OD 载入后,程序停在下面的位置:
005839FF > $ E8 94950000 call 0058CF98
00583A04 .^ E9 89FEFFFF jmp 00583892
00583A09 $ 3B0D 605E6200 cmp ecx, dword ptr [0x625E60]
00583A0F . 75 02 jnz short 00583A13
00583A11 . F3: prefix rep:
00583A12 . C3 retn
00583A13 > E9 1B960000 jmp 0058D033
00583A18 $ 8BFF mov edi, edi
程序带有自校验:随便修改文件中的任何一个字节,程序都会直接报错。
我们把上面的
00583A18 $ 8BFF mov edi, edi 为 nop
mov edi,edi 本身不做任何事,改成 nop 并不影响程序逻辑,但程序仍然会报错,可见校验针对的是代码字节本身而不是程序行为。
我们一直按 F8 单步,直到出错的地方:
005839A1 . 56 push esi
005839A2 . 68 00004000 push 00400000
005839A7 . E8 2EC40100 call 0059FDDA ; 程序到这里就出错,我们跟进去继续F8
0059FE39 |> \8B06 mov eax, dword ptr [esi]
0059FE3B |. 8BCE mov ecx, esi
0059FE3D |. FF50 50 call dword ptr [eax+0x50] ; 程序到这里就出错,我们跟进去继续F8
00443192 |. 51 push ecx
00443193 |. 8BCB mov ecx, ebx
00443195 |. E8 B0980500 call 0049CA4A ; 程序到这里就出错,我们跟进去继续F8
0049CAAB |. 68 00E10000 push 0xE100
0049CAB0 |. 8BC8 mov ecx, eax
0049CAB2 |. FF52 0C call dword ptr [edx+0xC] ; 程序到这里就出错,我们跟进去继续F8
0040EFEA |. 8BCE mov ecx, esi
0040EFEC |. FFD2 call edx ; 程序到这里就出错,我们跟进去继续F8
00436999 |. 895D AC mov dword ptr [ebp-0x54], ebx ; |
0043699C |. E8 F8380400 call 0047A299 ; \程序到这里就出错,我们跟进去继续F8
0047A2DA |. FF53 5C call dword ptr [ebx+0x5C] ; 程序到这里就出错,我们跟进去继续F8
注意上面这个 call 要到第四次执行才出错!因此在该 call 第四次断下时再跟进去继续 F8,到下面的地方就出错:
00425D58 |. 83C4 2C add esp, 0x2C
00425D5B |. 8BC6 mov eax, esi
00425D5D |. E8 CE330000 call 00429130 ; 程序到这里就出错,我们跟进去继续F8
004291EB |. 68 80545E00 push 005E5480 ; /Arg1 = 005E5480
004291F0 |. E8 1B040000 call 00429610 ; \程序到这里就出错,我们跟进去继续F8
00429648 |. 8B4F 20 mov ecx, dword ptr [edi+0x20]
0042964B |. 51 push ecx ; /hWnd
0042964C |. FF15 28795B00 call dword ptr [<&USER32.GetParen>; \GetParent
00429652 |. 50 push eax ; /Arg1
00429653 |. E8 2D1A0500 call 0047B085 ; \vbsedit.0047B085
00429658 |. 8B9F 60050000 mov ebx, dword ptr [edi+0x560] ; ebx会有一串字符
0042965E |. 33F6 xor esi, esi ; ea303562c76686f61f5d5efdc83e3b55
00429660 |. 8975 E0 mov dword ptr [ebp-0x20], esi
00429663 |. 8975 D8 mov dword ptr [ebp-0x28], esi
00429666 |. 8975 DC mov dword ptr [ebp-0x24], esi
