[Solved] Asking for guidance on unpacking a mutated UPX shell on Linux (bounty: 500.00 雪花)
Posted 2019-10-22 19:23, 3381 views

The program is detected as a 32-bit ELF.

I referred to:
https://bbs.pediy.com/thread-206458.htm
http://bbs.pediy.com/showthread.php?t=38035
http://bbs.pediy.com/showthread.php?t=79061
Remote debugging with IDA 7.0, single-stepping; I have been at this for two days and consulted the threads above as well. Never mind the OEP, I can't even get past the big jump before the program runs away.
Hoping the experts here can point me in the right direction.



Last edited 2019-10-23 01:10 by kanxue, reason: (none given)
Latest replies (10)
#2 (s3139701)
The program is here (attachment).
Last edited 2019-10-25 02:27 by s3139701, reason: withdrawn
2019-10-22 20:09
#3 (采臣·宁)

This program is not friendly to beginners at cracking!

After tracing to the entry, I found that the EntryPoint has been corrupted.

[0x08048000]> pf.elf_header
     ident : 
                struct<elf_ident>
           magic : 0x08048000 = "\x7fELF"
           class : 0x08048004 = class (enum elf_class) = 0x1 ; ELFCLASS32
            data : 0x08048005 = data (enum elf_data) = 0x1 ; ELFDATA2LSB
         version : 0x08048006 = version (enum elf_hdr_version) = 0x1 ; EV_CURRENT
      type : 0x08048010 = type (enum elf_type) = 0x2 ; ET_EXEC
   machine : 0x08048012 = machine (enum elf_machine) = 0x3 ; EM_386
   version : 0x08048014 = version (enum elf_obj_version) = 0x1 ; EV_CURRENT
     entry : 0x08048018 = 0x4c725ee6 # the real entry is 0x8048418
     phoff : 0x0804801c = 0x00000034
     shoff : 0x08048020 = 0x006983fc
     flags : 0x08048024 = 0x00000000
    ehsize : 0x08048028 = 0x0034
 phentsize : 0x0804802a = 0x0020
     phnum : 0x0804802c = 0x0005
 shentsize : 0x0804802e = 0x0028
     shnum : 0x08048030 = 0x001a
  shstrndx : 0x08048032 = 0x0019

Now look at the phdrs:

[0x08048000]> pf 5? (elf_phdr)elf.phdr @ $$+0x34!0x100
0x08048034 [0] {
   elf.phdr : 
                struct<elf_phdr>
          type : 0x08048034 = type (enum elf_p_type) = 0x1 ; PT_LOAD
        offset : 0x08048038 = 0x00000000
         vaddr : 0x0804803c = 0x08048000
         paddr : 0x08048040 = 0x08048000
        filesz : 0x08048044 = 0x00683b88
         memsz : 0x08048048 = 0x00683b88
         flags : 0x0804804c = flags (enum elf_p_flags) = 0x5 ; PF_Read_Exec
         align : 0x08048050 = 0x00001000
}
0x08048054 [1] {
   elf.phdr : 
                struct<elf_phdr>
          type : 0x08048054 = type (enum elf_p_type) = 0x1 ; PT_LOAD
        offset : 0x08048058 = 0x00683b88
         vaddr : 0x0804805c = 0x086ccb88
         paddr : 0x08048060 = 0x086ccb88
        filesz : 0x08048064 = 0x0001042c
         memsz : 0x08048068 = 0x001633d0
         flags : 0x0804806c = flags (enum elf_p_flags) = 0x6 ; PF_Read_Write
         align : 0x08048070 = 0x00001000
}
0x08048074 [2] {
   elf.phdr : 
                struct<elf_phdr>
          type : 0x08048074 = type (enum elf_p_type) = 0x4 ; PT_NOTE
        offset : 0x08048078 = 0x000000d4
         vaddr : 0x0804807c = 0x080480d4
         paddr : 0x08048080 = 0x080480d4
        filesz : 0x08048084 = 0x00000020
         memsz : 0x08048088 = 0x00000020
         flags : 0x0804808c = flags (enum elf_p_flags) = 0x4 ; PF_Read
         align : 0x08048090 = 0x00000004
}
0x08048094 [3] {
   elf.phdr : 
                struct<elf_phdr>
          type : 0x08048094 = type (enum elf_p_type) = 0x7
        offset : 0x08048098 = 0x00683b88
         vaddr : 0x0804809c = 0x086ccb88
         paddr : 0x080480a0 = 0x086ccb88
        filesz : 0x080480a4 = 0x00000014
         memsz : 0x080480a8 = 0x00000034
         flags : 0x080480ac = flags (enum elf_p_flags) = 0x4 ; PF_Read
         align : 0x080480b0 = 0x00000004
}
0x080480b4 [4] {
   elf.phdr : 
                struct<elf_phdr>
          type : 0x080480b4 = type (enum elf_p_type) = 0x6474e551
        offset : 0x080480b8 = 0x00000000
         vaddr : 0x080480bc = 0x00000000
         paddr : 0x080480c0 = 0x00000000
        filesz : 0x080480c4 = 0x00000000
         memsz : 0x080480c8 = 0x00000000
         flags : 0x080480cc = flags (enum elf_p_flags) = 0x6 ; PF_Read_Write
         align : 0x080480d0 = 0x00000010
}

The segment addresses are not aligned and are wrong.

Last edited 2019-10-23 16:20 by 采臣·宁, reason: (none given)
2019-10-23 15:10
#4 (s3139701)
采臣·宁 wrote: [image: upload/attach/201910/7619_DXQ5VW62QAVWERR.png] This program is not friendly to beginners at cracking
Can it still be saved? With the dump method I used for someone else before, what I extracted is already very close to the original program.
2019-10-23 15:29
#5 (crackwiki)

Attaching the unpacked file, give it a test.

Uploaded attachment:
2019-10-24 23:11
#6 (s3139701)
crackwiki wrote: Attaching the unpacked file, give it a test.
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x4c725ee6
  Start of program headers:          52 (bytes into file)
  Start of section headers:          6915068 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         5
  Size of section headers:           40 (bytes)
  Number of section headers:         26
  Section header string table index: 25

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0] PhD▒m^H▒^W!A      <unknown>: 341  00000343 000344 000345 349 AIOG 838 839 840
readelf: Warning: section 0: sh_link value of 838 is larger than the number of sections
  [ 1]                   <unknown>: 34b  0000034d 00034e 00034f 353 XxIOG 848 849 850
readelf: Warning: section 1: sh_link value of 848 is larger than the number of sections
  [ 2] P▒ A             <unknown>: 355  00000357 000358 000359 35d AXMIOG 858 859 860
readelf: Warning: section 2: sh_link value of 858 is larger than the number of sections
  [ 3] ▒^L▒E▒P▒y▒<       <unknown>: 35f  00000361 000362 000363 367 SIOG 868 869 870
readelf: Warning: section 3: sh_link value of 868 is larger than the number of sections
  [ 4]                   <unknown>: 369  0000036b 00036c 00036d 371 AxSIOG 878 879 880
readelf: Warning: section 4: sh_link value of 878 is larger than the number of sections
  [ 5] ▒^L▒E▒P▒E▒<       <unknown>: 373  00000375 000376 000377 37b XMSIOG 888 889 890
readelf: Warning: section 5: sh_link value of 888 is larger than the number of sections
  [ 6]                   <unknown>: 37d  0000037f 000380 000381 385 AXxMSIOG 898 899 900
readelf: Warning: section 6: sh_link value of 898 is larger than the number of sections
  [ 7] ▒^D▒U▒RP▒E▒P▒▒QA  <unknown>: 387  00000389 00038a 00038b 38f xLOG 908 909 910
readelf: Warning: section 7: sh_link value of 908 is larger than the number of sections
  [ 8] P▒▒QA             <unknown>: 391  00000393 000394 000395 399 AMLOG 918 919 920
readelf: Warning: section 8: sh_link value of 918 is larger than the number of sections
  [ 9] ▒^H▒E▒PhL▒m^H▒ A <unknown>: 39b  0000039d 00039e 00039f 3a3 XxMLOG 928 929 930
readelf: Warning: section 9: sh_link value of 928 is larger than the number of sections
  [10] ^H▒ A            <unknown>: 3a5  000003a7 0003a8 0003a9 3ad AXSLOG 938 939 940
readelf: Warning: section 10: sh_link value of 938 is larger than the number of sections
  [11] ▒^L▒E▒P▒9 A       <unknown>: 3af  000003b1 0003b2 0003b3 3b7 MSLOG 948 949 950
readelf: Warning: section 11: sh_link value of 948 is larger than the number of sections
  [12]                   <unknown>: 3b9  000003bb 0003bc 0003bd 3c1 AxMSLOG 958 959 960
readelf: Warning: section 12: sh_link value of 958 is larger than the number of sections
  [13] P▒^Z▒<            <unknown>: 3c3  000003c5 0003c6 0003c7 3cb XILOG 968 969 970
readelf: Warning: section 13: sh_link value of 968 is larger than the number of sections
  [14] w▒▒^L▒E▒P▒▒▒<     <unknown>: 3cd  000003cf 0003d0 0003d1 3d5 AXxILOG 978 979 980
readelf: Warning: section 14: sh_link value of 978 is larger than the number of sections
  [15] ▒<                <unknown>: 3d7  000003d9 0003da 0003db 3df xMILOG 988 989 990
readelf: Warning: section 15: sh_link value of 988 is larger than the number of sections
  [16] ^H▒▒^D▒U▒RP▒E▒P▒p <unknown>: 3e1  000003e3 0003e4 0003e5 3e9 ASILOG 998 999 1000
readelf: Warning: section 16: sh_link value of 998 is larger than the number of sections
  [17] E▒P▒pQA           <unknown>: 3eb  000003ed 0003ee 0003ef 3f3 XxSILOG 1008 1009 1010
readelf: Warning: section 17: sh_link value of 1008 is larger than the number of sections
  [18] ^P▒▒^H▒E▒PhH▒m^H▒ <unknown>: 3f5  000003f7 0003f8 0003f9 3fd AXMSILOG 1018 1019 1020
readelf: Warning: section 18: sh_link value of 1018 is larger than the number of sections
  [19] ▒m^H▒\ A          <unknown>: 3ff  00000401 000402 000403 407   T 1028 1029 1030
readelf: Warning: section 19: sh_link value of 1028 is larger than the number of sections
  [20] ^P▒▒^L▒E▒P▒▒^_A   <unknown>: 409  0000040b 00040c 00040d 411 AxT 1038 1039 1040
readelf: Warning: section 20: sh_link value of 1038 is larger than the number of sections
  [21] ^_A               <unknown>: 413  00000415 000416 000417 41b XMT 1048 1049 1050
readelf: Warning: section 21: sh_link value of 1048 is larger than the number of sections
  [22] E▒P▒▒<           <unknown>: 41d  0000041f 000420 000421 425 AXxMT 1058 1059 1060
readelf: Warning: section 22: sh_link value of 1058 is larger than the number of sections
  [23] ^P▒^[▒▒^Lh^XZN^H▒ <unknown>: 427  00000429 00042a 00042b 42f xST 1068 1069 1070
readelf: Warning: section 23: sh_link value of 1068 is larger than the number of sections
  [24] ^H▒\^QE           <unknown>: 431  00000433 000434 000435 439 AMST 1078 1079 1080
readelf: Warning: section 24: sh_link value of 1078 is larger than the number of sections
  [25] ▒^Lj              <unknown>: 43b  0000043d 00043e 00043f 443 XxMST 1088 1089 1090
readelf: Warning: section 25: sh_link value of 1088 is larger than the number of sections
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x08048000 0x08048000 0x683b88 0x683b88 R E 0x1000
  LOAD           0x683b88 0x086ccb88 0x086ccb88 0x1042c 0x1633d0 RW  0x1000
  NOTE           0x0000d4 0x080480d4 0x080480d4 0x00020 0x00020 R   0x4
  TLS            0x683b88 0x086ccb88 0x086ccb88 0x00014 0x00034 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x10

Hi, after running the program I dumped it, and this is what I see when I inspect it. I repaired the LOAD, NOTE and TLS fields one by one and cleared the "Start of section headers" value to 0.
Two questions: 1. How was the real entry point calculated? 2. I simply dumped the process while it was running normally; I don't know how you worked out the real entry, but I changed the entry according to the file you gave and compared the two files.

The left image is what I extracted, the right one is yours. Why is more than 80% of my program identical from the start, while in the later part mine has a bit of extra stuff, a small difference? Is my dump method wrong?
2019-10-25 12:25
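The two checks that posts #3 and #6 do by hand (an e_entry of 0x4c725ee6 that lies outside the loadable range, with 0x8048418 named as the real entry, and a section table whose sh_link values run past e_shnum) can be automated. The script below is an added example, not code from the thread: it parses an ELF32 header, flags an e_entry that falls outside every executable PT_LOAD, tests the p_offset/p_vaddr congruence rule the loader applies to each PT_LOAD, validates the section table, and then applies the repairs the OP reports (zeroing the section-header fields) together with writing the real entry. The sample it builds by default is constructed from the values in the listings above and carries no segment contents; a real file is passed as the first argument instead.

```python
"""Check an ELF32 file the way the thread does by hand: is e_entry inside an
executable PT_LOAD, do the PT_LOAD segments satisfy the loader's
offset/vaddr congruence rule, and is the section header table usable?
Then apply the two repairs the thread ends up with: clear the section-header
fields and write the real entry point. Added example, not the thread's tool."""
import struct
import sys

EHDR, PHDR, SHDR = "<16sHHIIIIIHHHHHH", "<IIIIIIII", "<IIIIIIIIII"   # Elf32, little-endian
EH_FIELDS = ("ident", "type", "machine", "version", "entry", "phoff", "shoff", "flags",
             "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")
PH_FIELDS = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")
SH_FIELDS = ("name", "type", "flags", "addr", "offset", "size", "link", "info", "addralign", "entsize")
PT_LOAD, PT_NOTE, PT_TLS, PT_GNU_STACK = 1, 4, 7, 0x6474e551
PT_NAMES = {PT_LOAD: "LOAD", PT_NOTE: "NOTE", PT_TLS: "TLS", PT_GNU_STACK: "GNU_STACK"}
PF_X, SHT_STRTAB = 1, 3

def parse(blob):
    """Return (ehdr, [phdr...], [shdr...]) as dicts; shdrs stay empty if the table is unusable."""
    eh = dict(zip(EH_FIELDS, struct.unpack_from(EHDR, blob, 0)))
    phdrs = [dict(zip(PH_FIELDS, struct.unpack_from(PHDR, blob, eh["phoff"] + i * eh["phentsize"])))
             for i in range(eh["phnum"])]
    shdrs = []
    if eh["shoff"] and eh["shoff"] + eh["shnum"] * eh["shentsize"] <= len(blob):
        shdrs = [dict(zip(SH_FIELDS, struct.unpack_from(SHDR, blob, eh["shoff"] + i * eh["shentsize"])))
                 for i in range(eh["shnum"])]
    return eh, phdrs, shdrs

def check(blob):
    """Return a list of human-readable findings; an empty list means the file passed."""
    eh, phdrs, shdrs = parse(blob)
    findings = []
    if eh["ident"][:4] != b"\x7fELF" or eh["ident"][4] != 1:
        return ["not an ELF32 image"]
    if not any(p["type"] == PT_LOAD and p["flags"] & PF_X
               and p["vaddr"] <= eh["entry"] < p["vaddr"] + p["memsz"] for p in phdrs):
        findings.append("entry 0x%x is not inside any executable PT_LOAD" % eh["entry"])
    for i, p in enumerate(phdrs):
        name = PT_NAMES.get(p["type"], "0x%x" % p["type"])
        # execve maps each PT_LOAD with mmap, so p_offset and p_vaddr must agree modulo p_align
        if p["type"] == PT_LOAD and p["align"] > 1 and (p["vaddr"] - p["offset"]) % p["align"]:
            findings.append("%s[%d]: p_vaddr and p_offset differ modulo p_align" % (name, i))
        if p["filesz"] > p["memsz"]:
            findings.append("%s[%d]: p_filesz exceeds p_memsz" % (name, i))
    if eh["shoff"] and eh["shnum"]:
        if not shdrs:
            findings.append("section header table at 0x%x does not fit in the file" % eh["shoff"])
        else:
            for i, s in enumerate(shdrs):
                if s["link"] >= eh["shnum"]:
                    findings.append("section %d: sh_link %d >= e_shnum %d" % (i, s["link"], eh["shnum"]))
            if eh["shstrndx"] >= eh["shnum"] or shdrs[eh["shstrndx"]]["type"] != SHT_STRTAB:
                findings.append("e_shstrndx %d does not name a SHT_STRTAB section" % eh["shstrndx"])
    return findings

def strip_sections(blob):
    """What the OP did: zero e_shoff/e_shnum/e_shstrndx so tools stop trusting the table."""
    out = bytearray(blob)
    struct.pack_into("<I", out, 32, 0)        # e_shoff
    struct.pack_into("<HH", out, 48, 0, 0)    # e_shnum, e_shstrndx
    return bytes(out)

def set_entry(blob, entry):
    out = bytearray(blob)
    struct.pack_into("<I", out, 24, entry)    # e_entry
    return bytes(out)

def build_sample():
    """Constructed stand-in for the packed file: header and program-header values
    copied from the thread's listings, a section table with the same runaway
    sh_link pattern (838, 848, ...), and no segment contents."""
    phdrs = [
        (PT_LOAD, 0x000000, 0x08048000, 0x08048000, 0x683b88, 0x683b88, 0x5, 0x1000),
        (PT_LOAD, 0x683b88, 0x086ccb88, 0x086ccb88, 0x01042c, 0x1633d0, 0x6, 0x1000),
        (PT_NOTE, 0x0000d4, 0x080480d4, 0x080480d4, 0x000020, 0x000020, 0x4, 0x4),
        (PT_TLS, 0x683b88, 0x086ccb88, 0x086ccb88, 0x000014, 0x000034, 0x4, 0x4),
        (PT_GNU_STACK, 0, 0, 0, 0, 0, 0x6, 0x10),
    ]
    shnum, shoff = 26, 52 + 32 * len(phdrs)
    ident = b"\x7fELF\x01\x01\x01" + b"\0" * 9
    blob = struct.pack(EHDR, ident, 2, 3, 1, 0x4c725ee6, 52, shoff, 0, 52, 32, len(phdrs), 40, shnum, 25)
    blob += b"".join(struct.pack(PHDR, *p) for p in phdrs)
    blob += b"".join(struct.pack(SHDR, 0, 0x341 + 10 * i, 0, 0, 0, 0, 838 + 10 * i, 0, 0, 0)
                     for i in range(shnum))
    return blob

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for finding in check(blob) or ["no findings"]:
        print(finding)
    repaired = set_entry(strip_sections(blob), 0x8048418)
    print("after repair:", check(repaired) or "no findings")
```

On the constructed sample, check() reports the out-of-range entry, one sh_link finding per section and one for e_shstrndx, and reports nothing once the section fields are cleared and the entry is set to 0x8048418. The congruence check is worth keeping in any dump-repair workflow: LOAD[1] in the listing passes it because 0x683b88 and 0x086ccb88 both end in 0xb88, and a segment that breaks it cannot be mapped correctly by the loader.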
#7 (crackwiki)
You need to dump the program at the entry point.
2019-10-25 12:34
#8 (s3139701)
crackwiki wrote: You need to dump the program at the entry point.
  Magic:   7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - Linux
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0xe29700
  Start of program headers:          52 (bytes into file)
  Start of section headers:          0 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         2
  Size of section headers:           40 (bytes)
  Number of section headers:         0
  Section header string table index: 0

There are no sections in this file.

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x00c01000 0x00c01000 0x229310 0x229310 RWE 0x1000
  LOAD           0x000f58 0x0882ff58 0x0882ff58 0x00000 0x00000 RW  0x1000

The entry point shows as 0xe29700.

GNU gdb (GDB) Red Hat Enterprise Linux (7.2-92.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/test...(no debugging symbols found)...done.
(gdb) b 0xe29700
No symbol table is loaded.  Use the "file" command.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (0xe29700) pending.
(gdb) r
Starting program: /root/test
/usr/bin/|12Oexe
Program exited with code 0177.
After b 0xe29700 and then r to run, the program exits straight away; the entry point is never reached at all.
2019-10-25 13:35
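crackwiki's advice in post #7 is to take the dump while the process is stopped at the real entry, and post #8 shows what the OP's dump looks like afterwards (two PT_LOADs, one of them RWE, no sections). The script below is an added example, not the tool anyone in the thread used. It shows the layout a memory dump has to have to be a loadable ELF32: one PT_LOAD per memory region with p_flags derived from the mapping permissions, p_offset congruent to p_vaddr modulo the page size, e_entry set to the OEP and the section fields left at zero. The /proc/<pid>/maps listing and the memory reader are constructed (the first two regions reuse the text and data addresses from the program headers posted earlier), and the region filter is_program_region is an assumption to adjust per target.

```python
"""Turn the memory regions of a process stopped at the OEP into a loadable
ELF32 image: one PT_LOAD per region, p_flags from the mapping permissions,
p_offset congruent to p_vaddr modulo the page size, e_entry set to the OEP and
no section table. Added example, not the thread's tool; real use reads
/proc/<pid>/maps and /proc/<pid>/mem while the target is ptrace-stopped."""
import struct
import sys

PAGE = 0x1000
PT_LOAD = 1
EHDR = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, little-endian, 52 bytes
PHDR = "<IIIIIIII"           # Elf32_Phdr, 32 bytes
IDENT = b"\x7fELF\x01\x01\x01" + b"\0" * 9   # ELFCLASS32, ELFDATA2LSB, EV_CURRENT

def parse_maps(text):
    """(start, end, perms, path) for every line of a /proc/<pid>/maps listing."""
    regions = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        lo, hi = (int(x, 16) for x in parts[0].split("-"))
        regions.append((lo, hi, parts[1], parts[5].strip() if len(parts) > 5 else ""))
    return regions

def pf_flags(perms):
    """'r-xp' -> PF_R|PF_X (5), 'rw-p' -> PF_R|PF_W (6), and so on."""
    return (4 if perms[0] == "r" else 0) | (2 if perms[1] == "w" else 0) | (1 if perms[2] == "x" else 0)

def is_program_region(region):
    """Default selection (an assumption, adjust per target): anything that is not a
    [stack]/[vdso]/[heap] pseudo mapping or a shared library, and fits in 32 bits."""
    lo, hi, _, path = region
    return hi <= 0x100000000 and not path.startswith("[") and ".so" not in path

def build_dump(regions, read_mem, entry, keep=is_program_region):
    """regions: output of parse_maps; read_mem(addr, size) -> bytes; entry: the OEP."""
    out = bytearray(PAGE)      # page 0 is reserved for the ELF and program headers
    phdrs = []
    for region in regions:
        if not keep(region):
            continue
        lo, hi, perms, _ = region
        # execve mmaps each PT_LOAD, so p_offset % PAGE must equal p_vaddr % PAGE
        off = len(out) + (lo - len(out)) % PAGE
        out.extend(b"\0" * (off - len(out)))
        data = read_mem(lo, hi - lo)
        out.extend(data)
        phdrs.append((PT_LOAD, off, lo, lo, len(data), hi - lo, pf_flags(perms), PAGE))
    header = struct.pack(EHDR, IDENT, 2, 3, 1, entry, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    header += b"".join(struct.pack(PHDR, *p) for p in phdrs)
    if len(header) > PAGE:
        raise ValueError("too many regions for a one-page header")
    out[:len(header)] = header
    return bytes(out)

def describe(image):
    """readelf -lh in miniature: (e_entry, e_shoff, [(p_offset, p_vaddr, p_filesz, p_memsz, p_flags), ...])."""
    eh = struct.unpack_from(EHDR, image, 0)
    entry, phoff, shoff, phentsize, phnum = eh[4], eh[5], eh[6], eh[9], eh[10]
    phdrs = []
    for i in range(phnum):
        p = struct.unpack_from(PHDR, image, phoff + i * phentsize)
        phdrs.append((p[1], p[2], p[4], p[5], p[6]))
    return entry, shoff, phdrs

# Constructed /proc/<pid>/maps listing: the first two lines reuse the text and
# data addresses from the thread's program headers, the rest is typical noise.
SAMPLE_MAPS = """\
08048000-086cc000 r-xp 00000000 08:01 4242       /root/test
086cc000-086dd000 rw-p 00683000 08:01 4242       /root/test
086dd000-08830000 rw-p 00000000 00:00 0
f7ffb000-f7ffc000 r-xp 00000000 00:00 0          [vdso]
fffdd000-ffffe000 rw-p 00000000 00:00 0          [stack]
"""

def fake_read_mem(addr, size):
    """Constructed stand-in for /proc/<pid>/mem: every page is filled with its page number."""
    return b"".join(bytes([((addr + i) >> 12) & 0xff]) * PAGE for i in range(0, size, PAGE))[:size]

if __name__ == "__main__":
    image = build_dump(parse_maps(SAMPLE_MAPS), fake_read_mem, 0x8048418)
    entry, shoff, phdrs = describe(image)
    print("entry 0x%x, %d PT_LOAD segments, e_shoff %d" % (entry, len(phdrs), shoff))
    for off, vaddr, filesz, memsz, flags in phdrs:
        print("  off 0x%06x vaddr 0x%08x filesz 0x%06x memsz 0x%06x flags %d" % (off, vaddr, filesz, memsz, flags))
    if len(sys.argv) > 1:
        open(sys.argv[1], "wb").write(image)
```

For a live target, read_mem becomes a function that seeks and reads /proc/<pid>/mem (readable by the tracer while the tracee is stopped) and the region list is taken from /proc/<pid>/maps at the moment the debugger stops at the OEP. In gdb an address breakpoint is spelled break *0x8048418; without the asterisk the argument is parsed as a function name, which is what produces the "No symbol table is loaded" prompt. The resulting image is a runnable executable only for a statically linked program; the program headers posted earlier (LOAD, LOAD, NOTE, TLS, GNU_STACK, with no INTERP or DYNAMIC entry) are consistent with one.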
#9 (crackwiki)
Floor 2 already said it very clearly: # the real entry is 0x8048418
2019-10-25 14:48
#10 (s3139701)
crackwiki wrote: Floor 2 already said it very clearly: # the real entry is 0x8048418
I have also tried a breakpoint at this entry point, with the same result: gdb just has the program exit.
2019-10-25 14:50
#11 (s3139701)
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-92.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/test...(no debugging symbols found)...done.
(gdb) b 0x8048418
No symbol table is loaded.  Use the "file" command.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (0x8048418) pending.
(gdb) r
Starting program: /root/test
/usr/bin/|12Oexe
Program exited with code 0177.
(gdb)

2019-10-25 14:51