB
003D21A3 FF15 C4B03D00 call dword ptr ds:[3DB0C4] ; ntdll.RtlGetLastWin32Error
003D21A9 83F8 32 cmp eax,32
003D21AC 75 0A jnz short 003D21B8
003D21AE C785 6CFCFFFF 5B4>mov dword ptr ss:[ebp-394],3C4B5B
003D21B8 83BD 6CFCFFFF 00 cmp dword ptr ss:[ebp-394],0
003D21BF 75 3A jnz short 003D21FB
003D21C1 8B45 08 mov eax,dword ptr ss:[ebp+8]
003D21C4 8B00 mov eax,dword ptr ds:[eax]
003D21C6 C700 03000000 mov dword ptr ds:[eax],3
003D21CC FF15 C4B03D00 call dword ptr ds:[3DB0C4] ; ntdll.RtlGetLastWin32Error
003D21D2 50 push eax
003D21D3 0FB785 68FCFFFF movzx eax,word ptr ss:[ebp-398]
003D21DA 50 push eax
003D21DB FFB5 70FCFFFF push dword ptr ss:[ebp-390]
003D21E1 68 A4E53D00 push 3DE5A4 ; ASCII "File "%s", ordinal %d (error %d)"
003D21E6 8B45 08 mov eax,dword ptr ss:[ebp+8]
003D21E9 FF70 04 push dword ptr ds:[eax+4]
003D21EC E8 CB2C0000 call 003D4EBC
003D21F1 83C4 14 add esp,14
003D21F4 33C0 xor eax,eax
003D21F6 E9 57050000 jmp 003D2752
003D21FB EB 7A jmp short 003D2277
003D21FD 8B85 9CFEFFFF mov eax,dword ptr ss:[ebp-164]
003D2203 8985 64FCFFFF mov dword ptr ss:[ebp-39C],eax
003D2209 6A 00 push 0
003D220B FFB5 9CFEFFFF push dword ptr ss:[ebp-164]
003D2211 E8 EA2B0000 call 003D4E00
003D2216 59 pop ecx
003D2217 59 pop ecx
003D2218 40 inc eax
003D2219 8985 9CFEFFFF mov dword ptr ss:[ebp-164],eax
003D221F FFB5 64FCFFFF push dword ptr ss:[ebp-39C]
003D2225 FFB5 88FCFFFF push dword ptr ss:[ebp-378]
003D222B E8 3629FFFF call 003C4B66
003D2230 8985 6CFCFFFF mov dword ptr ss:[ebp-394],eax
003D2236 83BD 6CFCFFFF 00 cmp dword ptr ss:[ebp-394],0
003D223D 75 38 jnz short 003D2277
003D223F 8B45 08 mov eax,dword ptr ss:[ebp+8]
003D2242 8B00 mov eax,dword ptr ds:[eax]
003D2244 C700 03000000 mov dword ptr ds:[eax],3
003D224A FF15 C4B03D00 call dword ptr ds:[3DB0C4] ; ntdll.RtlGetLastWin32Error
003D2250 50 push eax
003D2251 FFB5 64FCFFFF push dword ptr ss:[ebp-39C]
003D2257 FFB5 70FCFFFF push dword ptr ss:[ebp-390]
003D225D 68 80E53D00 push 3DE580 ; ASCII "File "%s", function "%s" (error %d)"
003D2262 8B45 08 mov eax,dword ptr ss:[ebp+8]
003D2265 FF70 04 push dword ptr ds:[eax+4]
003D2268 E8 4F2C0000 call 003D4EBC
003D226D 83C4 14 add esp,14
003D2270 33C0 xor eax,eax
003D2272 E9 DB040000 jmp 003D2752
003D2277 8B85 74FCFFFF mov eax,dword ptr ss:[ebp-38C]
003D227D 8B8D 6CFCFFFF mov ecx,dword ptr ss:[ebp-394]
003D2283 8908 mov dword ptr ds:[eax],ecx // write into the IAT
003D2285 8B85 74FCFFFF mov eax,dword ptr ss:[ebp-38C] ; eBookStu.0057E1E8
003D228B 83C0 04 add eax,4
003D228E 8985 74FCFFFF mov dword ptr ss:[ebp-38C],eax
003D2294 ^ E9 78FEFFFF jmp 003D2111
Note this part:
003D2219 8985 9CFEFFFF mov dword ptr ss:[ebp-164],eax
003D221F FFB5 64FCFFFF push dword ptr ss:[ebp-39C]
003D2225 FFB5 88FCFFFF push dword ptr ss:[ebp-378]
003D222B E8 3629FFFF call 003C4B66
003D2230 8985 6CFCFFFF mov dword ptr ss:[ebp-394],eax
003D2236 83BD 6CFCFFFF 00 cmp dword ptr ss:[ebp-394],0
003D223D 75 38 jnz short 003D2277
The call above is the watershed: this is where the API addresses are resolved, and the encryption of the few encrypted APIs is done here as well.
Set a breakpoint on that call and look at the stack:
0012DF14 77E40000 ASCII "MZ?
0012DF18 00E62124 ASCII "LoadLibraryExA"
This LoadLibraryExA goes in, is processed by that call, and comes out as an encrypted address.
Note here: this place looks exactly like the parameters of GetProcAddress, so we simply change it to this:
003D221F FFB5 64FCFFFF push dword ptr ss:[ebp-39C]
003D2225 FFB5 88FCFFFF push dword ptr ss:[ebp-378]
003D222B E8 0291A877 call kernel32.GetProcAddress
003D2230 8985 6CFCFFFF mov dword ptr ss:[ebp-394],eax
003D2236 83BD 6CFCFFFF 00 cmp dword ptr ss:[ebp-394],0
003D223D 75 38 jnz short 003D2277
Then press F9 to run. The program reports an exception, but all the APIs have been completely resolved. Grab them with ImportREC, fill in the OEP, fix the dumped file, then paste the overlay back, and the program runs normally. Since registration uses Armadillo's own registration module, after unpacking it is already registered for you.
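As an added example (mine, not code from the post or from the software discussed), here is a Python model of how the loop at 003D2111 consumes the packer's import-name stream and writes the IAT. The stream layout (a 0x00 byte ends the current module's list, a 0xFF byte introduces a 16-bit ordinal, anything else is a NUL-terminated function name, with the call at 003D4E00 taken to be strchr(p, 0)) is my reading of the listing's branches and is an assumption; the dictionary resolver standing in for GetProcAddress, the FAKE_EXPORTS addresses and the module range are constructed. The last function is the check the post does by eye after the first patch attempt: which IAT slots still hold values that do not point into any loaded module.

```python
"""Model of the Armadillo IAT-filling loop at 003D2111 (added example).

Assumed stream layout (my reading of the OllyDbg listing):
  0x00            -> end of the current module's import list (003D212E not taken)
  0xFF, u16       -> import by ordinal (cmp eax,0FF at 003D214B)
  name, 0x00      -> import by NUL-terminated name (003D21FD onwards)
Each resolved address is stored at [ebp-38C], which then advances by 4
(mov [eax],ecx at 003D2283 / add eax,4 at 003D228B).
"""
import struct

# Constructed stand-in for a module's export table: name or ordinal -> address.
# The addresses are made up; 77E40000 is the kernel32 image base the listing shows.
FAKE_EXPORTS = {
    "LoadLibraryExA": 0x77E4AAAA,
    "GetProcAddress": 0x77E4BBBB,
    123: 0x77E4CCCC,  # export reachable only by ordinal
}

# Constructed module range used by the "is this slot resolved?" check below.
FAKE_MODULE_RANGES = [(0x77E40000, 0x77F40000)]


def build_name_stream(entries):
    """Encode names (str) and ordinals (int) in the layout the loop reads."""
    out = bytearray()
    for e in entries:
        if isinstance(e, int):
            out += b"\xff" + struct.pack("<H", e)
        else:
            out += e.encode("ascii") + b"\x00"
    out += b"\x00"  # end-of-module marker
    return bytes(out)


def walk_name_stream(stream, pos=0):
    """Decode entries from `stream` starting at `pos`, following the loop's branches.

    Returns (entries, pos_after_terminator); each entry is ("ordinal", int)
    or ("name", str).
    """
    entries = []
    while True:
        b = stream[pos]
        if b == 0x00:
            return entries, pos + 1
        if b == 0xFF:
            ordinal = struct.unpack_from("<H", stream, pos + 1)[0]
            entries.append(("ordinal", ordinal))
            pos += 3  # marker byte plus two ordinal bytes (inc eax; inc eax)
        else:
            end = stream.index(b"\x00", pos)  # assumed strchr(p, 0) at 003D4E00
            entries.append(("name", stream[pos:end].decode("ascii")))
            pos = end + 1  # "inc eax": step over the terminator


def resolve(exports, entry):
    """Stand-in for GetProcAddress: address on success, 0 on failure."""
    _kind, value = entry
    return exports.get(value, 0)


def fill_iat(stream, exports, iat_base=0x0057E1E8):
    """Resolve every entry and write it to successive IAT slots.

    Returns (slots, failures): slots maps IAT address -> value written; on the
    first failure the loop stops, mirroring the jmp 003D2752 error exit.
    """
    entries, _ = walk_name_stream(stream)
    slots = {}
    failures = []
    slot = iat_base
    for entry in entries:
        addr = resolve(exports, entry)
        if addr == 0:
            # Corresponds to the 'File "%s", function "%s" (error %d)' path.
            # (The real loop also substitutes a stub when GetLastError is 0x32
            # for ordinal imports; not modelled here.)
            failures.append(entry)
            break
        slots[slot] = addr
        slot += 4
    return slots, failures


def unresolved_slots(slots, module_ranges):
    """Return IAT slots whose value lies outside every known module range.

    These are the entries that still look "not decrypted" when you inspect the
    IAT at the OEP, and that ImportREC would flag as invalid.
    """
    return [
        slot
        for slot, value in slots.items()
        if not any(lo <= value < hi for lo, hi in module_ranges)
    ]


if __name__ == "__main__":
    stream = build_name_stream(["LoadLibraryExA", 123, "GetProcAddress"])
    slots, failures = fill_iat(stream, FAKE_EXPORTS)
    for slot, value in slots.items():
        print(f"{slot:08X} -> {value:08X}")
    print("unresolved:", unresolved_slots(slots, FAKE_MODULE_RANGES))
```

The resolver is deliberately a plain lookup: swapping the packer's own resolver for GetProcAddress is exactly what the patch at 003D222B does, and the model shows why the rest of the loop (name parsing, slot advance) keeps working unchanged after that substitution.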