00429669 |. 8DA424 000000>lea esp, dword ptr [esp]
00429670 |> 0FB69437 5005>/movzx edx, byte ptr [edi+esi+0x55>
00429678 |. 52 |push edx ; /Arg2
00429679 |. 68 70505E00 |push 005E5070 ; |Arg1 = 005E5070
0042967E |. 8D55 E4 |lea edx, dword ptr [ebp-0x1C] ; |
00429681 |. E8 DAACFDFF |call 00404360 ; \vbsedit.00404360
00429686 |. 66:8B04B3 |mov ax, word ptr [ebx+esi*4]
0042968A |. 83C4 08 |add esp, 0x8
0042968D |. 66:3B45 E4 |cmp ax, word ptr [ebp-0x1C]
00429691 75 78 |jnz short 0042970B ; 不修改这里是不会跳的
00429693 |. 66:8B4CB3 02 |mov cx, word ptr [ebx+esi*4+0x2>
00429698 |. 66:3B4D E6 |cmp cx, word ptr [ebp-0x1A]
0042969C 75 6D |jnz short 0042970B ; 不修改这里是不会跳的
0042969E |. 46 |inc esi
0042969F |. 83FE 10 |cmp esi, 0x10
004296A2 |.^ 7C CC \jl short 00429670
004296A4 |. 33C0 xor eax, eax
004296A6 |> 8D4D D0 lea ecx, dword ptr [ebp-0x30]
004296A9 |. 51 push ecx ; /pThreadId
004296AA |. 8D55 E0 lea edx, dword ptr [ebp-0x20] ; |
004296AD |. 895485 D8 mov dword ptr [ebp+eax*4-0x28], >; |
004296B1 |. 8B45 D4 mov eax, dword ptr [ebp-0x2C] ; |
004296B4 |. 33DB xor ebx, ebx ; |
004296B6 |. 53 push ebx ; |CreationFlags => 0
004296B7 |. 8D55 D8 lea edx, dword ptr [ebp-0x28] ; |
004296BA |. 52 push edx ; |pThreadParm
004296BB |. 68 80954200 push 00429580 ; |ThreadFunction = vbsedit.00429580
004296C0 |. 53 push ebx ; |StackSize => 0x0
004296C1 |. 53 push ebx ; |pSecurity => NULL
004296C2 |. 8945 DC mov dword ptr [ebp-0x24], eax ; |
004296C5 |. FF15 40735B00 call dword ptr [<&KERNEL32.Create>; \CreateThread
004296CB |. 8BF0 mov esi, eax
004296CD |. 68 E8030000 push 0x3E8 ; /Timeout = 1000. ms
004296D2 |. 56 push esi ; |原来出错的地方在这里
004296D3 |. FF15 44735B00 call dword ptr [<&KERNEL32.WaitFo>; \WaitForSingleObject
把上面 00429691 和 0042969C 两处 jnz(各 2 字节)用 nop 填掉即可。但这样处理后程序退出时会有问题,下面再看。
与 call 00404360 相关的比较共有五处,对应的字节特征如下(? 为通配):
7522 668B54B702663B55F6 7517
7519 668B44B302663B44242A 75
7578 668B4CB302663B4DE6 75
7575 668B44BE02663B84240A050000 75
0F859D020000668B4CB702663B4DE6 0F858E020000
668B????02663b????
