-
-
脱loveboom的execryptor的例子
-
发表于:
2005-12-22 21:31
11876
-
脱loveboom的execryptor的文章里的那个例子
学习了loveboom的文章收获不小
其实像VB这样的程序,就算execryptor,利用现有的条件是可以轻松脱掉的
flyodbg + hideod插件 (看雪老师的)
OD载入cexe.exe停在系统断点
忽略所有异常, 清除所有断点(包括OEP的只一次的那个, alt-b, 所有的统统的删掉)
打上hideod插件 , option可以这样选
然后shift + F9运行
实际上是跑不起来的, 左下角显示被调试的程序无法处理异常
但是不要紧, 看看401000的段, 已经解码了
这时可以用OD dump, 得到1.exe
dump 后cexe.exe不要关, 到401000段, ctrl-b搜索ff 25
找到这些
00402350 - FF25 74104000 jmp dword ptr ds:[401074] ; MSVBVM60.__vbaChkstk
00402356 - FF25 BC104000 jmp dword ptr ds:[4010BC] ; MSVBVM60.__vbaExceptHandler
0040235C - FF25 D0104000 jmp dword ptr ds:[4010D0] ; MSVBVM60.__vbaFPException
00402362 - FF25 60104000 jmp dword ptr ds:[401060] ; MSVBVM60._adj_fdiv_m16i
00402368 - FF25 40104000 jmp dword ptr ds:[401040] ; MSVBVM60._adj_fdiv_m32
0040236E - FF25 04114000 jmp dword ptr ds:[401104] ; MSVBVM60._adj_fdiv_m32i
00402374 - FF25 24104000 jmp dword ptr ds:[401024] ; MSVBVM60._adj_fdiv_m64
0040237A - FF25 1C114000 jmp dword ptr ds:[40111C] ; MSVBVM60._adj_fdiv_r
00402380 - FF25 68104000 jmp dword ptr ds:[401068] ; MSVBVM60._adj_fdivr_m16i
00402386 - FF25 18114000 jmp dword ptr ds:[401118] ; MSVBVM60._adj_fdivr_m32
0040238C - FF25 0C114000 jmp dword ptr ds:[40110C] ; MSVBVM60._adj_fdivr_m32i
00402392 - FF25 C8104000 jmp dword ptr ds:[4010C8] ; MSVBVM60._adj_fdivr_m64
00402398 - FF25 A4104000 jmp dword ptr ds:[4010A4] ; MSVBVM60._adj_fpatan
0040239E - FF25 C4104000 jmp dword ptr ds:[4010C4] ; MSVBVM60._adj_fprem
004023A4 - FF25 30104000 jmp dword ptr ds:[401030] ; MSVBVM60._adj_fprem1
004023AA - FF25 08104000 jmp dword ptr ds:[401008] ; MSVBVM60._adj_fptan
004023B0 - FF25 3C114000 jmp dword ptr ds:[40113C] ; MSVBVM60._CIatan
004023B6 - FF25 04104000 jmp dword ptr ds:[401004] ; MSVBVM60._CIcos
004023BC - FF25 54114000 jmp dword ptr ds:[401154] ; MSVBVM60._CIexp
004023C2 - FF25 E8104000 jmp dword ptr ds:[4010E8] ; MSVBVM60._CIlog
004023C8 - FF25 6C104000 jmp dword ptr ds:[40106C] ; MSVBVM60._CIsin
004023CE - FF25 B0104000 jmp dword ptr ds:[4010B0] ; MSVBVM60._CIsqrt
004023D4 - FF25 4C114000 jmp dword ptr ds:[40114C] ; MSVBVM60._CItan
004023DA - FF25 48114000 jmp dword ptr ds:[401148] ; MSVBVM60._allmul
004023E0 - FF25 9C104000 jmp dword ptr ds:[40109C] ; MSVBVM60.DllFunctionCall
004023E6 - FF25 20104000 jmp dword ptr ds:[401020] ; MSVBVM60.__vbaEnd
004023EC - FF25 64104000 jmp dword ptr ds:[401064] ; MSVBVM60.__vbaObjSetAddref
004023F2 - FF25 5C104000 jmp dword ptr ds:[40105C] ; MSVBVM60.rtcMsgBox
004023F8 - FF25 10114000 jmp dword ptr ds:[401110] ; MSVBVM60.__vbaStrCopy
004023FE - FF25 1C104000 jmp dword ptr ds:[40101C] ; MSVBVM60.__vbaFreeVarList
00402404 - FF25 14114000 jmp dword ptr ds:[401114] ; MSVBVM60.__vbaFreeStrList
