[旧帖] [求助]请教Themida脱壳后无法运行,似乎还在自修改?
发表于: 2013-10-2 03:03 1367
程序地址:
ffeK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6e0R3^5k6%4y4Q4x3X3g2U0L8$3#2Q4x3V1k6K6L8$3k6@1i4K6u0r3M7$3!0J5N6o6l9I4x3W2)9J5c8Y4y4G2M7Y4b7H3x3e0S2Q4x3V1k6V1L8%4N6F1i4K6u0V1y4U0f1%4z5o6m8Q4x3X3g2Z5N6r3#2D9
OD 载入,程序入口(壳的入口,一进来就跳到 Themida 的代码区):
00EF4014 E9 1C350000 jmp TdxW.00EF7535
.............
00EF7535 8BC5 mov eax, ebp
00EF7537 8BD4 mov edx, esp
00EF7539 60 pushad
00EF753A E8 00000000 call TdxW.00EF753F
00EF753F 5D pop ebp ; kernel32.7C81776F
00EF7540 81ED 2B35970D sub ebp, 0D97352B
00EF7546 8995 7124970D mov dword ptr ss:[ebp+D972471], edx ; ntdll.KiFastSystemCallRet
00EF754C 89B5 F12E970D mov dword ptr ss:[ebp+D972EF1], esi
00EF7552 8985 B118970D mov dword ptr ss:[ebp+D9718B1], eax
00EF7558 83BD F90A970D 00 cmp dword ptr ss:[ebp+D970AF9], 0
00EF755F 74 0C je short TdxW.00EF756D
00EF7561 8BE8 mov ebp, eax
00EF7563 8BE2 mov esp, edx ; ntdll.KiFastSystemCallRet
00EF7565 B8 01000000 mov eax, 1
00EF756A C2 0C00 retn 0C
脱壳跟踪到 near OEP 处,代码形态是典型的 VC6 CRT 启动代码(下方 006EC27C 调用 msvcrt.__set_app_type)。注意 006EC24F 起的一段已被壳偷走(stolen bytes),从 006EC24F 开始的这段反汇编只是对残留字节的错位解码,并非真实指令:
006EC244 80E1 1F and cl, 0x1F
006EC247 D3E8 shr eax, cl
006EC249 C3 retn
006EC24A 33C0 xor eax, eax
006EC24C 33D2 xor edx, edx
006EC24E C3 retn
006EC24F C8 BF606E enter 0x60BF, 0x6E
006EC253 ^ E0 96 loopdne short TdxW.006EC1EB
006EC255 90 nop
006EC256 81F4 0BD21A22 xor esp, 0x221AD20B
006EC25C F777 65 div dword ptr ds:[edi+0x65]
006EC25F 06 push es
006EC260 BB 884B8F7E mov ebx, 0x7E8F4B88
006EC265 5F pop edi
006EC266 3C C0 cmp al, 0xC0
006EC268 98 cwde
006EC269 BF 305DD653 mov edi, 0x53D65D30
006EC26E C009 F5 ror byte ptr ds:[ecx], 0xF5
006EC271 AF scas dword ptr es:[edi]
006EC272 8C51 2D mov word ptr ds:[ecx+0x2D], ss
006EC275 9A 02895DFC 6A0>call far 026A:FC5D8902
006EC27C FF15 E4C27000 call near dword ptr ds:[0x70C2E4] ; msvcrt.__set_app_type
在堆栈中根据 EBP 回溯,找出被偷代码建立的 SEH 帧(下面的 SE 句柄 006EC3D4 和其前一项 0072BCC8,应为被偷走的两条 push 的立即数):
(EBP 0012FEF4)
0012FEE0 01006742 TdxW.01006742
0012FEE4 0012FFE0 指针到下一个 SEH 记录
0012FEE8 006EC3D4 SE 句柄
0012FEEC 0072BCC8 TdxW.0072BCC8
0012FEF0 FFFFFFFF
0012FEF4 00000000
修复被偷代码,并修复 push -0x1 后两行 push 的立即数(0072BCC8 与 006EC3D4 取自上面的堆栈),将 EIP 设为 006EC24F,用 LordPE dump,再用 ImportREC 修复 IAT,看起来一切正常。
006EC24F 55 push ebp
006EC250 8BEC mov ebp, esp
006EC252 6A FF push -0x1
006EC254 68 C8BC7200 push TdxW.0072BCC8
006EC259 68 D4C36E00 push TdxW.006EC3D4 ; jmp to msvcrt._except_handler3
006EC25E 64:A1 00000000 mov eax, dword ptr fs:[0]
006EC264 50 push eax
006EC265 64:8925 0000000>mov dword ptr fs:[0], esp
006EC26C 83EC 68 sub esp, 0x68
006EC26F 53 push ebx
006EC270 56 push esi ; TdxW.01006C3E
006EC271 57 push edi
006EC272 8965 E8 mov dword ptr ss:[ebp-0x18], esp
006EC275 33DB xor ebx, ebx
006EC277 895D FC mov dword ptr ss:[ebp-0x4], ebx ; The (near) OEP, by quosego/SnD
006EC27A 6A 02 push 0x2
006EC27C FF15 E4C27000 call near dword ptr ds:[0x70C2E4] ; msvcrt.__set_app_type
但是修正后的程序无法运行,双击无任何反应。
OD 载入脱壳后的程序,发现下面这个 call 内部调用了 ExitProcess(这应当就是双击无反应、进程静默退出的直接原因):
005E04FC |. 5B pop ebx ; 下面的call代码有问题
005E04FD 81C4 F8000000 add esp, 0F8
005E0503 E8 4821ECFF call Unpack_.004A2650
跟进 call Unpack_.004A2650,发现是一堆花指令/垃圾代码,单步无法跟踪。值得注意的是 004A2655 处 call 的目标 00EC2400 与壳入口 00EF4014 处于同一高地址区域,推测落在 Themida 自身的节里——这很可能是原程序用 Themida SDK 宏保护(虚拟化)的代码入口,而不是 VC6 编译器生成的代码;单纯在 OEP 处 dump 并修复 IAT 不会还原这部分。
004A2650 $ 68 C1EB4CDB push DB4CEBC1
004A2655 . E8 A6FDA100 call Unpack_.00EC2400
004A265A > 2C FA sub al, 0FA
004A265C . 8D47 50 lea eax, dword ptr ds:[edi+50]
004A265F . 0FBAE1 16 bt ecx, 16
004A2663 . 9C pushfd
004A2664 . 39C5 cmp ebp, eax ; mfc42.755DE5EC
004A2666 . 60 pushad
004A2667 . 8D6424 24 lea esp, dword ptr ss:[esp+24]
004A266B .^ 0F87 FCFDFEFF ja Unpack_.0049246D
而且这段代码看起来仍在自修改。如果把这个 call Unpack_.004A2650 直接 NOP 掉,程序可以进入登录界面,但登录后跑飞:EIP 变为 00000000,推测是该 call 本应完成的某项初始化(例如填充某个函数指针)被跳过所致。跑飞时寄存器如下:
EAX 0C2BD74C PTFrame.0C2BD74C
ECX 00129AB0
EDX 0C2BD74C PTFrame.0C2BD74C
EBX 0A0B7FD0
ESP 00129A9C
EBP 0C2B0000 PTFrame.0C2B0000
ESI FFFFFFFF
EDI 00000080
EIP 00000000
请大侠赐教:是否脱壳有问题?为何到了 near OEP 后程序仍然在自修改?如何正确脱壳?
谢谢!(以前曾经脱过几个类似的壳)