上面的关键比较是
00429681 |. E8 DAACFDFF |call 00404360 ; \vbsedit.00404360
00429686 |. 66:8B04B3 |mov ax, word ptr [ebx+esi*4]
0042968A |. 83C4 08 |add esp, 0x8
0042968D |. 66:3B45 E4 |cmp ax, word ptr [ebp-0x1C] ; 关键比较
所以在上面的 call 00404360 处,对 [ebp-0x1C] 下内存写入断点。程序断在下面:
00597ADF |. 8B0E mov ecx, dword ptr [esi]
00597AE1 |. 8B45 08 mov eax, dword ptr [ebp+0x8]
00597AE4 |. 66:8901 mov word ptr [ecx], ax ; 这里写入关键数值
00597AE7 |. 8306 02 add dword ptr [esi], 0x2
0042968D |. 66:3B45 E4 |cmp ax, word ptr [ebp-0x1C]
这里有两串固定的字符串(各 32 个十六进制字符,长度与 MD5 摘要一致,疑似内置的校验值):
00785BBA ea303562c76686f61f5d5efdc83e3b55
c9df9cdc7c003d08ad64c7f1e7ff34fd
下面我们来看程序退出的问题,还是
015D9CE0 28841ee6f2542a47ce9ae6df76282b569d253b684f0235d8d6566e4a753dc7cd
0040FFEF |. 6A 00 push 0x0 ; |pSecurity = NULL
0040FFF1 |. FF15 40735B00 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread
0040FFF7 |. 6A FF push -0x1 ; /这里改成 push 0
0040FFF9 |. 50 push eax ; |hObject
0040FFFA |. FF15 44735B00 call dword ptr [<&KERNEL32.WaitForSin>; \WaitForSingleObject
00410000 |. 8B4F 20 mov ecx, dword ptr [edi+0x20]
00410003 |. 51 push ecx ; /hWnd
00410004 |. FF15 88795B00 call dword ptr [<&USER32.IsIconic>] ; \IsIconic
替换
6A 00 FF 15 ?? ?? ?? ?? 6A FF 50
为
6A 00 FF 15 ?? ?? ?? ?? 6A 00 50
00410119 |. /74 0B je short 00410126 ; 这里要跳
0041011B |. |6A 01 push 0x1 ; /Arg1 = 00000001
0041011D |. |8BCF mov ecx, edi ; |
0041011F |. |E8 7C0E0000 call 00410FA0 ; \vbsedit.00410FA0
00410124 |. |EB 18 jmp short 0041013E
替换
85C0740B6A018BCF
为
85C0eb0B6A018BCF
下面是跳过对话框:
00469957 /0F85 D8000000 jnz 00469A35 ; 这里要跳,不然运行时候有对话框
0046995D |. |53 push ebx
0046995E |. |E8 E0A61100 call 00584043
......省略一些代码
00469A68 |. 52 push edx
00469A69 |. E8 E258FEFF call 0044F350
00469A6E |. E8 51920100 call 00482CC4
00469A73 |. 8B40 04 mov eax, dword ptr [eax+0x4]
00469A76 |. 8B10 mov edx, dword ptr [eax]
00469A78 |. 6A 01 push 0x1
00469A7A |. 68 307A5E00 push 005E7A30 ; DisplayLogo
00469A7F |. 8BC8 mov ecx, eax
00469A81 |. 8B42 7C mov eax, dword ptr [edx+0x7C]
00469A84 |. 68 60505E00 push 005E5060 ; Options
00469A89 |. FFD0 call eax
00469A8B |. 894424 24 mov dword ptr [esp+0x24], eax
00469A8F |. E8 30920100 call 00482CC4
00469A94 |. 8B40 04 mov eax, dword ptr [eax+0x4]
00469A97 |. 8B10 mov edx, dword ptr [eax]
00469A99 |. 6A 01 push 0x1
00469A9B |. 68 487A5E00 push 005E7A48 ; UseUnicodeForConsole
00469AA0 |. 8BC8 mov ecx, eax
00469AA2 |. 8B42 7C mov eax, dword ptr [edx+0x7C]
00469AA5 |. 68 60505E00 push 005E5060 ; Options
00469AAA |. FFD0 call eax