0040240A - FF25 18104000 jmp dword ptr ds:[401018] ; MSVBVM60.__vbaStrVarMove
00402410 - FF25 00114000 jmp dword ptr ds:[401100] ; MSVBVM60.__vbaNew2
00402416 - FF25 40114000 jmp dword ptr ds:[401140] ; MSVBVM60.__vbaStrMove
0040241C - FF25 34114000 jmp dword ptr ds:[401134] ; MSVBVM60.__vbaVarDup
00402422 - FF25 D4104000 jmp dword ptr ds:[4010D4] ; MSVBVM60.rtcStrConvVar2
00402428 - FF25 14104000 jmp dword ptr ds:[401014] ; MSVBVM60.__vbaLenBstr
0040242E - FF25 5C114000 jmp dword ptr ds:[40115C] ; MSVBVM60.__vbaFreeObj
00402434 - FF25 58114000 jmp dword ptr ds:[401158] ; MSVBVM60.__vbaFreeStr
0040243A - FF25 3C104000 jmp dword ptr ds:[40103C] ; MSVBVM60.__vbaHresultCheckObj
00402440 - FF25 58104000 jmp dword ptr ds:[401058] ; MSVBVM60.__vbaObjSet
00402446 - FF25 90104000 jmp dword ptr ds:[401090] ; MSVBVM60.__vbaStrCmp
0040244C - FF25 80104000 jmp dword ptr ds:[401080] ; MSVBVM60.__vbaFileClose
00402452 - FF25 DC104000 jmp dword ptr ds:[4010DC] ; MSVBVM60.__vbaGetOwner3
00402458 - FF25 24114000 jmp dword ptr ds:[401124] ; MSVBVM60.rtcFileLen
0040245E - FF25 98104000 jmp dword ptr ds:[401098] ; MSVBVM60.__vbaPutOwner3
00402464 - FF25 8C104000 jmp dword ptr ds:[40108C] ; MSVBVM60.rtcKillFiles
0040246A - FF25 FC104000 jmp dword ptr ds:[4010FC] ; MSVBVM60.rtcFileLength
00402470 - FF25 F0104000 jmp dword ptr ds:[4010F0] ; MSVBVM60.__vbaFileOpen
00402476 - FF25 F8104000 jmp dword ptr ds:[4010F8] ; MSVBVM60.rtcFreeFile
0040247C - FF25 94104000 jmp dword ptr ds:[401094] ; MSVBVM60.__vbaAryConstruct2
00402482 - FF25 B8104000 jmp dword ptr ds:[4010B8] ; MSVBVM60.__vbaUI1I4
00402488 - FF25 7C104000 jmp dword ptr ds:[40107C] ; MSVBVM60.__vbaGosubFree
0040248E - FF25 4C104000 jmp dword ptr ds:[40104C] ; MSVBVM60.__vbaExitProc
00402494 - FF25 20114000 jmp dword ptr ds:[401120] ; MSVBVM60.rtcErrObj
0040249A - FF25 CC104000 jmp dword ptr ds:[4010CC] ; MSVBVM60.__vbaGosub
004024A0 - FF25 54104000 jmp dword ptr ds:[401054] ; MSVBVM60.__vbaOnError
004024A6 - FF25 60114000 jmp dword ptr ds:[401160] ; MSVBVM60.rtcR8ValFromBstr
004024AC - FF25 E4104000 jmp dword ptr ds:[4010E4] ; MSVBVM60.rtcBstrFromAnsi
004024B2 - FF25 00104000 jmp dword ptr ds:[401000] ; MSVBVM60.__vbaR8ForNextCheck
004024B8 - FF25 34104000 jmp dword ptr ds:[401034] ; MSVBVM60.__vbaStrCat
004024BE - FF25 70104000 jmp dword ptr ds:[401070] ; MSVBVM60.rtcMidCharBstr
004024C4 - FF25 2C104000 jmp dword ptr ds:[40102C] ; MSVBVM60.rtcAnsiValueBstr
004024CA - FF25 08114000 jmp dword ptr ds:[401108] ; MSVBVM60.rtcHexBstrFromVar
004024D0 - FF25 44104000 jmp dword ptr ds:[401044] ; MSVBVM60.__vbaAryDestruct
004024D6 - FF25 F4104000 jmp dword ptr ds:[4010F4] ; MSVBVM60.__vbaVar2Vec
