[Note]: A practice write-up following the sample article. There is a lot I don't understand, so I'd appreciate guidance from the experts!
[Debugging environment]: WinXP, flyODBG, PEiD, LordPE, ImportREC
1. Getting the relocation table RVA and the OEP
Code:--------------------------------------------------------------------------------
11D820B0 > 807C24 08 01 CMP BYTE PTR SS:[ESP+8],1 // OD stops here on load
11D820B5 0F85 A3010000 JNZ testdll.11D8225E
--------------------------------------------------------------------------------
No need to trace: press Ctrl+S at the current position and search for this instruction sequence:
Code:--------------------------------------------------------------------------------
xchg ah,al
rol eax,10
xchg ah,al
add eax,esi
--------------------------------------------------------------------------------
It is found at 11D82232. Set a breakpoint at 11D8222B, the mov al,byte ptr ds:[edi] just above it, press F9 to run, and it breaks:
Code:--------------------------------------------------------------------------------
11D8222B 8A07 MOV AL,BYTE PTR DS:[EDI]
//EDI=11D28994 - current base 11D20000 = 00008994 ★ this is the RVA of the relocation table
11D8222D 47 INC EDI
11D8222E 09C0 OR EAX,EAX
11D82230 74 2B JE SHORT testdll.11D8225D
//jumps once the relocation data has been processed (Question 2: regardless of whether the jump at 11D82230 is taken, has the relocation data already been fully processed?)
11D82232 3C EF CMP AL,0EF
11D82234 77 11 JA SHORT testdll.11D82247
11D82236 01C3 ADD EBX,EAX
11D82238 8B03 MOV EAX,DWORD PTR DS:[EBX]
11D8223A 86C4 XCHG AH,AL //found here (Question 1: the following 4 lines seem to be a signature of every UPX-packed DLL; I'd really like to know what they do.)
11D8223C C1C0 10 ROL EAX,10
11D8223F 86C4 XCHG AH,AL
11D82241 01F0 ADD EAX,ESI
11D82243 8903 MOV DWORD PTR DS:[EBX],EAX
11D82245 ^ EB E2 JMP SHORT testdll.11D82229
11D82247 24 0F AND AL,0F
11D82249 C1E0 10 SHL EAX,10
11D8224C 66:8B07 MOV AX,WORD PTR DS:[EDI]
11D8224F 83C7 02 ADD EDI,2
11D82252 09C0 OR EAX,EAX
11D82254 ^ 75 E0 JNZ SHORT testdll.11D82236
--------------------------------------------------------------------------------
Set a breakpoint at 11D8225D, press F9 to run, and it breaks; the relocation data has now been processed.
When we break at 11D8225D, EDI=11D81A13, which is the end address of the relocation table.
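As an added example (not from the post, fly's article, or UPX itself), here is the loop at 11D8222B..11D82254 replayed in Python over a constructed image and relocation stream, so each branch of the listing can be exercised. The XCHG AH,AL / ROL EAX,10 / XCHG AH,AL triple reverses the byte order of EAX (a BSWAP built from 386 instructions); the sample assumes ESI holds the load delta and that the F0 00 00 escape, whose handler lies in the 7 unshown bytes before POPAD, introduces a full 32-bit delta.

```python
import struct

# Constructed sample. DELTA stands in for the value in ESI when the loop runs
# (assumed to be the load delta; the page's DLL was loaded at 11D20000).
DELTA = 0x11D20000

def bswap32(v):
    # XCHG AH,AL / ROL EAX,10 / XCHG AH,AL reverses all four bytes of EAX,
    # i.e. a BSWAP written with 386-only instructions.
    return int.from_bytes((v & 0xFFFFFFFF).to_bytes(4, "little"), "big")

def read_le32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def apply_upx_relocs(image, stream, delta):
    """Replay the loop at 11D8222B..11D82254 over a bytearray: image[0]
    plays the initial EBX, stream[0] the initial EDI.  Returns (patched
    offsets, stream offset at which the loop ended, i.e. the final EDI)."""
    edi, ebx, patched = 0, 0, []
    while True:
        al, edi = stream[edi], edi + 1      # MOV AL,BYTE PTR [EDI] / INC EDI
        if al == 0:                         # OR EAX,EAX / JE 11D8225D
            return patched, edi
        if al > 0xEF:                       # CMP AL,0EF / JA 11D82247
            eax = (al & 0x0F) << 16         # AND AL,0F / SHL EAX,10
            eax |= struct.unpack_from("<H", stream, edi)[0]  # MOV AX,[EDI]
            edi += 2                        # ADD EDI,2
            if eax == 0:                    # OR EAX,EAX / JNZ 11D82236
                # Assumed, not in the listing: F0 00 00 escapes to a full
                # 32-bit delta (the 7 bytes before POPAD at 11D8225D).
                eax, edi = read_le32(stream, edi), edi + 4
        else:
            eax = al
        ebx += eax                          # ADD EBX,EAX
        fixed = (bswap32(read_le32(image, ebx)) + delta) & 0xFFFFFFFF
        struct.pack_into("<I", image, ebx, fixed)   # MOV [EBX],EAX
        patched.append(ebx)

def demo():
    """Constructed image holding big-endian RVAs at 0x10, 0x20, 0x120, 0x128."""
    image = bytearray(0x200)
    for off, rva in ((0x10, 0x1000), (0x20, 0x2040), (0x120, 0x3000), (0x128, 0x10)):
        struct.pack_into(">I", image, off, rva)
    stream = bytes([0x10, 0x10,                     # two one-byte deltas
                    0xF0, 0x00, 0x01,               # 20-bit delta 0x00100
                    0xF0, 0x00, 0x00, 8, 0, 0, 0,   # escape + 32-bit delta 8
                    0x00])                          # terminator
    patched, end = apply_upx_relocs(image, stream, DELTA)
    return image, patched, end, len(stream)
```

The returned end offset is the analogue of the EDI value observed at 11D8225D: the byte after the zero terminator is where the relocation stream ends.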
Code:--------------------------------------------------------------------------------
11D8225D 61 POPAD
//at this point EDI=11D81A13 ★
11D8225E - E9 A92E29FF JMP testdll.1101510C
//flying to the summit of light!
11D82263 0000 ADD BYTE PTR DS:[EAX],AL
11D82265 0000 ADD BYTE PTR DS:[EAX],AL
11D82267 0000 ADD BYTE PTR DS:[EAX],AL
11D82269 0000 ADD BYTE PTR DS:[EAX],AL
11D8226B 0000 ADD BYTE PTR DS:[EAX],AL
11D8226D 0000 ADD BYTE PTR DS:[EAX],AL
11D8226F 0000 ADD BYTE PTR DS:[EAX],AL
--------------------------------------------------------------------------------
Code:--------------------------------------------------------------------------------
11015104 - FF25 8C120011 JMP DWORD PTR DS:[1100128C] ; MSVBVM60.UserDllMain
1101510A 0000 ADD BYTE PTR DS:[EAX],AL
1101510C 5A POP EDX //jump destination ; LOADDLL.00410A73
1101510D 68 F475C511 PUSH testdll.11C575F4
11015112 68 F875C511 PUSH testdll.11C575F8
11015117 52 PUSH EDX
11015118 ^ E9 E7FFFFFF JMP testdll.11015104 // jumps to 11015104 ; JMP to MSVBVM60.UserDllMain
1101511D 0000 ADD BYTE PTR DS:[EAX],AL
1101511F 0040 00 ADD BYTE PTR DS:[EAX],AL
11015122 0000 ADD BYTE PTR DS:[EAX],AL
11015124 3000 XOR BYTE PTR DS:[EAX],AL
11015126 0000 ADD BYTE PTR DS:[EAX],AL
11015128 3800 CMP BYTE PTR DS:[EAX],AL
1101512A 0000 ADD BYTE PTR DS:[EAX],AL
1101512C 0000 ADD BYTE PTR DS:[EAX],AL
1101512E 0000 ADD BYTE PTR DS:[EAX],AL
11015130 52 PUSH EDX
11015131 A3 A02A385C MOV DWORD PTR DS:[5C382AA0],EAX
11015136 134B 98 ADC ECX,DWORD PTR DS:[EBX-68]
11015139 06 PUSH ES
1101513A 1E PUSH DS
--------------------------------------------------------------------------------
In LordPE, select OllyDbg's loaddll.exe process, pick testdll.dll from the module list below, then do a full dump to obtain dumped.dll.
―――――――――――――――――――――――――――――――――
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2. The import table
In fly's sample article
http://bbs.pediy.com/showthread.php?s=&threadid=1484&perpage=15&highlight=关于UPX脱壳的Ollydbg脱壳翻版&pagenumber=1
you pick any API call in the program, e.g.:
Code:--------------------------------------------------------------------------------
003B10FD FF15 20403B00 call dword ptr ds:[3B4020]; kernel32.GetVersion
--------------------------------------------------------------------------------
Follow 3B4020 in the dump window; looking up and down you see many function addresses, and the start and end of the IAT are easy to spot:
Code:--------------------------------------------------------------------------------
003B3FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003B4000 1D 51 C4 77 1C 3A C4 77 3E E7 C4 77 CC D2 C4 77 .Q.w.:.w>..w...w
003B40B0 CE 7C E5 77 05 74 E5 77 F9 81 E5 77 EB 41 E4 77 .|.w.t.w...w.A.w
003B40C0 66 C8 E5 77 3E 18 F6 77 00 00 00 00 00 00 00 00 f..w>..w........
--------------------------------------------------------------------------------
Start address=003B4000
End address=003B40C8
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In fact, I couldn't find any API call at all. As shown above, by the time I executed 11015118 it had already jumped to 11015104, and then another jump through DS:[1100128C] went into
MSVBVM60.UserDllMain; EIP was then 733ABBA7. Once I got here I was lucky: I found an API.
------------------------------------------------------------
733ABBA7 > 55 PUSH EBP
733ABBA8 8BEC MOV EBP,ESP
733ABBAA 53 PUSH EBX
733ABBAB 56 PUSH ESI
733ABBAC 57 PUSH EDI
733ABBAD 6A 01 PUSH 1
733ABBAF 5F POP EDI
733ABBB0 893D C0064A73 MOV DWORD PTR DS:[734A06C0],EDI
733ABBB6 FF15 C8103973 CALL DWORD PTR DS:[<&KERNEL32.GetCurrentThreadId>] ; kernel32.GetCurrentThreadId
//API DS:[733910C8]=7C809737 (kernel32.GetCurrentThreadId)
733ABBBC A3 D4074A73 MOV DWORD PTR DS:[734A07D4],EAX
733ABBC1 8B45 14 MOV EAX,DWORD PTR SS:[EBP+14]
733ABBC4 33DB XOR EBX,EBX
733ABBC6 2BC3 SUB EAX,EBX
733ABBC8 74 1E JE SHORT MSVBVM60.733ABBE8
733ABBCA 48 DEC EAX
733ABBCB 0F85 E3320200 JNZ MSVBVM60.733CEEB4
733ABBD1 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
733ABBD4 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
733ABBD7 8901 MOV DWORD PTR DS:[ECX],EAX
733ABBD9 891D C0064A73 MOV DWORD PTR DS:[734A06C0],EBX
733ABBDF 8BC7 MOV EAX,EDI
I started looking for the import table around 733910C8. fly, I'm on the right track up to here, right?
Question 3: Not until 73393DF0 does a run of 00 00 00 00 00 00 00 00 null bytes appear; is this the end marker?
So for the import table:
Start=73391000
End=73393DF0
Size=2DF0
Run ImportREC. Note: uncheck the "Use PE header from disk" option!
Select OllyDbg's loaddll.exe process, click "Pick DLL", choose testdll.dll, enter RVA=73391000 and Size=00002DF0, then click "Get Import" to obtain the import table.
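The post locates the IAT by eye: a contiguous run of dwords that point into loaded modules. As an added example (not from the post or fly's article), this scanner applies that rule to a memory dump and reports the bounds it finds. The module map and the dump are constructed; only 7C809737 (kernel32.GetCurrentThreadId, from the listing above) is taken from the page. A single zero dword between two pointer runs is kept inside the table, since each DLL's block of thunks in an IAT ends with a null thunk, while two consecutive zeros (or any non-pointer) end the run.

```python
import struct

# Constructed module map (base, size, name). kernel32 at 7C800000 matches the
# 7C8xxxxx thunks in the listing above; the second range is made up.
MODULES = [
    (0x7C800000, 0x000F6000, "kernel32"),
    (0x77D00000, 0x00090000, "module_B"),
]

def resolves(value, modules=MODULES):
    """True when a dword points inside one of the loaded modules."""
    return any(base <= value < base + size for base, size, _ in modules)

def find_iat(mem, mem_va, modules=MODULES):
    """Return (start_va, end_va, size) of the longest run of dwords in mem
    that resolve into loaded modules.  A single zero dword is kept inside the
    run when a pointer follows it (the null thunk ending one DLL's block);
    two or more zeros, or any non-pointer, end the run."""
    count = len(mem) // 4
    dwords = struct.unpack("<%dI" % count, mem[:count * 4])
    best, i = (0, 0), 0
    while i < count:
        if not resolves(dwords[i], modules):
            i += 1
            continue
        j = i
        while j < count:
            if resolves(dwords[j], modules):
                j += 1
            elif dwords[j] == 0 and j + 1 < count and resolves(dwords[j + 1], modules):
                j += 1                                  # per-DLL separator
            else:
                break
        if j - i > best[1] - best[0]:
            best = (i, j)
        i = j
    start, end = mem_va + best[0] * 4, mem_va + best[1] * 4
    return start, end, end - start

def demo():
    """Constructed dump at 73391000: junk, four kernel32 thunks, one null
    thunk, three module_B thunks, two zeros, junk."""
    vals = [0x00400000, 0x12345678,
            0x7C809737, 0x7C80CD58, 0x7C826219, 0x7C85B001,   # kernel32
            0x00000000,
            0x77D6A944, 0x77D5A40B, 0x77D61321,               # module_B
            0x00000000, 0x00000000,
            0x8B5D0C8B]
    return find_iat(struct.pack("<%dI" % len(vals), *vals), 0x73391000)
```

On a real target the module map comes from the debugger's module list, and the start found this way is a VA; subtracting the owning module's image base gives the RVA that ImportREC asks for.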
=============================
Image Base:00400000 Size:00060000
->> Module selected: e:\crack\反汇编\ollydbg1.101\testdll.dll
Image Base:11000000 Size:00D98000
Can't read memory of the process!
==============================
What should I enter here? help