00469AAC |. 894424 20 mov dword ptr [esp+0x20], eax
替换(jnz rel32 改为 jmp rel32 加一个 nop;jmp 比 jnz 短 1 字节,所以相对偏移要由 D8 调整为 D9)
0F85D800000053E8
为
E9D90000009053E8
上面是做loader的关键点1
00443AA2 E8 FF400300 call 00477BA6 ; 这里要你nop掉就不会显示注册框
00443AA7 |. 83F8 FF cmp eax, -0x1
00443AAA |. 75 08 jnz short 00443AB4
00443AAC |. 6A 00 push 0x0 ; /ExitCode = 0x0
00443AAE |. FF15 F0745B00 call dword ptr [<&KERNEL32.ExitProces>; \ExitProcess
00443AB4 |> 83F8 01 cmp eax, 0x1
00443AB7 |. 0F85 A1020000 jnz 00443D5E
......省掉一些代码
00443B16 |. 8D4C24 20 lea ecx, dword ptr [esp+0x20] ; |
00443B1A |. C68424 14020000 10 mov byte ptr [esp+0x214], 0x10 ; |
00443B22 |. E8 A903FCFF call 00403ED0 ; \vbsedit.00403ED0
00443B27 |. 68 C0395F00 push 005F39C0 ; /http://www.vbsedit.com/key37.asp?license=
00443B2C |. 8D4C24 1C lea ecx, dword ptr [esp+0x1C] ; |
00443B30 |. C68424 14020000 11 mov byte ptr [esp+0x214], 0x11 ; |
00443B38 |. E8 9303FCFF call 00403ED0 ; \vbsedit.00403ED0
00443B3D |. 8D4C24 24 lea ecx, dword ptr [esp+0x24]
00443B41 |. C68424 10020000 12 mov byte ptr [esp+0x210], 0x12
00443B49 |. E8 72350000 call 004470C0
00443B4E |. 8BF0 mov esi, eax
替换(把 5 字节的 call 填为 5 个 nop;注意 nop 后 eax 保留的是此前的值,后面的 cmp eax,-1 / cmp eax,1 仍会据此分支,需确认此时 eax 不会等于 -1,否则会走到 ExitProcess)
E8????????83F8FF75086a00
为
909090909083F8FF75086a00
上面是做loader的关键点2
0045CB97 |. FF15 147A5B00 call dword ptr [<&WINTRUST.WinVerifyT>; wintrust.WinVerifyTrust
0045CB9D |. 3BC7 cmp eax, edi
0045CB9F |. 74 12 je short 0045CBB3 ; 这个要跳,不然代码不会变色
0045CBA1 |. 3D 09010B80 cmp eax, 0x800B0109
0045CBA6 |. 74 0B je short 0045CBB3
0045CBA8 |. 3D 26200980 cmp eax, 0x80092026
0045CBAD |. 0F85 F1040000 jnz 0045D0A4
程序不能创建 .vbs 文件的限制:
0044D56E |. E8 CD6CFBFF call 00404240 ; 这个call必须返回为0
0044D573 |. 8D70 01 lea esi, dword ptr [eax+0x1] ; 这里决定esi的大小
0044D576 |. C1E6 1E shl esi, 0x1E
......省略一些代码
0044D634 |> \6A 00 push 0x0 ; /hTemplateFile = NULL
0044D636 |. 68 80000000 push 0x80 ; |Attributes = NORMAL
0044D63B |. 6A 02 push 0x2 ; |Mode = CREATE_ALWAYS
0044D63D |. 6A 00 push 0x0 ; |pSecurity = NULL
0044D63F |. 6A 00 push 0x0 ; |ShareMode = 0
0044D641 |. 56 push esi ; |Access
0044D642 |. 8D85 CCFCFFFF lea eax, dword ptr [ebp-0x334] ; |上面的esi必须为40000000
0044D648 |. 50 push eax ; |FileName
0044D649 |. FF15 14735B00 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileW
看上面的 call 00404240:它返回 0 时 esi = 1 << 0x1E = 0x40000000(GENERIC_WRITE);返回 1 时 esi = 0x80000000(GENERIC_READ),以 CREATE_ALWAYS 方式打开后无法写入。
00404240 /$ 55 push ebp
......省略一些代码