004024DC - FF25 10104000 jmp dword ptr ds:[401010] ; MSVBVM60.__vbaAryMove
004024E2 - FF25 28104000 jmp dword ptr ds:[401028] ; MSVBVM60.__vbaRaiseEvent
004024E8 - FF25 44114000 jmp dword ptr ds:[401144] ; MSVBVM60.__vbaR8IntI4
004024EE - FF25 38114000 jmp dword ptr ds:[401138] ; MSVBVM60.__vbaFpI4
004024F4 - FF25 48104000 jmp dword ptr ds:[401048] ; MSVBVM60.rtcRandomNext
004024FA - FF25 50104000 jmp dword ptr ds:[401050] ; MSVBVM60.rtcRandomize
00402500 - FF25 D8104000 jmp dword ptr ds:[4010D8] ; MSVBVM60.__vbaUbound
00402506 - FF25 A8104000 jmp dword ptr ds:[4010A8] ; MSVBVM60.__vbaRedim
0040250C - FF25 0C104000 jmp dword ptr ds:[40100C] ; MSVBVM60.__vbaFreeVar
00402512 - FF25 78104000 jmp dword ptr ds:[401078] ; MSVBVM60.rtcSpaceVar
00402518 - FF25 EC104000 jmp dword ptr ds:[4010EC] ; MSVBVM60.__vbaErrorOverflow
0040251E - FF25 C0104000 jmp dword ptr ds:[4010C0] ; MSVBVM60.__vbaStrToUnicode
00402524 - FF25 38104000 jmp dword ptr ds:[401038] ; MSVBVM60.__vbaSetSystemError
0040252A - FF25 30114000 jmp dword ptr ds:[401130] ; MSVBVM60.__vbaStrToAnsi
00402530 - FF25 50114000 jmp dword ptr ds:[401150] ; MSVBVM60.__vbaAryUnlock
00402536 - FF25 88104000 jmp dword ptr ds:[401088] ; MSVBVM60.__vbaGenerateBoundsError
0040253C - FF25 2C114000 jmp dword ptr ds:[40112C] ; MSVBVM60.__vbaAryLock
00402542 - FF25 E0104000 jmp dword ptr ds:[4010E0] ; MSVBVM60.VarPtr
00402548 - FF25 A0104000 jmp dword ptr ds:[4010A0] ; MSVBVM60.__vbaRedimPreserve
0040254E - FF25 B4104000 jmp dword ptr ds:[4010B4] ; MSVBVM60.EVENT_SINK_QueryInterface
00402554 - FF25 84104000 jmp dword ptr ds:[401084] ; MSVBVM60.EVENT_SINK_AddRef
0040255A - FF25 AC104000 jmp dword ptr ds:[4010AC] ; MSVBVM60.EVENT_SINK_Release
00402560 - FF25 28114000 jmp dword ptr ds:[401128] ; MSVBVM60.ThunRTMain
到了这里, 知道输入表在哪里了
打开ImportREC, oep可以先不输, RVA填1000, size也先1000, 点获得输入表,只有第一个是真的,后面的全cut掉
用importREC修复刚刚的1.exe, 得到1_.exe, 可以把这次调试关掉了
用LordPE打开1_.exe , oep填入22FF0, 22FF0是401000段末尾的空白处, 将TLS表的53110和18 全都清0, 保存退出
用OD载入后停在我们改的oep 422FF0,现在是空的
00422FF0 1_.<Mo> 0000 add byte ptr ds:[eax],al
00422FF2 0000 add byte ptr ds:[eax],al
00422FF4 0000 add byte ptr ds:[eax],al
00422FF6 0000 add byte ptr ds:[eax],al
00422FF8 0000 add byte ptr ds:[eax],al
00422FFA 0000 add byte ptr ds:[eax],al
00422FFC 0000 add byte ptr ds:[eax],al
00422FFE 0000 add byte ptr ds:[eax],al
在第一个区段搜索 vb5 这个字符串, 结果是在402854
所以我们这样改oep
00422FF0 1_.<Mo> 68 54284000 push 1_.00402854 ; ASCII "VB5!6&vb6chs.dll"
00422FF5 E8 66F5FDFF call <jmp.&msvbvm60.ThunRTMain> //这个是上面jmp [输入表]的最后一个, VB的入口
00422FFA 0000 add byte ptr ds:[eax],al
00422FFC 0000 add byte ptr ds:[eax],al
00422FFE 0000 add byte ptr ds:[eax],al
然后保存退出, 脱壳完成
附件:1_.rar
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!