004042FB |.^ 7C D3 \jl short 004042D0
004042FD |> 397D FC cmp dword ptr [ebp-0x4], edi
00404300 75 09 jnz short 0040430B ; 这里nop掉
00404302 |. 5F pop edi
00404303 |. 5E pop esi
00404304 |. 33C0 xor eax, eax
00404306 |. 5B pop ebx
00404307 |. 8BE5 mov esp, ebp
00404309 |. 5D pop ebp
0040430A |. C3 retn
0040430B |> 5F pop edi
0040430C |. 5E pop esi
0040430D |. B8 01000000 mov eax, 0x1
00404312 |. 5B pop ebx
00404313 |. 8BE5 mov esp, ebp
00404315 |. 5D pop ebp
00404316 \. C3 retn
下面是exe生成的限制:
00477B6D > \3BFB cmp edi, ebx
00477B6F . 74 0F je short 00477B80 ; 0
00477B71 F646 58 10 test byte ptr [esi+0x58], 0x10 ; 这里的值要等于10
00477B75 75 09 jnz short 00477B80 ; 这里一定要跳
00477B77 . 57 push edi ; /hWnd
00477CB4 . F646 58 10 test byte ptr [esi+0x58], 0x10 ; 关键比较
00477CB8 . 74 1E je short 00477CD8 ; 0
00477CBA . 6A 04 push 0x4
00477CBC . 5F pop edi
00477CBD . 8BCE mov ecx, esi
00477CBF . E8 85740000 call 0047F149
00477CC4 . A9 00010000 test eax, 0x100
00477CC9 . 74 03 je short 00477CCE ; 1
00477CCB . 6A 05 push 0x5
00477CCD . 5F pop edi
00477CCE > 57 push edi ; /Arg1
00477CCF . 8BCE mov ecx, esi ; |
00477CD1 . E8 5B2E0000 call 0047AB31 ; \弹出对话框
0044F890 . 33C0 xor eax, eax
0044F892 > 8B8C24 F00200>mov ecx, dword ptr [esp+0x2F0]
0044F899 . 8D1481 lea edx, dword ptr [ecx+eax*4]
0044F89C . 899424 F00200>mov dword ptr [esp+0x2F0], edx
0044F8A3 . 84DB test bl, bl
0044F8A5 . 0F84 B5110000 je 00450A60 ; 下面转换exe
0044F8AB . E8 14340300 call 00482CC4
0044F8B0 . 8B8C24 F00200>mov ecx, dword ptr [esp+0x2F0]
0044F8B7 . 8B40 04 mov eax, dword ptr [eax+0x4]
0044F8BA . 8B10 mov edx, dword ptr [eax]
0044F8BC . 8B92 80000000 mov edx, dword ptr [edx+0x80]
0044F8C2 . 51 push ecx
0044F8C3 . 68 0C525F00 push 005F520C ; UNICODE "Bits"
0044F8C8 . 68 18525F00 push 005F5218 ; UNICODE "ConvertExe"
0044D4B6 /$ 8B45 D0 mov eax, dword ptr [ebp-0x30]
0044D4B9 |. 85C0 test eax, eax
0044D4BB |. 74 07 je short 0044D4C4
0044D4BD |. 50 push eax ; /hObject
0044D4BE |. FF15 20735B00 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
0044D4C4 |> 8B45 E0 mov eax, dword ptr [ebp-0x20]
0044D4C7 |. 85C0 test eax, eax ; eax应该等于vbs里面的内容
0044D4C9 74 09 je short 0044D4D4 ; 下面的call打开vbs会报错
0044D4CB |. 50 push eax
0044D4CC |. E8 B1920200 call 00476782
0044D4D1 |. 83C4 04 add esp, 0x4
0044D4D4 |> 8B45 D8 mov eax, dword ptr [ebp-0x28]
0044D4D7 |. 85C0 test eax, eax
0044D4D9 |. 74 09 je short 0044D4E4
0044D4DB |. 50 push eax
0044D4DC |. E8 A1920200 call 00476782
0044D4E1 |. 83C4 04 add esp, 0x4
0044D4E4 \> C3 retn